At the Consero CPO Summit, it was clear: privacy leaders are shifting from compliance enforcers to strategic enablers of growth and AI readiness.
The role of the CPO is evolving fast: from a regulatory risk manager to an enabler of growth, an automation strategist, an AI gatekeeper, a cross-functional data referee. These were the key messages that the Ethyca team heard loud and clear from top minds in privacy and data governance at the Consero Chief Privacy Officer Summit in Westlake Village, California. Across three packed days, one thing became clear: Below are our biggest takeaways from the event, gathered from panels, our roundtable discussions as well as 1:1 sessions with privacy leaders.
1. The privacy profession has entered its growth era
A consistent theme throughout the event was the reframing of privacy from a regulatory obligation (the old way) to a lever for driving business value from data (the new way). One CPO we spoke with put this reframing as follows: “If you improve your relationship with your data, the laws become easy.” The idea, heard across a variety of panels, was that improving data quality, data access and data literacy doesn’t just decrease friction around privacy tasks. It creates a foundation for growth from data for everyone who interacts with it.
Across financial services, healthcare, tech and consumer goods, CPOs are moving away from reactive, paper-based compliance towards dynamic, programmatic privacy infrastructure that enables growth. CPOs at the summit were candid about what’s pushing this change: board pressure to support AI adoption, increasing DSAR volumes (and preventing a bottleneck in the event of a breach or influx of requests), scrutiny from regulators and a growing expectation that privacy teams demonstrate ROI like any other business function.
2. Automation is a necessity, but it must be meaningful
As CPOs and privacy teams have been sold technology solutions over the past decade, one thing has become abundantly clear: they are not interested in vaporware. As one CPO told us, “We’ve been burned by tools that promise automation but only deliver more manual work.” CPOs are purchasing tools that help them automate, but selectively, with greater precision and intention, as well as technical validation.
A common theme around automation was the need to get specific: automation is such an abstract, generic term that it requires clarity around what is being automated, how, and to what end. Just like AI, it needs to be disambiguated and talked about in maximum detail for CPOs to figure out how it can be useful for them. We identified a few applications where automation is driving the bottom line:
The most successful applications of automation shared one trait: they weren’t just about efficiency. They created space for deeper strategic work—like PIAs and risk modeling—by freeing teams from repetitive, low-leverage tasks.
3. Know your data or risk falling behind
Whether discussing AI governance, vendor risk or privacy metrics, one message came through loud and clear: know your data. In every conversation from banking to consumer data, leaders acknowledged the growing complexity of enterprise data environments. Silos are breaking down. Systems are more interconnected. And the risks (and opportunities) of misunderstanding your data are compounding.
As one speaker noted, “The next wave of privacy regulation is already here. If your systems can’t tell you where sensitive data is flowing, or who has access to it, you’re playing defense.” Our view? The time to shift from policy PDFs to operational controls is now. You simply can’t enforce what you can’t observe.
4. AI is fundamentally reshaping the privacy conversation
AI governance was the elephant in every room. But the terminology itself was a point of frustration. Much like automation, a speaker asked, “What does AI even mean? ADMT? GenAI? You’re going to regulate those very differently.”
We saw meaningful dialogue emerge on this front. From financial institutions wrestling with biometric voice analysis for DSARs to marketing teams estimating ethnicity for audience targeting, the takeaway was clear: privacy professionals must now become fluent in the nuances of AI technology and the implications of data use in order to be effective in large enterprises.
As a result, a new mandate is emerging: privacy teams must shift from compliance arbiters (playing goalie) to proactive participants in product and data strategy (playing central midfield). We see the shift as a need to focus on:
The above requires building tooling and processes that scale with AI’s complexity—not fighting it retroactively.
5. Boards want business value from privacy (and how vendors can help)
Several panels tackled how to make the case for privacy investment, and we were struck by the clarity of advice: tie privacy to outcomes that leadership already values. What sounds fairly obvious doesn’t always play out obviously in large enterprises: teams tend to stick to their own lane and play it safe. This call to action for privacy leaders indicates a new way that privacy can be embedded in revenue-generating or cost-cutting initiatives at the business level.
In one session, a panellist put it bluntly: “Our board doesn’t want monks scribbling on papyrus. They want automation, dashboards, and real-time visibility into risk.” The best privacy teams are learning to speak the language of trust, brand value and growth—not just enforcement, assessments or checklists.
This shift is reflected in how privacy teams are adjusting how they measure success. Rather than framing success as a number of monthly incidents, they are tying their work to the launch of a new product, new market expansion or new go-to-market initiatives initiated with the discovery of new data patterns. This is how privacy teams will grow their influence in the enterprise.
Final thoughts: Privacy’s moment—with challenges
If the Consero CPO Summit confirmed anything, it’s that privacy is no longer a back-office function. It’s become a cross-functional discipline with an outsized impact on customer trust, business growth and AI readiness. It’s a function that no longer acts purely as the last line of defense, but instead has become a key strategic player that enables growth with partners in marketing, product, engineering, security and more. This requires CPOs and privacy leaders to become more technically literate enablers for all teams.
As one CPO said in his closing remarks on a panel, “Buckle up. My need to move faster is higher than ever. I thought I was moving fast. But now it’s time to go even faster.” At Ethyca we’re proud to be a part of the engine helping privacy leaders do just that.