Data privacy is a red-hot topic nowadays.

Between the massive Equifax breach, the Cambridge Analytica and Facebook scandal, and all of the publicity generated by the European Union’s new GDPR legislation, now is as good a time as any to dive into the state of data privacy in America.

Earlier this month, security researcher Vinny Troia says he found “one of the most comprehensive collections [of personal data] I’ve ever seen” when he spotted a database owned by Exactis, a compiler and aggregator of business and consumer data.

The database allegedly contained the personal information of 340 million individuals. For some perspective, the Equifax breach that took the U.S. by storm in September “only” leaked the personal data of 145 million people.

And while thankfully it seems that the personal data in the Exactis breach doesn’t include Social Security numbers, credit card numbers, or bank account information, it does apparently include email addresses, home addresses, phone numbers, and other personal data typically collected online, like personal interests and habits, as well as the number, ages, and genders of people’s children.

Wait, what?

How is it possible that a company I’ve never heard of has a treasure trove of data about me and 340 million other people? Moreover, why does this keep happening?

In the U.S., our data isn’t our data (yet)

For all of the kicking and screaming we do about other companies buying and selling our data, none of this activity is actually illegal. When Cambridge Analytica misused the data of 87 million Facebook users during the 2016 presidential election, users responded with the #DeleteFacebook movement.

While we applaud people trying to take back control of their personal data and security, deleting a Facebook account is just the tip of the iceberg.

There are massive data companies that you’ve both heard of (like Equifax) and never heard of (like Exactis) that are scraping the internet for every ounce of your personal data they can find.

So, unless you contact every data collector in the world and somehow get them to erase your data from their servers, and you never use the internet again, your data isn’t really going to be your data.

Your personal data is free to collect because there are no laws against it—and because you probably agreed to give it up at some point

Until the U.S. takes drastic action to enforce data privacy measures similar to what the E.U. was able to accomplish with GDPR, good luck keeping your personal information away from these data behemoths.

GDPR requires companies that collect data on E.U. residents to explain to the consumer in clear and unbundled language what they plan to use it for. Companies must get explicit consent from each consumer in order to do anything with their data and must delete data associated with an individual if requested.

This is a huge win for data privacy advocates, and a big first step towards a world where people truly control their personal data.

It happened in the E.U. because data privacy authorities there have consistently prioritized and promoted lawmaking focused around a consumer’s right to data privacy, and because those authorities wield enough power to push something as complex and far-reaching as GDPR through the appropriate channels.

In the U.S., there is no equivalent authority to act as the driving force of change. On top of that, trying to pass a GDPR-like law here would require legislators to be extremely motivated, given the hoop-jumping necessary and the likely heavy resistance from tech, data, and advertising giants that rely on loose regulation around data privacy to make money. Naturally, state governments will also resist federal government regulations because they want to determine the laws that govern their residents.

Progress is being made towards true data privacy, but we’ve got a long way to go

This week in California, a data privacy law was passed that would provide California residents with similar data protections to those of E.U. residents.

The law, which doesn’t go into effect until 2020 and could still be amended, will give consumers the right to prevent the sale of personal data to third parties (like Cambridge Analytica) and to opt out of sharing their personal data altogether (unlike GDPR’s stricter opt-in requirement).

News like this is distressing for companies like Facebook and Google that rely on personal data to fuel their multi-billion dollar ad businesses. And of course, they will fight back…hard. But until then, they will “support” the law and begin the process of “GDPR-ing” their products in case the law actually goes into effect.

You, the public, need to make your demands heard!

With all of the buzz around data privacy on the news and on social media, the general public is beginning to recognize the importance of data privacy legislation that keeps them safe.

And while deleting a Facebook account is a step in the right direction, actually demanding changes in legislation that make data privacy a right for all citizens is what’s necessary if Americans want to take back control of their personal data.

Given the law passed in California, it’s clear legislators are starting to take notice.

But don’t mistake a law being passed for the personal crusade of a security-conscious lawmaker. This law is only being passed in response to a growing chorus of Americans who are tired of hearing about their personal data being used for other people’s gain and are contacting local and federal legislators to make their voices heard.

In essence, it’s up to you.

Are you willing to put in the work to protect your private data?