BERLIN, GERMANY - JUNE 22: In this photo Illustration hands typing on a computer keyboard on June 22, 2016 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)
PHOTO: Thomas Trutschel/Photothek/Photothek via Getty Images
BERLIN, GERMANY - JUNE 22: In this photo Illustration hands typing on a computer keyboard on June 22, 2016 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)
Now playing
01:36
5 of the biggest data breaches
Apple iPhone Xr models rest on display during a launch event on September 12, 2018, in Cupertino, California. - New iPhones set to be unveiled Wednesday offer Apple a chance for fresh momentum in a sputtering smartphone market as the California tech giant moves into new products and services to diversify.Apple was expected to introduce three new iPhone models at its media event at its Cupertino campus, notably seeking to strengthen its position in the premium smartphone market a year after launching its $1,000 iPhone X. (Photo by NOAH BERGER / AFP)        (Photo credit should read NOAH BERGER/AFP/Getty Images)
PHOTO: NOAH BERGER/AFP/Getty Images
Apple iPhone Xr models rest on display during a launch event on September 12, 2018, in Cupertino, California. - New iPhones set to be unveiled Wednesday offer Apple a chance for fresh momentum in a sputtering smartphone market as the California tech giant moves into new products and services to diversify.Apple was expected to introduce three new iPhone models at its media event at its Cupertino campus, notably seeking to strengthen its position in the premium smartphone market a year after launching its $1,000 iPhone X. (Photo by NOAH BERGER / AFP) (Photo credit should read NOAH BERGER/AFP/Getty Images)
Now playing
02:03
Apple may have most to lose with China tariffs
PHOTO: CNN
Now playing
03:09
First impressions of iPhone XS and XS Max
PHOTO: Photo Illustration: Shutterstock/CNNMoney
Now playing
01:25
Amazon is worth $1 trillion
The small rovers, MINERVA-II1. Rover-1A is on the left and Rover-1B is on the right. Behind the rovers is the cover in which they are stored.
PHOTO: JAXA
The small rovers, MINERVA-II1. Rover-1A is on the left and Rover-1B is on the right. Behind the rovers is the cover in which they are stored.
Now playing
01:49
See the images rover took on asteroid
The Airlander 10 airship is pictured airborne in its hangar during its media launch at Cardington Airfield in Shortstown near Bedford on March 21, 2016.
The Airlander, which was originally developed for the US military, is 300 feet (91 metres) long, according its British maker Hybrid Air Vehicles. The Airlander is essentially three streamlined airship-type bodies merged into one with wings and rotary engines. / AFP / ADRIAN DENNIS        (Photo credit should read ADRIAN DENNIS/AFP/Getty Images)
PHOTO: ADRIAN DENNIS/AFP/AFP/Getty Images
The Airlander 10 airship is pictured airborne in its hangar during its media launch at Cardington Airfield in Shortstown near Bedford on March 21, 2016. The Airlander, which was originally developed for the US military, is 300 feet (91 metres) long, according its British maker Hybrid Air Vehicles. The Airlander is essentially three streamlined airship-type bodies merged into one with wings and rotary engines. / AFP / ADRIAN DENNIS (Photo credit should read ADRIAN DENNIS/AFP/Getty Images)
Now playing
01:59
World's largest aircraft prepares to take off
PHOTO: Gravity
Now playing
02:23
The man behind the world's first jet suit
PHOTO: Disney
Now playing
01:18
Disney's high-flying acrobatic robots will floor you
PHOTO: Courtesy MIT researchers
Now playing
01:10
'Blind' robot can climb stairs, leap on desks
Elon Musk flamethrower
PHOTO: INSTAGRAM/elonmusk
Elon Musk flamethrower
Now playing
00:51
Elon Musk releases new torch devices
PHOTO: Houben/Van Mierlo architecten
Now playing
00:53
Watch these 3D-printed homes being built
PHOTO: CNN
Now playing
04:02
We took to the sky in Kitty Hawk's flying car
PHOTO: CNN; Reviver Auto
Now playing
01:08
California tests pricey digital license plates
PHOTO: Amazon.com/CNNMoney
Now playing
01:18
Amazon under fire over Echo recording error
PHOTO: Boston Dynamics
Now playing
01:21
Humanoid robot runs through the park by itself
blockchain thumb
PHOTO: CNN, Consensys
blockchain thumb
Now playing
03:00
What is blockchain?

Editor’s Note: Jeff Sovern is a professor of law at St. John’s University School of Law and a coordinator of the Consumer Law & Policy Blog sponsored by the Public Citizen Litigation Group. The views expressed here are his. View more opinion articles on CNN.

(CNN) —  

Many aspects of privacy protection in our country are broken and Congress is not doing its part to fix them. For example, when hackers obtained the private information of 148 million Americans in the 2017 Equifax breach, Congress did virtually nothing – not even coming close to voting on bills, like the proposed Data Breach Prevention and Compensation Act, which would have done more to protect consumer information in the hands of credit bureaus.

Meanwhile, breaches such as the ones at Marriott – that affected about 500 million consumers – Quora, and Dunkin’ Donuts continue to afflict Americans. Those three happened all in less than one week at the end of 2018. And data breaches often lead to identity theft, which hit record highs in 2017, with 16.7 million victims.

Jeff Sovern
PHOTO: courtesy of Jeff Sovern
Jeff Sovern

If it were up to Congress we might never have learned of any of these breaches. No law required companies suffering data breaches to notify the public until California required breach disclosures in 2003. Other states followed, and that is why we know of the Equifax and other breaches. California has once more stepped into the privacy gap. It has enacted a new law which in 2020 will give Californians the ability to learn what companies know about them and direct that the information not be sold to others. Just as with its 2003 data breach law, the new California statute will change what we know about what businesses know about us, perhaps in ways we cannot now predict.

California passed its new law because, at present, consumers cannot ascertain what businesses know or have figured out about them. Sometimes it’s not obvious: for example, Target can tell from a woman’s purchases whether she is pregnant and tailor its marketing accordingly, according to a 2012 report by the New York Times. (In a statement, to the Times, Target declined to say what demographic information it buys or collects.)

But the California law may never take effect. Businesses are urging the Congress that did little after the Equifax breach to pass a federal privacy law to protect companies from state privacy laws. Businesses argue that complying with the laws of different states is expensive. It may indeed add to the expense of operating in multiple states, just as complying with many other different state laws does, but it is a cost worth incurring. If we hadn’t allowed states freedom to choose their own course on privacy, California might never have passed its 2003 data breach notification law, with the result that we might never have learned how prevalent data beaches are and businesses would have less of an incentive to protect data.

Not only has Congress stalled on passing important bills, it has failed Americans by not giving the Federal Trade Commission – the leading federal privacy protection agency – the tools it needs to protect consumers. The FTC staff is only two-thirds the size of what it was during the first year of Ronald Reagan’s administration, despite the more than 40% increase in the country’s population since then, and the fact that the Commission now polices internet privacy.

And the Commission’s budget – less in 2018 than in 2012, even without taking inflation into account – constrains its ability to bring cases against offenders, even though during FY 2018 the Commission returned $1.6 billion – more than five times its budget – to mistreated consumers.

The federal government has also made it so much harder for the FTC to issue most rules, including privacy rules, that rulemakings take more time than they used to, and often the Commission doesn’t even try to write rules (to make matters worse, the Commission has been largely shuttered by the partial government shutdown).

One reason consumers need help from the states and the FTC is that they can’t protect themselves. Obviously, consumers cannot prevent companies from suffering data breaches. But even when consumers theoretically have control to protect their privacy, many of them fail to do so.

Get our free weekly newsletter

Take privacy policies. Many are unclear. A majority of consumers incorrectly think that companies that post privacy policies will keep their information secret. The length of privacy policies makes reading them impracticable. One Wall Street Journal reporter discovered that the privacy policies from her most frequently used apps, services, and operating systems spanned a football field. Not surprisingly, few consumers read disclosures. Thus, in one study, all 543 students invited to sign up for a social network agreed to the privacy policy and terms of service (TOS), even though they obliged the students to give up their first-born child.

When it comes to these varied privacy problems, Congress has somehow managed to be both comatose and angry. Given its inability to respond nimbly in the rapidly shifting privacy arena, Congress should avoid hamstringing those who can. Any federal privacy law should preserve the power of states to protect consumers so states can continue experimenting and respond quickly to privacy challenges. Congress should also increase the FTC’s budget and give the Commission the power to issue regulations. Congress should follow California’s lead in obliging companies to tell consumers upon request what they know about them and what they do with the information. If Congress cannot help, it at least should not make things worse.