It’s not the first time we’ve seen this argument, and other companies have made similar arguments in privacy lawsuits. In addition, major industry players, including the U.S. Chamber of Commerce, have put forward similar views. They are fighting legislation that would grant consumers the ability to sue companies for privacy violations and are lobbying for federal privacy legislation where enforcement is tied only to “concrete” harm, not necessarily to violations of the law.

It’s easy to see why.

Huge privacy violations have become commonplace. Without a private right of action, consumers have little practical ability to seek relief in cases where their data was mishandled or misused. This eliminates a powerful enforcement stick that can be used to dissuade companies from violating the law. A private right of action is also important because government agencies often do not have the resources to investigate and take action in every case where consumers’ privacy is violated. So, a private right of action may be the only avenue to hold a company accountable.

In rare cases, the harm from a privacy violation may be clear, such as losing a job, money or sense of safety. But in most cases, the harm, while staggering, can be virtually impossible to measure. For example, how do you prove the collective impact of having companies profile you based on sensitive health data, affecting things like the content you see and the ads you’re served? How do you measure the national-security or societal impact of having people targeted with divisive and exploitative ads? How do you determine the collective impact of consumers’ being stripped of control over information they own and having intimate details of their life, like relationship status and political views, shared with countless entities?

Industry players often seek to take advantage of the extreme difficulty that most people face in showing exactly how they have been hurt by a privacy violation. The bar is almost impossibly high for consumers or regulators who seek to rein in abusive data practices. Under the view that consumers must show “concrete” harm, it would not be enough to show that a company violated the law by, for example, sharing information without permission. And it would not be enough to show that millions of consumers were affected or that billions of pieces of information were improperly shared. For a fine or damages to be imposed, consumers would instead have the difficult burden of demonstrating that the unlawful collection of their own data damaged them in a tangible and measurable way, like causing physical, emotional or financial harm.

This limit on consumer suits might be good for industry, since it may insulate companies from legitimate lawsuits stemming from their irresponsible data practices and helps them emerge virtually unscathed following large-scale privacy violations that affect millions. But it’s a bad deal for everyone else.