After news broke this week of Cambridge Analytica’s unauthorized siphoning of millions of Facebook users’ data for political targeting, one particularly troubling reaction emerged: Some commentators implied that Facebook users themselves are also to blame for not being more discerning about, or questioning, how their data might be used. Coincidentally, this reaction echoed past comments by the social network’s chief executive, Mark Zuckerberg, who had derided Facebook users for giving up their personal data.

As a law and organizational scholar who studies platforms, I find the idea that users should bear any of the blame for the unauthorized exploitation of their data on Facebook outrageous. This notion goes against legal concepts that maintain that platforms to which we entrust our personal data should be expected to protect that data and not use it to manipulate us. Yes, there is always some onus on consumers to make informed choices about products and services they consume, but Facebook’s business model of ever-changing terms of service, riddled with the indecipherable legalese used by most platforms, and its general lack of information about data governance mean that consumers are often left in the dark about Facebook’s data collection practices.

And ultimately, after all, harvesting user data for targeted advertising was part of Facebook’s business strategy. Cambridge Analytica was able to obtain Facebook users’ data precisely because Facebook itself was already collecting and allowing third-party app developers to access that data. Facebook has extracted ever more personal information as part of the bargain for using its platform; Cambridge Analytica may have done it in a way Facebook now says it shouldn’t have, but the firm was using the platform exactly as intended.

Facebook’s method of growth — constant expansion, accompanied by a business attitude of “move fast and break things” — left data protections for consumers as an afterthought. Facebook is no longer merely a social media company. Rather, it’s a catchall platform where users can find jobs and housing in between exchanging cat photos. These additional public functions make stricter regulations for Facebook even more crucial: Several lawsuits have recently been filed against Facebook alleging housing and age discrimination in employment. The idea that Facebook might think that simply being “a platform” for real estate or hiring transactions means it doesn’t need to follow well-settled laws against discrimination is troubling.

The Cambridge Analytica breach is one symptom of several problems with social networking platforms. One problem, as some scholars have noted, is that we have been lulled into acquiescence by platform surveillance masked as gamification — relatable and funny quizzes that trick us into giving up our personal data — and a lack of regulations to prohibit such data traps.

The Facebook site and others like it also promote “platform authoritarianism,” which is when platforms demand that we engage with them only on their dictated terms, without regard for established laws and business ethics. This isn’t simply a Facebook problem; it is also a feature of other platforms, such as hiring sites, which may be used to cull older workers through graduation dates, or customer relationship management software, which ultimately may be turned against retail and low-wage workers.

Although Facebook is now scrambling to address the data breach, the exposure of consumer data has serious consequences, and Facebook and its competitors cannot simply be left to regulate themselves. It is time to change the American hands-off attitude to data protection. Data protection in the United States remains a Wild West, with companies given carte blanche to collect consumer information and tech companies taking a cowboy mentality toward enriching themselves from users’ data. Perhaps we could look to the European Union and its new General Data Protection Regulation to study how to rein in data surveillance and protect American consumers. A start would be government-mandated privacy by design, with default settings that allow for no unauthorized data collection. There should also be clear rules about how consumers may opt into data collection and about informed consent regarding how such data may be used.

These steps can help prevent the loss of privacy and data autonomy in exchange for the opportunity to use platforms, such as Facebook, which have made themselves integral to social and economic life.