Consumers are concerned about these revelations because many of these practices are unexpected. Even though technically users might have agreed at some point to Facebook’s partners getting access to their data, it is difficult to anticipate the extent of data sharing and secondary data use that this might enable. A company’s privacy policy is typically of little help in that regard, given that such policies are often written in a way that provides lots of leeway for companies to use and share user data, without clear descriptions of how users’ data is actually used or who has access to it. Rather than relying just on privacy notice and consent, a larger emphasis needs to be placed on privacy by design – building privacy protections into systems and making privacy the default. The U.S. needs a federal privacy law that establishes strong and consistent privacy protections across industries and provides regulators, such as the FTC, with better enforcement powers.