Jo Ann Davaris, Global Head of Privacy for Booking Holdings Inc: Captains of Industry Interview

Jo Ann (Jo) Lengua Davaris serves as the Global Chief Privacy Officer at Booking Holdings, a role she has held since 2019, where she has pioneered a unified privacy framework across the company’s iconic brands, including Booking.com, Priceline, KAYAK, OpenTable, and Agoda. Her leadership ensures that privacy and data protection are seamlessly woven into global operations while driving innovation, maintaining consumer trust, and enabling the safe expansion of business opportunities. Jo is deeply passionate about shaping policies at the intersection of privacy, cybersecurity, and AI governance, ensuring that ethical frameworks guide emerging technologies and align with organizational goals.

Prior to joining Booking Holdings, Jo was the inaugural Global Chief Privacy Officer at Mercer, where she developed a robust privacy program designed to protect data, fuel innovation, and unlock new business opportunities. She also led global privacy policy and program development for the Institutional & Network businesses at American Express, strengthening privacy governance across complex ecosystems. Earlier in her career, as an attorney with the Administration for Children’s Services in New York City, Jo’s advocacy work focused on protecting vulnerable populations. Jo is a sought-after speaker on privacy, AI governance, regulatory change management, and women’s leadership development. She actively contributes to shaping the future of data protection and technology ethics through her roles on advisory boards, including the Corporate Counsel Women, Influence and Power in Law ALM Event, the Women in AI Governance Group and Pace University’s Seidenberg School of Computer Sciences.

As part of our Captains of Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston, had the opportunity to sit down with privacy leader Jo Ann Davaris, Global Head of Privacy for Booking Holdings Inc. With more than 20 years of corporate experience, Jo Ann has built transformative privacy programs and data governance structures at three Fortune 500 companies. She is widely recognized as a leader in consumer and institutional data protection. We're excited to share Jo Ann’s invaluable insights with you. Enjoy!

Introduction

Q: Can you tell us about Booking Holdings? Booking Holdings is a global leader in online travel and related services, operating through five major brands: Booking.com, Priceline, Agoda, KAYAK and OpenTable. We connect consumers looking to make travel reservations with travel service providers around the world, offering everything from accommodations and flights to rental cars and restaurant reservations. Our mission is to make it easier for everyone to experience the world.

Q: Tell us about your career journey and how it led to your current role. My career has been an evolution, driven by a deep desire to protect people and their data. I began as a prosecutor representing the City of New York in child abuse and neglect cases after graduating from Fordham University School of Law. That experience instilled in me a strong sense of advocacy and protection that continues to guide my approach to privacy.

From there, I joined American Express, where I spent 16 years progressing through roles in contracts management, merchant relationships, marketing, and eventually leading Global Privacy & Policy. This gave me firsthand experience balancing business objectives with customer trust.

In 2016, I became the Global Chief Privacy Officer at Mercer, where I built their privacy program strategy and governance frameworks from the ground up. That role gave me a broader global perspective and the opportunity to work across professional services and consulting.

In 2019, I joined Booking Holdings as its first Global Head of Privacy. My focus is on building a unified privacy framework that fosters a culture of privacy and responsible data use across all five brands, enabling innovation while safeguarding customer trust.

Q: Transitioning from prosecutor to privacy leader is a big shift. How did you successfully pivot industries and careers? My path has been guided by continuous learning and adaptability. After starting my career as a prosecutor, I moved into commercial legal work where I learned to balance legal guidance with practical business realities. My time as an account manager gave me valuable experience managing client relationships and understanding business drivers firsthand. Later, leading policy governance and serving as a data protection technical industry standards leader deepened my knowledge of operationalizing compliance and creating frameworks that work in complex organizations. Each step, whether inside or outside a traditional legal role, helped me build credibility as a business partner who understands commercial pressures, can navigate complex environments, and drive change that supports both business objectives and responsible data use.

Q: What privacy or data security challenge keeps you up at night—and how has that changed across your roles at American Express, Mercer, and Booking Holdings? The concerns have certainly evolved. Early in my career, it was payment fraud and protecting financial data, while balancing the opportunity to use transaction data to deliver value. Later, the focus shifted to safeguarding sensitive employment and benefits information and ensuring robust access controls. Today, my biggest concern is the growing sophistication of cyber threats across highly complex, global ecosystems of brands and technology platforms. I also think about the importance of maintaining customer trust as companies pursue more personalized experiences. The regulatory landscape has become more complex, making it critical to maintain compliance without compromising the customer experience.

Privacy Team Structure and Best Practices

Q: If you were building a privacy team from scratch, where would you have it report? Privacy is inherently cross-functional, so the reporting line depends on the organization’s culture, maturity, and industry. I’ve seen successful structures reporting to Legal, Compliance, Risk, and even directly to the CEO. What matters most is that the privacy leader has executive sponsorship, access to decision-makers, sufficient resources, and organizational influence. At Booking Holdings, I report into the General Counsel, which allows me to set standards across our brands while partnering effectively with other functions.

Q: Who are the key cross-functional peers for a privacy leader? The relationship with the CISO is foundational—privacy and security must move in lockstep. Beyond that, strong partnerships with legal counsel, corporate governance, risk, compliance, internal audit, technology leadership, data governance, communications, marketing, product, and HR are critical.

Q: For new privacy leaders, what does building effective partnerships with business units and executives look like? It starts with listening and understanding business priorities. I position privacy as an enabler rather than a blocker, showing how good privacy practices drive trust, improve data quality, and support innovation. Practical steps include embedding privacy into product design, providing actionable guidance rather than theoretical advice, and showing up as a partner in solving business challenges.

Q: Privacy teams often struggle to gain executive sponsorship and resources. What strategies have worked for you in managing up and securing buy-in? I focus on positioning privacy as a business enabler, not just a compliance requirement. This includes using business language, presenting clear risk-reward scenarios, benchmarking against peers, and demonstrating how privacy investments protect brand value and support customer trust. As privacy teams increasingly take on expanded responsibilities—including cybersecurity counsel, AI governance, and broader trust initiatives—it's also important to show where capabilities can be centralized for efficiency and where the team can drive consistency across the organization. Proactively communicating this scope and finding smart places to integrate or align functions helps build executive confidence and unlock strategic support.

Q: How does being part of a highly matrixed organization impact the role of the Privacy Officer? It adds complexity but also opportunity. You have to be skilled at navigating different structures, building trust, and empowering brand privacy leaders while providing centralized guidance. At Booking Holdings, I am fortunate to work with highly engaged privacy leaders within each brand who understand their business and collaborate closely with the Booking Holdings team.

Q: Why is the title 'Chief Privacy Officer' preferred over titles like 'Chief Privacy Counsel' or 'General Counsel for Data'? Because the role is more than legal advice. It’s about strategy, risk management, operations, and culture. Using titles like 'Chief Privacy Counsel' narrows the scope. Privilege is determined by the nature of the work and communication, not the title. While the title itself may need to evolve as responsibilities grow, what I think is most important is the ability to advise more broadly than through a straight-up legal lens—because privacy is more than a compliance exercise. It requires understanding business strategy, technology, governance, and trust. I collaborate closely with legal teams to ensure privilege is maintained where necessary.

Q: With the scope expanding, is 'Chief Privacy Officer' still the right title? The title continues to hold strong recognition and value, both internally and externally. However, as the responsibilities of the role expand to include areas like data ethics, governance, and trust, it's worth considering whether the title or team name fully captures that breadth. Some organizations opt for evolving titles or proactive marketing efforts to articulate the full scope of responsibilities. Ultimately, what is most important is that the organization clearly communicates the role's authority, scope, and impact so stakeholders understand and engage with the privacy function as a strategic partner.

Management and Operations

Q: How do you manage change given the fast pace of evolving privacy regulations? We build our program on enduring principles—knowing our data, providing transparency, offering user control, and embedding governance and security. We also have a public affairs team that keeps on top of the ever-evolving regulatory landscape, and specific to privacy, we have a shared services team based in Bucharest skilled at identifying regulatory developments and trends. Just as important is having a foundation built on principles and an understanding of the company's risk appetite. In addition, we have a privacy intelligence function to anticipate regulatory developments and a modular program structure that allows us to adapt without constant reinvention.

Q: How do you determine privacy team staffing and budget levels? We look at metrics like volume and complexity of reviews, incident response activity, regulatory engagement, and geographic footprint. We also factor in business maturity and upcoming strategic initiatives. Benchmarking against peers and aligning with industry best practices helps us make the case for resources.

Q: What do you look for in outside counsel? Practical, business-oriented advice; global expertise with local depth; regulatory relationships; sector knowledge; responsiveness; and a value-driven approach. I value long-term relationships with a small number of trusted advisors who understand our business.

Q: When hiring for your team, what are the top qualities you look for?  Someone with a learner mindset, always curious (about the business, about technology, about privacy and all of the areas privacy is expanding into) and wanting to learn, someone who is ready to be pragmatic and someone who is patient. Business acumen, strong collaboration and communication skills and the ability to influence are non-negotiable. Privacy professionals must be pragmatic problem solvers who can build relationships and drive change. Scenario-based interviews help me assess whether candidates have truly operationalized privacy in past roles.

Q: What advice would you give an up-and-coming privacy lawyer? Learn beyond legal frameworks. Understand technology, business models, and project management. Take the time to learn about AI to be able to advise on it through the lens of privacy, AI governance, trust and responsibility. The best privacy lawyers can translate requirements into actionable guidance that supports business goals.

Q: Any final thoughts? Privacy is a catalyst for trust and innovation. Done well, it helps organizations clarify their data use, improve quality, and build lasting relationships with customers. I’ve found the privacy community to be an invaluable resource, and perhaps the most welcoming and friendly community. 

I encourage those entering the field to engage with peers, share knowledge, and be part of shaping the future of data-driven innovation.