Erin McCurdy spends quite a bit of time on the phone these days. As the sole in-house privacy lawyer for billion-dollar clothing retailer American Eagle Outfitters, it comes with the territory. Many of her calls are with contemporaries—other lawyers, for the most part—who call with privacy-related questions. With privacy issues recently grabbing headlines, many companies are just beginning to understand the need for privacy professionals. “Lots of friends, in different worlds, want to understand how I’ve developed my privacy skill set and how they can do the same,” says McCurdy, who describes her conversations as “privacy 101s,” since her contacts are now being tasked with privacy issues she began dealing with years ago.
This is due, in large part, to matters of privacy long being a back-burner issue in the US. When McCurdy was involved in e-commerce and technology for Dick’s Sporting Goods—taking on a rewrite of the company’s privacy notice—high-profile breaches had yet to rise to the surface at the alarming rate they do today. (And things are only likely to get worse: the average cost of a data breach is expected to surpass $150 million by 2020, according to data from Juniper Research.)
When McCurdy made the move to American Eagle in 2015, her privacy focus expanded internationally. That’s when she realized that some of the best lessons in privacy and data security were already learned abroad. The European Union (EU) recognizes privacy as a fundamental right, and now that its General Data Protection Regulation (GDPR) is being enforced, matters of privacy are impacting the US—and the rest of the world—in new ways. The California Consumer Privacy Law (CCPA), set to take effect in January 2020, is a first-of-its-kind application of privacy law in America and bears a strong resemblance to the GDPR.
Many companies in the US are scrambling to get up to speed with the required CCPA changes, according to McCurdy. “That law is a fundamental shift for many US companies that don’t have an EU presence,” she says. “If you haven’t gone through GDPR preparations, you’re right where American Eagle was three years ago.”
Today, American Eagle is standing quite tall when it comes to matters of consumer privacy among US-based companies—tall enough to be cited by a Gartner L2 report for having a privacy notice that is “best in class” among specialty retailers. It’s a notice—which McCurdy reworked in 2017—that is rooted in transparency and honesty; she compares it to the company’s Aerie Real campaign (which McCurdy says features “unretouched marketing photos promoting confidence and body positivity”), in terms of its intent.
“We want our customers to have confidence in us that extends past their initial purchase,” she says. “Ultimately, we’re giving our customers a choice of whether or not to trust us with their personal information. We’re telling them what we’re doing, and with all the other brands out there, they can choose to trust us with their data or they can choose not to shop with us. Their continued patronage supports this confidence—that we are using the data properly, sharing it properly, and protecting it properly.”
The concept of a nationally recognized privacy notice is especially gratifying, given that American Eagle has taken special efforts to grow its privacy team over the course of McCurdy’s tenure. Although the privacy team is a cross-functional effort, the core team now includes McCurdy, privacy analyst Natalie Roberson, program manager Melissa Kirwin, senior business intelligence developer Jenifer Trout Osborn, vice president of data technology Chris Stephens, and regional external privacy counsel.
Stephens has a particularly vital role as the face of an enterprise-wide data-governance effort that American Eagle kicked off in mid-2018. “The intent is to organize, improve, and harmonize our data and data processes,” McCurdy says of the program, a partnership with PricewaterhouseCoopers. “We have many silos of data in different pockets, and we are harmonizing them together into an integrated program that benefits the entire company.” McCurdy cites this effort and collaboration as key to adapting to American Eagle’s evolving efficiencies, corporate culture, and compliance goals.
In addition to dividing her time between privacy matters and the legal issues arising from the digital and corporate IT teams, McCurdy works to manage all of her business teams in person on a weekly basis—even the ones located away from her home office. For someone who embraces both the ever-changing world of privacy law and American Eagle’s desire to stay ahead of the curve, having a consistent presence and face-to-face time with her business partners is the only way to go.
“I enjoy working for a company that takes privacy and customer confidence seriously and one that supports its employees in pursuing these endeavors,” McCurdy says. “American Eagle is a great organization—one that is willing to adapt to change and one that values both its customers and employees.”
Holland & Knight LLP:
“Erin McCurdy easily navigates the legal opportunities and challenges facing American Eagle Outfitters, positioning the international retailer for success. Her deep knowledge of commercial law and privacy matters allows American Eagle Outfitters to take advantage of digital trends while safeguarding it against high-tech threats. It is a pleasure working with her.”
—Paul Bond, Partner