The European Union has already enacted comprehensive data privacy legislation, and many American states have followed suit. While Congress should pass updated data privacy protections federally, broad regulations won’t address the key issues in data policy and will impose high economic costs. To be effective, legislation should respect consumers’ consent and avoid overly broad restrictions.

Despite lacking comprehensive federal legislation, the United States does have sectoral data protection in place. One of the current federal data privacy laws is known as the Children’s Online Privacy Protection Act (COPPA). This law establishes obligations for platforms with actual knowledge of users under 13 years of age by requiring businesses to obtain parental consent, publicly post data practices and allow parents to view collected data.

Recently the Federal Trade Commission (FTC) issued fines and mandated behavioral remedies against Epic Games, maker of the popular game Fortnite, for violations related to COPPA. The complaint focused on the default settings of the game and the lack of effort by the company to establish strong parental controls and consent despite marketing the game to the age groups that COPPA covers.

The fact that the U.S. has some level of data protection doesn’t mean that level is sufficient. However, the weaknesses of the current proposed legislation aren’t easily overcome. While consumer consent should be the focus of data policy, maintaining that focus becomes difficult due to a lack of widespread knowledge regarding data practices.

Data is not a uniform term. In technological terms, data can be divided into three main categories: data that users directly provide to platforms­­­, often in the process of signing up for services, data that’s observed through web tracking or cookies and data that’s derived from these other forms of data.

While most consumers understand the data they explicitly enter, the other two categories are where consent becomes more complicated. A 2011 study conducted by CyLab at Carnegie Mellon University tested nine tools designed to prevent online behavioral advertising, which uses data from tracking and cookies. All nine tools presented a challenge for users. User error in this study made it difficult for consumers to take advantage of privacy settings even when they were available.

This lack of understanding contributes to the phenomenon that scholars Omer Tene and Jules Polonetsky refer to as the “creepy factor,” which occurs through unexpected uses of data. This factor was exemplified when the retailer Target used data from purchases to predict pregnancy and then engaged in targeted advertising for pregnancy-related products. Most consumers would not be surprised or upset by Target collecting purchase data, but the company’s ability to accurately predict personal health conditions can be perceived as a “creepy” violation of privacy.

Widespread unawareness and the special nature of the “creepy factor” make it difficult to establish privacy legislation that addresses consumers’ concerns. Consent-based legislation is important, but it’s difficult to meaningfully provide users with the opportunity to consent to processes that they don’t understand.

The right balance may be hard to strike, but it’s important to do so, as the current regulatory environment is costly.

In the absence of federal legislation focused on digital data, many states have enacted their own protections. This patchwork of laws makes compliance costly and difficult for businesses attempting to operate across state lines. According to estimates by the Information Technology and Innovation Foundation (ITIF), this inconsistency on the state level could impose compliance costs for out-of-state businesses between $98 billion and $112 billion. Roughly $20-30 billion of these costs would fall on small businesses.

Although the patchwork system is expensive, ill-conceived and broad federal legislation could be even more so. Additional estimates by ITIF found that federal legislation mirroring the General Data Protection Regulation (GDPR) or California’s expansive legislation would cost the U.S. economy roughly $122 billion per year. Any data privacy legislation will impose some costs, but the high price tag for broad legislation should steer lawmakers toward targeted solutions focused on consumer harm and increasing public understanding.

Federal privacy legislation is necessary, but it’s up to lawmakers to see past the limits of consumer awareness and craft protections that respect consumers’ consent while also striving to make sure that consent is informed. Ultimately, any legislation needs to balance the economic costs with the resulting consumer benefits, including benefits derived from data use.