In an op-ed in TIME last week, Apple CEO Tim Cook called for a new federal privacy bill and a registry for data brokers that buy and sell data from third parties. Doing so would shed light on an insidious industry that many people may not even realize exists. It also wouldn't be easy.

For all of the talk over the last year about cracking down on companies like Facebook, Cook wrote that it’s this “shadow economy” of companies, most of which the average consumer has never heard of, that deserves a closer look.

“You might have bought a product from an online retailer—something most of us have done. But what the retailer doesn’t tell you is that it then turned around and sold or transferred information about your purchase to a ‘data broker,’” Cook wrote. “We think every user should have the chance to say, ‘Wait a minute. That’s my information that you’re selling, and I didn’t consent.’”

Cook proposes that these brokers register with the Federal Trade Commission, allowing consumers to see which information is bought and sold, and enabling them to delete it if they want to. The pitch received resounding praise from senators Ed Markey (D-MA) and Ron Wyden (D-OR), as well as some skepticism from industry executives like Facebook’s vice president of ads, Rob Goldman.

But floating such a broad idea is far easier than implementing it. How would a data broker registry work? What companies would it include, and which would it leave out? And what would it really accomplish? As with all privacy legislation, answering those questions will likely require a messy battle between powerful interests in the data economy.

License and Registration

Requiring certain industry groups to register with the federal government is hardly a novel idea. Lobbyists in the United States already have to register at the state and local level. Attorneys register in the state where they’re licensed. Anyone who wants to can probe public databases to find out more about the people doing this work.

"A good federal bill has to cover data brokers. But it has to cover the tech giants and brick and mortar stores, too." Privacy Advocate Mary Ross

That those disclosures are commonplace in some industries doesn't mean data brokers would accept them without a fight. Just this month, Vermont's data broker law—the first of its kind in the United States—went into effect after a hard-fought battle in the state legislature the year before. That law stops short of Cook’s proposal, requiring only that companies that handle data from people who are not their direct customers register as data brokers with the state. As part of that registration, they must also disclose whether they allow people to opt out of having their data collected and sold, as well as the number of data breaches they’ve experienced in the prior year.

The law was narrowly focused by design, says Ryan Kriger, assistant attorney general of Vermont. "We wanted a registry of actual data brokers, not 100,000 companies," he says. "Creating a definition was very tricky."

They also needed a law that stood a chance of passing in a state as small as Vermont, says Mary Ross, who was part of the group that pushed for a far more expansive privacy bill that was signed into law in California last year. That bill doesn't create a formal registry, but it does allow consumers to ask businesses that sell their data about the categories of data they're sharing, and with whom they're sharing it. The California law also requires businesses to stop selling a person's data at their request. These far-reaching policies passed, despite staunch criticism from business groups and members of the tech community. "Companies aren't going to not do business with Californians," Ross says. "But in Vermont, they don't have that protection."

The Vermont bill's narrow scope means it doesn't require anything of businesses, like Facebook, that collect data directly from their customers. It doesn't require companies to let people opt out of data collection and sales, and it doesn't require that data brokers give people access to the information they’ve collected.