The drumbeat to regulate Big Tech began pounding long before the Cambridge Analytica scandal rocked Facebook—six long years ago, the Obama administration pushed a “Privacy Bill of Rights” that, like most other legislative attempts to safeguard your data online, went nowhere. But this time, as they say, feels different. Thanks to repeated lapses from not just Facebook but all corners of Silicon Valley, some sort of regulation seems not only plausible but imminent.

US politicians have called for Facebook CEO Mark Zuckerberg to appear in person before Congress. Some tech-focused legislation is currently wending its way through the Capitol’s corridors. And regulators in other countries have already clamped down on tech.

'I think what tends to work well is transparency, which I think is an area where we need to do a lot better and are working on.' Facebook CEO Mark Zuckerberg

In an interview with WIRED editor-in-chief Nicholas Thompson Wednesday, Facebook CEO Mark Zuckerberg seemed if not outright welcoming toward regulation, at least accepting of it. “There are some really nuanced questions though about how to regulate, which I think are extremely interesting intellectually,” says Zuckerberg, who points to the bipartisan Honest Ads Act, cosponsored by senators Mark Warner, Amy Klobuchar, and John McCain, as an example of the sort of bill his company can get behind.

The Honest Ads Act, legislation that calls for increased transparency behind who pays for political ads online, makes for a convenient example, though, in part because Facebook has already implemented many of its provisions. The bill, introduced last October, also appears to have languished, making it a non-substantive threat. Meanwhile, critics say it wouldn’t have stopped Russian propagandists from flooding Facebook in the first place.

Besides, even the Honest Ads Act’s sponsors have noted that it addresses a very small piece of a very large problem. And it does nothing to address the data privacy concerns that rightly create so much angst among anyone with any sort of presence online. Which is to say, everyone. For that, the US would need something much bigger.

“We do not have an omnibus privacy legislation at the federal level,” says David Vladeck, former director of the Federal Trade Commission’s Bureau of Consumer Protection. “We don’t have a statute that recognizes generally that privacy is a right that’s secured by federal law. And that puts us at the opposite end of the spectrum from some of the other major economies in the world.”

It’s not that living in the US puts you totally in the privacy hinterlands. The FTC has a modicum of authority, and has used it when companies grossly overreach—as it did against Facebook in 2011, when the company failed to keep its promises regarding how it treated users' data. Facebook had made user information public, even if those users had previously had more restrictive privacy settings, and allowed third-party developers to mine the data not just of the Facebook users who downloaded their apps, but of all of those people's friends. (If that sounds familiar, well, it's precisely what allowed the Cambridge Analytica fiasco.)

Even then, though, Facebook got off with a scolding. It had to sign a consent decree, essentially a promise that it wouldn’t stray again. That's gone unchecked until this week, when the FTC reportedly opened an investigation into the Cambridge Analytica scandal, and could fine Facebook up to $40,000 per violation—with 50 million people impacted, the potential fine hypothetically stretches into the trillions.

But the threat of retroactive fines clearly hasn't done the trick. The FTC, meanwhile, can only work with the legislative tools it’s given. So what would it look like if Congress gave it better tools? Other countries might offer something like an outline, if not an outright blueprint.

In Finland, officials feel that their strong public education system and a coordinated government response have been enough to stave off Russia’s propaganda; Sri Lanka banned Facebook, WhatsApp, and Instagram entirely. Which is to say, it's a wide gamut.

On the data privacy front, the most recent high-profile model comes from the European Union, where the General Data Protection Regulation becomes the law of the land on May 25. GDPR focuses on ensuring that people who use online services know not only exactly what data those companies will take, but how they put it to use.