Ann Cavoukian, Ontario’s privacy commissioner, is speaking to the Canadian Marketing Associates convention this week about privacy. She’s an unusual speaker because frequently the relationship between privacy advocates and marketing is strained. Marketing wants more information and to process the information to its best advantage, while privacy and security experts often have to be the ones to squash new information uses.

The speech will cover the business advantages of developing a privacy program, namely consumer brand and trust. Brand and trust are terms that marketing works with on a daily basis, whereas compliance reasons tend to fall on deaf ears. But in her argument she makes a lot of claims such as, "You will lose business if you don’t have a strong privacy policy." Within this short article these statements are not substantiated, and I’ve been hard-pressed to find research and proof of them. Take TJX for example — its sales have not stumbled because of its data breach; they’ve had great profits. ChoicePoint’s stock has recovered from its initial drop after its data breach. Does anyone have more than anecdotal data to show that customers actually do leave the stores as opposed to surveys that show that customers say they no longer work with that business? I do not quarrel with her end conclusions, but I’m not sure the argument is completely on solid ground yet. How do you make the business case to executives for improved privacy programs? It’s easy to point at companies that have had breaches, but how do you counter the examples of companies that survive and thrive post-breach?