Ever since news of the Cambridge Analytica scandal broke last year, lawmakers have been poised to pass a federal privacy law. After a year of posturing, there is finally considerable bipartisan support for such a law. Some privacy groups and lawmakers have suggested the U.S. needs to adopt an intrusive policy similar to Europe’s GDPR or California’s recent privacy law. Instead, Congress should pass a law that maintains U.S. tech leadership by passing light-touch regulation that doesn’t hinder innovation or competition—and protects user privacy.

The fundamental problem with passing heavy regulation is that it hurts smaller firms. So big tech firms, which can handle paying larger compliance fees, are ultimately just given greater influence in the lawmaking process while smaller firms are crushed.

Europe’s General Data Protection Regulation (GDPR), the onerous privacy rules that came into effect in May 2017, is already having this effect there. As AEI scholar Roslyn Layton points out, the market share of smaller European ad-tech firms is down between 18 to 32 percent while Google and Facebook have seen almost no change.

To make sure regulation isn’t unnecessarily difficult to comply with, Congress should stop state privacy laws in their tracks. They’d need a federal regulatory scheme that disallows states from passing their own privacy laws, since more states are likely to follow California’s lead and do just that. But if they do, it’ll only create a nightmarish patchwork of regulation––meaning different privacy standards per state. It’d be nearly impossible for firms to comply with all of these individual mandates because the internet is a boundless medium. Congress’s intervention, dubbed “preemption,” would avoid this scenario, and it’s a move that’s supported by both privacy advocacy groups, big tech companies like Amazon, Google, AT&T and smaller firms and startups. Without preemption, states with the most restrictive policies will likely set federal policy because it’s difficult to provide services while complying with different privacy frameworks based on location.

Firms can also choose to offer certain services only in areas with lower compliance costs. Overbroad regulation like the GDPR has increased the costs of compliance and some US websites are still unavailable in Europe because of compliance costs.  This is certainly a problem for news websites like the Chicago Tribune and New York Daily News, the third and fifth biggest US newspapers respectively, that aren’t available to European residents even though GDPR’s been in effect for almost a full year.

Consumers should come first when planning, which is why new rules should be centered around consumers’ privacy expectations. More stringent regimes don’t translate into an increase in consumer trust, which should be the goal of a privacy regime. The GDPR, which has remained at the center of the privacy and data protection conversation in Europe for almost a decade, hasn’t noticeably improved consumer trust.

Third, Congress should not import opt-in mandates, as some have suggested, from GDPR. These mandates that would require all websites receive affirmative consent from users for using cookies, but a cookie just helps identify users and assist providers in preparing web pages customized for them. For example, YouTube’s welcome page gives suggestions based on your viewing history instead of a welcome page that is same for all users. It’s the cookie that, in this case, captures all the personal information that YouTube utilizes to customize the page for you.

If an opt-in requirement were adopted, providers would have to see affirmative consent at every instance in which information is collected or recorded by the site. This’ll just be annoying for consumers, since they’ll be prompted with tons of consent messages on any given website. It also translates into negative effects for businesses. Europe’s “Cookie Law,” for instance, mandates that websites seek affirmative consent from each new user—and costs European businesses $2.3 billion per year in compliance and productivity costs.

When deciding to opt-in, consumers are essentially performing a mini cost-benefit analysis before accessing the service or website. This is where smaller firms suffer, because they don’t have the requisite name recognition that users would want before consenting to data collection. Consumers might not be willing to try these services when they know there are services like Facebook and Google they can use. And this can have a chilling effect on competition and, by consequence, innovation.  

And an opt-in regime might just incentivize more unnecessary data collection. The FTC’s Privacy Guidelines require companies seek affirmative consent when companies are using user data in “in a materially different manner than claimed when the data was collected” and when sensitive data, like location services and health records, is collected.

An opt-in regime would include all data and would flood consumers with consent requests which would desensitize them to opt-ins. Then websites, worried that consumers might not opt-in in the future, would just be more likely to increase the scope of data they collect. In the end, consumer privacy will be in even more jeopardy than it was before.

Instead, Congress should incentivize firms to voluntarily prioritize user privacy by allowing them to innovate and build “privacy by design” services. Essentially, this means that firms will take privacy into account while building services instead of doing so after the fact. This would make things better for consumers, since firms would be able to utilize technology to enhance privacy. Legislation like the bill introduced by Senator Klobuchar (D-MN) features a safe harbor provision that precludes “privacy-enhancing technologies” from penalties. This would work beautifully, since it wouldn’t punish firms who actually try to implement “privacy by design” services.

It’s also important to realize that Congress can’t just wave a magic wand and incentivize firms to care about privacy. An IAPP survey of 800 enterprises around the world found that firms in traditionally unregulated industries invest more in privacy. Industries such as online, software, and retail that are traditionally unregulated, invest more in privacy programs and have a stronger focus on risk mitigation and consumer expectations. Moreover, privacy teams in such industries “exert far greater influence” over product managers than the general industry. On the other hand, regulated industries like healthcare and banking, focus more on compliance and accountability.

This suggests that onerous, top-down regulations are not the best way for governments to incentivize firms to preserve their users’ privacy. The IAPP survey shows that burdensome regulation shifts firms’ incentives, spurring them to focus on compliance and accountability at the expense of building privacy focused services. Therefore, lawmakers should, instead, focus on aligning  firms’ incentives with user privacy interests.

As Congress thinks about adopting a federal privacy law in 2019, it must be wary of borrowing from the heavy-handed policy regimes of Europe or California. An overbearing regime can have unintended consequences—reducing innovation and competition. Let’s give small firms, and consumers, the chance to win.