The testimony of Facebook whistleblower Frances Haugen sparked the latest flare-up in a never-ending series of revelations on how companies and governments mine and commercialize our personal data. In an attempt to put consumers back in the driver’s seat, recent updates to data protection regulations such as the GDPR in the European Union and the CCPA in California have mandated transparency and control as critical pillars of privacy protection. In the words of the European Commission: “It’s your data—take control!”

Empowering consumers by giving them a say is a noble goal that certainly has a lot of appeal. Yet, in the current data ecosystem, control is far less of a right than it is a responsibility—one that most of us are not equipped to take on. Even if our brains were to magically catch up with the rapidly changing technology landscape, protecting and managing one’s personal data would still be a full-time job.

Think of it this way: Being in charge of your sailing boat is absolutely wonderful if you are drifting along the Mediterranean coast on a beautiful day. You can decide which of the many cute little towns to steer toward, and there are really no wrong choices. Now let’s imagine being in charge of the same sailing boat in the middle of a raging thunderstorm. You have no idea which direction to go in, and none of your options seem particularly promising. Having the “right” to control your own ship under these circumstances might not be very appealing, and could very easily end in disaster.

And yet, that’s exactly what we do: Current regulations drop people in the middle of a raging technology sea and bless them with the right to control their personal data. Instead of forcing the tech industry to make systemic changes that would create a safer and more amenable ecosystem, we put the burden of safeguarding personal data on consumers. This approach protects the creators of the storm more than the sailors.

For users to be able to exercise control over their personal data successfully, regulators need to first create the right environment that guarantees basic protection, in the same way the Securities and Exchange Commission regulates the investment world and protects individuals from making bad decisions. Under the proper conditions, individuals can choose among a series of desirable outcomes, rather than a mix of undesirable ones. In other words, we first need to tame the sea before handing individuals more control over their boats. There are a few steps that regulators can take immediately to calm the waters.

First, we need to make it costly for companies to collect and use personal data by taxing them for the data they collect. If they have to pay a price for every piece of data they gather, they will think twice about whether they really need it.

Regulators also need to mandate that defaults are set to sufficient levels of protection. Users’ data should be guarded unless they choose otherwise, a concept termed “privacy by design.” Nobody has time to make protecting their privacy a full-time job. Safeguarding information needs to be easy. Privacy by design reduces the friction on the path to privacy, and guarantees that basic rights are automatically protected.