March 13, 2001, 10:53 AM — When large companies first began appointing chief privacy officers last year, Sally Cowan found herself pioneering a position at American Express Co. that upheld the firm's long-standing information practices. After 16 years working as a lawyer in the general counsel office, Cowan was appointed American Express' vice president of privacy and data protection.
"I advised the business worldwide in customer protection and privacy issues, and I was very familiar with the issues that the company faced in data and privacy protections," says Cowan. "When the company created this position, it was not a customer service or legal or PR position. This is truly a business issue."
New York-based American Express has been a forerunner in privacy. In 1974, it became the first financial services firm to give customers the ability to opt out of its direct marketing efforts. In 1991, it published employee privacy principals, and in 1998, it became one of the first businesses to post an Internet privacy statement. The company doesn't sell customer data and doesn't give customer e-mail addresses to third-party marketers.
With 48 million cardholders and close to 90,000 employees worldwide, American Express must apply those privacy policies globally. Cowan discovered that not all the privacy statements on the company's international Web sites were consistent, and some weren't posted in local languages. In one case, a privacy statement hadn't been updated when the site shifted from an informative site to an interactive site. The statement was changed, says Cowan. "We tell our customers the information we collect and what we do with it," she says.
One of the toughest jobs for chief privacy officers is creating a corporate culture that's sensitive to privacy concerns. All new employees get basic privacy training, and Cowan says the company plans to increase this instruction for employees at every level.
Cowan says one of her biggest challenges is making sure that all worldwide product development addresses privacy issues. She says American Express is creating a checklist to ensure that these issues are addressed early in the design phase. It has also designated "privacy champions" in global business units to ensure that attention is paid to local privacy issues.
Cowan says a key part of her job involves listening to customers' concerns and giving them the tools to protect their privacy. Last year, the company launched the first in a suite of privacy products that lets card members shop online without using their Amex credit card numbers. The company will soon offer a private browsing product that will allow customers to choose the amount of information they share when surfing.
Cowan says these privacy tools are an example of how industry self-regulation can work. "The marketplace will determine whether our customers trust us and want to continue doing business with us, and the marketplace will determine -- and should determine -- the rules of privacy," she says.
