;
Image: Unsplash

The onset of the COVID-19 pandemic and the far-ranging lockdowns that have followed from it have pushed e-commerce spending to new heights over the past year and a half. While global retail sales as a whole dropped in 2020 by an estimated 2.8 percent, according to eMarketer, e-commerce sales for the year surged by 25.7 percent to $4.213 trillion and are expected climb even further – by nearly 17 percent – to a whopping $4.921 trillion by the end of this year. Not only has the large-scale adoption of e-commerce by consumers across the globe enabled digitally-connected brands to better weather the pandemic than their brick-and-mortar dependent counterparts, it has also given them sweeping access to valuable data that they can use to more effectively target consumers going forward. 

From location tracking to extensive records of past purchases, the insights that can be drawn from this information help brands determine what new products and services to bring to the market while also assisting them in personalizing their advertising efforts. And as brands learned over the past 18 months, “Data is instrumental in marketing, allowing retailers to bridge the gap between online/offline and digital/physical stores (where applicable),” according to Euromonitor’s Florence Allday. 

“Today’s digital tools provide brands and retailers with more sources of data than ever before,” says data consultancy vXchnge’s Kaylie Gyarmathy. She notes that “not only can they draw upon what products are being sold and where, but they can identify what individual consumers and groups of consumers are buying, what they are considering buying, and how their purchasing decisions are influenced by outside forces.” In short: the use of consumer data has readily transformed how companies do business.

The Stakes Are High

With e-commerce continuing to grow as a proportion of total retail spending, and with such personalization and predictive benefits in mind, companies are increasingly seeking out greater data points. Yet, at the same time, many customers are exercising heightened caution about sharing data. “The stakes are high for companies that are handling consumer data,” McKinsey aptly asserts, both from a financial perspective and a reputational one. Even consumers who have not been directly affected by headline-making data breaches “paid attention to the way companies responded to them,” the consultancy says. Meanwhile, accounting firm KPMG has found that over a third of consumers would stop shopping online with a retailer if it suffered a security breach. Identity security company Ping Identity has put that figure at a much higher 81 percent of consumers. 

(To further put the stakes in perspective, the Federal Trade Commission levied a $5 billion fine on Facebook in 2019 on the basis of charges that the social media giant violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.)

Still yet, lawmakers around the world are ramping up data privacy regulations to protect consumers. “Proliferating breaches and the demand of consumers for privacy and control of their own data have led governments to adopt new regulations,” McKinsey states, citing the adoption of the General Data Protection Regulation (“GDPR”) by the European Union in 2016 and the California Consumer Privacy Act which went into effect in January 2020. 

More recently, China enacted the Personal Information Protection Law (“PIPL”), which will take effect on November 1, 2021. Along with China’s Cyber Security Law and its Data Security Law, the PIPL helps set a legal foundation for China’s protection of consumer data and cyber security. “These laws have significantly enhanced the protection of personal information and other sensitive data, and tightened controls over cross-border data transfers,” per Beijing based attorney Samuel Yang. “As one of the most restrictive data privacy laws in the world, PIPL imposes significant compliance obligations on companies doing business in China which they should not overlook.” 

All the while, updated versions of the Data Protection Act of 2020, which aims to create a federal Data Protection Agency to exercise oversight in the space, and the SAFE DATA Act, which is described by the sponsoring lawmakers as “providing Americans with more choice and control over their data and [requiring] direct businesses to be more transparent and accountable for their data practices,” have been reintroduced in the U.S. Senate this year in light of a lack of a comprehensive privacy law in the U.S.

Enter: Chief Privacy Officers

Against this background and in light of consistently increasing scrutiny over how personally identifiable information is protected by companies that collect and use it, McKinsey states that “leading companies are learning that data protection and privacy can create a business advantage.” This is a big part of why the role of Chief Privacy Officer has been rising in recent years, with a surge first coinciding with the adoption of the GDPR five years ago. (Note: The GDPR mandated that public bodies and most large-scale companies must appoint a Data Protection Officer, that role differs from that of a CPO.)

“As a best practice,” many of the world’s largest companies “already have an attorney or team of attorneys dedicated to privacy law on staff,” according to consulting firm Spencer Stuart. However, with the GDPR and the California Consumer Privacy Act in place, and additional state and federal laws under consideration, the firm states that “it will likely not be enough to have a dedicated privacy function, and many organizations will need to elevate privacy to the C-level and appoint a CPO.” And that is what Amazon, Walmart, American Express, ViacomCBS, Pfizer, Uber, Coca-Cola, Ford, and AirBnB, among others, have done, appointing an executive-level individual to craft and oversee the company’s global privacy policy and strategy for both offline and online businesses, and ensure compliance. 

At the same time, an array of other retail names, such as Nike, Chanel, Ralph Lauren, and L Brands, for example, have CPOs on their rosters, and while the titles may vary to some extent, Chanel, for instance, labels the role as “Head of Privacy,” the responsibilities are largely the same. While at behemoths like Amazon and Apple, CPO is a stand-alone role, it is worth noting for many slightly-less-enormous companies, the role is frequently being taken on by (or seemingly tacked on to) the company’s General Counsel.

When to Hire?

As for whether – and when – it is advisable for a company to establish the role of CPO, Spencer Stuart points to a handful of situations when organizations should consider hiring a CPO, including “before a merger or acquisition; when expanding the business into new regions where you are legally required to have one (e.g., New Zealand, Australia and India are all establishing some version of GDPR); and when building new Internet of Things capabilities, such as ‘smart’ devices that capture individual user preferences and data.” 

In terms of where fashion’s hiring practices are going when it comes to privacy roles, many individual brands – as distinct from the industry’s growing number of multi-brand groups – very well may stay the course without a designated CPO. Neither direct-to-consumer pioneer Warby Parker nor buzzy footwear brand Allbirds, for example, both of which filed their S-1s in the last couple of weeks, have CPO roles in their executive suites as of now; with privacy roles likely falling within the purview of their in-house lawyers. Brands that are, in fact, looking to start wading into this arena are likely to take the route of resale giant Poshmark, which maintains a Chief Data Officer but not a CPO. Beyond that, should companies opt to go a step further, Korean e-commerce player Coupang, which listed on NYSE in March, has a CPO, a role that it combines with that of Chief Information Security Officer. 

Regardless of what brands endeavor to do on the privacy hiring front, ultimately, what might be the clearest takeaway going forward is that companies need to take proactive and innovative action to safeguard the personal data of their customers, says global data privacy and risk expert Robert Healey. “Ensuring privacy and security – through every phase of the data lifecycle (e.g., collection, use, retention, storage, disposal, or destruction) – has become crucial to avoiding legal liability, and maintaining regulatory compliance, as well as to protecting brand [goodwill] and preserving customer confidence.”