Government regulation has traditionally been a lagging indicator of problems that have already materialised in a country’s economy. Data privacy regulation for the private sector has developed differently. Legislative hearings, regulatory guidance, and international conferences do not dwell on the injuries that people actually experience. Policymakers focus instead on preventing the possibility that companies will misuse their customers’ (or employees’) information in a way that could cause harm. These risks are theoretically plausible, but how often do they really happen?