In 2005, Philip Tetlock demonstrated the difficulty that "experts" face when trying to assess what will happen in the future. His excellent book Expert political judgment: How good is it? How can we know? shows that even people with significant experience in a field bat .500 with regard to predictions.
Brass tacks: Making accurate predictions has never been easy. This is doubly true in a world that moves faster than ever.
Against this backdrop, in this post and the next I'll explore the likelihood of new US privacy legislation and what organizations can do about it.
A tipping point?
Based on what happened in the 2016 presidential election, the US may have reached a tipping point. The fallout from the Cambridge Analytica scandal resulted in Facebook CEO Mark Zuckerberg appearing before Congress and even suggesting government regulation "if it's the right regulation." Facebook lost $70B in market cap in the aftermath of the scandal. Elon Musk removed his companies from Facebook.
And the hits just keep on coming.
Apple head honcho Tim Cook and Zuckerberg are sniping at each other. Plenty of prominent folks are calling for the breakup of big tech. The Bloomberg exposé on Palantir is downright creepy.
It seems unlikely Facebook, Google, Twitter and other data-driven companies will remain unscathed. And tech is not the only industry with its feet to the fire. Look at the $1B fine that the Office of the Comptroller of the Currency and the CFPB recently levied against Wells Fargo. The bank played fast and loose with customer data and paid a steep price.
It's quite possible or even likely that the US might see something akin to the EU's General Data Protection Regulation (GDPR). The next logical question is what.
If not regulation, then what?
This is where things get dicey. Attempting to predict specific laws is a fool's errand in today's climate. At the federal level, many scenarios could conceivably take place next week – never mind next year. And who knows what individual states may do?
Consider two types of organizations:
- Group A: Those that effectively govern themselves and take user/customer privacy seriously.
- Group B: Those that clearly don't.
Which group is more likely to feel the sting of government regulations?
I suspect that many organizations with questionable data and privacy practices will attempt to self-regulate. That is, they will review their existing privacy, security and data governance policies in light of what bad actors appear to have done. The argument here is straightforward.
Simon says: Get out in front of the tidal wave.
As I've said many times, in crisis there is opportunity. Once and for all, organizations need to move beyond paying lip service to privacy matters. That ship has sailed. Whether the US passes laws with teeth or not, expect something to happen.