In 2005, Philip Tetlock demonstrated the difficulty that "experts" face when trying to assess what will happen in the future. His excellent book Expert political judgment: How good is it? How can we know? shows that even people with significant experience in a field bat .500 with regard to predictions.

Brass tacks: Making accurate predictions has never been easy. This is doubly true in a world that moves faster than ever.

Against this backdrop, in this post and the next I'll explore the likelihood of new US privacy legislation and what organizations can do about it.

A tipping point?

Based on what happened in the 2016 presidential election, the US may have reached a tipping point. The fallout from the Cambridge Analytica scandal resulted in Facebook CEO Mark Zuckerberg appearing before Congress and even suggesting government regulation "if it's the right regulation." Facebook lost $70B in market cap in the aftermath of the scandal. Elon Musk removed his companies from Facebook.

And the hits just keep on coming.

Apple head honcho Tim Cook and Zuckerberg are sniping at each other. Plenty of prominent folks are calling for the breakup of big tech. The Bloomberg exposé on Palantir is downright creepy.

It seems unlikely Facebook, Google, Twitter and other data-driven companies will remain unscathed. And tech is not the only industry with its feet to the fire. Look at the $1B fine that the Office of the Comptroller of the Currency and the CFPB recently levied against Wells Fargo. The bank played fast and loose with customer data and paid a steep price.

It's quite possible or even likely that the US might see something akin to the EU's General Data Protection Regulation (GDPR). The next logical question is what.

If not regulation, then what?

This is where things get dicey. Attempting to predict specific laws is a fool's errand in today's climate. At the federal level, many scenarios could conceivably take place next week – never mind next year. And who knows what individual states may do?

Consider two types of organizations:

  • Group A: Those that effectively govern themselves and take user/customer privacy seriously.
  • Group B: Those that clearly don't.

Which group is more likely to feel the sting of government regulations?

I suspect that many organizations with questionable data and privacy practices will attempt to self-regulate. That is, they will review their existing privacy, security and data governance policies in light of what bad actors appear to have done. The argument here is straightforward.

Simon says: Get out in front of the tidal wave.

As I've said many times, in crisis there is opportunity. Once and for all, organizations need to move beyond paying lip service to privacy matters. That ship has sailed. Whether the US passes laws with teeth or not, expect something to happen.


About Author

Phil Simon

Author, Speaker, and Professor

Phil Simon is a keynote speaker and recognized technology expert. He is the award-winning author of eight management books, most recently Analytics: The Agile Way. His ninth will be Slack For Dummies (April, 2020, Wiley). He consults organizations on matters related to strategy, data, analytics, and technology. His contributions have appeared in The Harvard Business Review, CNN, Wired, The New York Times, and many other sites. He teaches information systems and analytics at Arizona State University's W. P. Carey School of Business.

  1. Regulation of data must come if we wish to safeguard democracy against the collective misuse of data gathered by companies like Facebook (personal data or posts made by the user which Facebook keeps against the user's wishes). Not only must democratic governments fear data misuse – the common person should too. Those who post data must be treated as the rightful owners of that data, regardless of whether an organization chooses to keep the data. Data that users post is rightfully their data, despite any terms a corporation like Facebook may have asked the user to accept when they signed up. It amounts to cheating on a wide scale when a common person is legally duped into accepting such terms (which they don't fully understand).

    In short, no one – not even governments (until they have very stringent laws to protect personal data from political or other types of misuse on the part of ruling parties) – should have a right to hold and use such data against the user (unless they are involved in serious criminal or terror activities). Data could always be misused against anyone or any country, even if users have withdrawn consent and have been disabled, deactivated or deleted.
