More companies are hiring professionals to help them navigate the waters of data collection and privacy, but the windfall of the privacy professional does not necessarily equate to more privacy for consumers.

In a survey released this week, the International Association of Privacy Professionals (IAPP) found companies in the Fortune 1000 spending an average (mean) of $2.4 million on their privacy programs, with most of the budget being spent on staff and legal fees. A third of the companies responding to the survey plan to increase their privacy program staff, while only 2 percent plan to cull workers.

But good news for privacy professionals is not necessarily good news for consumers. Such programs typically focus on minimizing risk to companies from the regulations focused on protecting consumers, not necessarily on improving consumer privacy. The approach that businesses take to privacy typically depends on their customers, J. Trevor Hughes, president and CEO of the IAPP, told Ars.

“Consumers have a role to play, whether explicitly in demanding that the organizations that they do business with are paying attention, or implicitly, in that organizations have to consider their interest when building a new product or service,” Hughes said.

The burgeoning interest in privacy follows more than a year of leaks of classified documents describing the extent to which intelligence agencies and governments are monitoring citizens. The documents, taken from the National Security Agency by former contractor Edward Snowden, have galvanized many companies in the technology industry into renewing their commitment to customer privacy, while other companies recognize the need for a more strict privacy program to protect the business.

Privacy professionals can be both enablers for a business (making sure that they can collect data without falling afoul of regulations) and cops (shutting down programs that violate privacy rules). Companies planning good data collection practices can use privacy professionals to avoid costly mistakes, said Hughes.

“You can almost always get to the result that you are hoping to get to, but you are so much better off and you have mitigated so many potential problems if you add privacy into the process early,” he said. “You don’t want to be the company that launches a new product or service to find that you have stepped in it, with regards to privacy.”

Increasingly, companies are treating the field of privacy as separate from information security. Following a breach, for example, an information security professional may close down the exploited security vulnerability, clean the company’s systems, and perform an investigation, but a privacy professional will work with regulators, find ways to help any employees or customers impacted by the breach, and attempt to minimize the legal and brand damage, Hughes said.

The survey estimated that the Fortune 1000 will spend $3 billion on managing privacy and data collection in 2015, an increase of 25 percent over 2014. About half of all external budget, about $250,000 annually, was spent on outside legal counsel, while about a half of all internal costs, an average of $950,000 annually, went to salaries, according to the IAPP.

Much of the spending, however, is by large data-centric firms, such as Google and Microsoft, which have large privacy teams. The median Fortune 1000 company spent $1 million on its privacy program. Overall, companies are spending about half as much on privacy as they spend on security, according to the IAPP.

But companies are increasingly cognizant that delivering services and products that respect consumers’ privacy is also good business. Following the Snowden leaks, more technology and Internet companies are changing their products and services to offer stronger privacy protections.

Apple and Google, for example, have made encryption the default for their smartphones and tablets, making it harder for any third party to gain access to the data on the device.

“Apple [and Google] clearly saw that concerns over NSA access to cell phone data and law enforcement access to cell phone devices was a consumer issue,” Hughes said. “So without a compliance mandate—as a product feature—they added encryption that will help ensure the privacy of communications and data on phones. So there is an ability for privacy to become not just risk management but a product or service feature.”
