The second driver I see is the changing nature of the market. Business models have become more risky from a privacy perspective. In the past five years, companies have steadily outsourced their noncore functions, Web-ified their business applications and globalized their operations, all in an environment of a global war on terrorism and increasingly sophisticated hackers, malware producers, phishers and identity-theft rings. I don't see any of these trends abating in the next five years, short of a wholesale societal rejection of online conveniences.

Eisenhauer agrees: "It used to be the case that only certain industries had to worry about privacy compliance, but now all companies need to think about how privacy and security considerations affect their information-handling practices."

But will companies keep turning to privacy consultants to solve these problems for them? Or will they bring these functions in-house? The financial, health care and technology industries have done both--formed internal privacy offices with budgets for external consulting. But outside these sectors, it's a mixed story, and the future outlook is uncertain.

Companies facing tight earnings this year may be holding back from investing in this hard-to-understand area. With qualified CPOs in short supply, since few people have the needed backgrounds in law, technology and business, their base salaries at Fortune 500 companies are easily topping $200,000 this year. Privacy consultants are charging similarly high rates--typically $300 per hour for consultants, $550 for privacy lawyers and $700 for senior partners, with a significant range on either side of these medians.

Sotto sees privacy evolving like environmental law did in the 1970s, becoming so regulated that it becomes an in-house function in every company.