There’s no need to start from scratch. In 2012, President Barack Obama proposed a privacy bill of rights that included many ideas for giving people more control over their information, making data collection more transparent and putting limits on what business can do with the information they collect. The bill of rights fizzled out when Congress showed little appetite for it. But the European Union has used a similar approach in developing its General Data Protection Regulation, which goes into effect on May 25.

The new European rules are not perfect — they include the so-called right to be forgotten, which allows people to ask companies to delete personal information that they no longer wish to share. That could be implemented in ways that limit free speech. But the Europeans have made progress toward addressing some of the problems that have recently been highlighted in the United States. For instance, their laws require companies to seek consent before collecting sensitive personal information, to make the request understandable, and to give users an easy way to opt in to sharing such data, rather than forcing them to opt out if they don’t want to be tracked. Further, companies that want to collect data about Europeans will have to be upfront about how they use personal data, and they cannot collect more information than they need to provide the services they are offering. The Obama bill of rights included a similar concept, saying that personal information should only be used in “ways that are consistent with the context in which consumers provide the data.”

Today, it is standard procedure for many companies to vacuum up as much data as they can by getting users to agree to long, impenetrable terms of service. Companies might not even know how they will use the information being collected but collect it anyway, in case they later develop a specific use for it. Recently, some Facebook users discovered that the company’s Android app had been logging metadata from every incoming and outgoing phone call and text message, in some cases for years. The company said that users had consented to sharing this information and that doing so “helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook.” That statement is positively Orwellian. It’s hard to believe that many people would have given the company access to so much personal data if they actually understood what they were agreeing to.

The new European regulation will also let people access their own data, transfer their information from one business to others that provide a similar service and delete it altogether under certain circumstances. Companies will have to notify customers within 72 hours if they become aware of a breach of personal information.

Many businesses will struggle to comply with the European Union’s new rules, and officials in member countries will have a hard time enforcing them consistently. “We will have a learning curve,” said Isabelle Falque-Pierrotin, who heads France’s privacy regulator, the Commission Nationale de l’Informatique et des Libertés. “We will have to adjust.”