It is easier than ever for sensitive information to spread, and we urgently need legislation that allows the Federal Trade Commission and state attorneys general to protect Americans from having their personal data collected and sold without their consent.

According to a 2014 F.T.C. report, data collected and sold by data brokers “can be used to facilitate harassment, or even stalking, and may expose domestic violence victims, law enforcement officers, prosecutors, public officials, or other individuals to retaliation or other harm.”

States aren’t waiting for the federal government to act. Last year, former Gov. Jerry Brown of California signed the California Consumer Privacy Act, which requires businesses to tell consumers what data they’ve collected about them when requested. But it puts the burden on consumers to fight for their own data protection, rather than placing the burden on companies to ensure that data is used in ethical and responsible ways.

Instead of requiring individuals to fight for their own data privacy (something that is increasingly impossible for them to do), we need a federal standard that requires data collectors to use consumer information ethically. Among other things, Congress must take several steps to ensure data brokers can’t continue selling private data without serious repercussions.

The F.T.C. should have the power to incentivize ethical data use and punish companies that act unethically by sharing information that could cause harm to individuals. This irresponsible behavior by data brokers has included making available rape survivors’ contact information, using personal information to enable racial and ethnic discrimination or providing information on seniors who suffer from dementia.

Big data has the power to transform our world in industries from education to health care to manufacturing. But current law doesn’t discriminate between a company using your data responsibly to develop new cancer treatments and one selling your phone number to an online predator. Congress must give the F.T.C. authority to go after bad actors while still allowing for innovative uses of data to improve lives.

Furthermore, data privacy legislation should take the burden off individuals and place it on companies. Most people don’t have the time or legal background to read and understand pages and pages of terms and conditions just to keep their personal data off the open market. Companies must make it easy to understand how they are using data and to whom they are they’re selling it.