The top administrator of the U.S. Conference of Catholic Bishops resigned last month after a newsletter used data from his cellphone to confirm his use of the dating app Grindr and track his movements to gay bars. Questions about hypocrisy aside, this invasion of an individual’s intimate life should be alarming when it happens to anyone — yet it could easily happen to everyone.

The problem of information privacy can seem abstract to the everyday American. Sometimes, the harms of unregulated data collection look negligible: Who cares if an advertiser is able to target a particular type of shoe to a particular type of person? The more insidious possibilities, meanwhile, can appear hypothetical: Would someone really purchase anonymous location data, go to the trouble of re-identifying its subject and then exploit what they find to publicly harass? Now we know that the answer is yes. The consequences of Congress’s failure to pass federal legislation governing how companies collect, process and sell the reams of data available in the Internet age are starker than ever.

In the case of the priest, it appears Grindr collected sensitive information and passed it along to third parties, who might in turn have passed it to other parties, until eventually it landed in the hands of a data broker: one of many companies that vacuum up personal data and spit it back out to customers. (Grindr disputes that it is the source of the data.) Exactly the route that information traveled is uncertain, because there are few rules of the road. Something similar happens to most smartphone users most days as they tap on virtual jewels of candies for high scores, or as they check the weather. Information including their location is gathered and sold, usually for the end purpose of advertising: to greet people who recently went to nightclubs with deals on party dresses, for instance, or to lure them into a nearby store.

The possibilities for abuse of this already intrusive ability are manifold. A private investigator in a divorce case might try to figure out whether someone is cheating; a domestic abuser might try to track down a fleeing victim. Journalists have used these tools to speak truth to power in authoritarian states, but authoritarian states have also used them to shut truth-tellers down. Law enforcement here has purchased location data to go after criminals — a noble end, perhaps, but also a cynical means of bypassing constitutional restrictions on warrantless surveillance.

The data-brokerage business is so lucrative because it’s so easy. There are scarcely any limitations on who can sell information, who can buy it and who can sell it all over again. Any thoughtful federal privacy legislation would restrict the data that companies can collect from consumers, as well as what those companies can do with it. Simply selling it to the highest bidder should be out of the question. Otherwise, a society stripped of any expectation of personal privacy pays the price.