In 2016, Uber was hacked. The hackers stole personal information — including driver’s license numbers, cellphone numbers, and email addresses — from 50 million riders and 7 million drivers. Uber then did not disclose it for a year, paying ransom to the hackers and withholding the risks of identity theft from its customers and the public at large.

The massive breach echoed an incident 10 years earlier, in which a Countrywide Financial employee stole millions of customers’ private information, according to federal investigators, including bank account information and Social Security numbers. Countrywide’s customers went to court and won a class-action settlement that provided free credit monitoring and reimbursed anyone who lost money. But when Uber’s customers tried to band together in a class action and sue, they were thrown out of court. The reason? Between 2006 and 2016, they had effectively lost the right to protect themselves in court as part of a dramatic change in American law: the rise of forced arbitration.

Right now, Congress is considering a new federal privacy law — the kind that would govern these kinds of massive data breaches. There’s lots of momentum behind such a law, with support from many Democrats and Republicans, and even major tech companies such as Apple, Google and AT&T. But nearly all of the proposals on the table have ignored the crucial issue of forced-arbitration clauses in consumer contracts. Companies use these clauses to prevent customers from suing them, often leaving no practical options for consumers whose rights have been violated. No matter what rights a new federal privacy law purports to provide, those rights could be hard to enforce unless the law also addresses forced arbitration.

Public awareness of the problems associated with arbitration clauses is growing, as the #MeToo movement has shed light on how they can prevent employees from suing employers over sexual harassment and other forms of discrimination. But arbitration clauses — a few words inserted into contracts that prevent customers or employees from going to court — can turn up in just about any commercial transaction. Large companies often use them to prevent people whose rights have been violated en masse from joining in a class action. You might think, for instance, that Uber’s customers should have been able to hold it to account just like Countrywide was. But Uber’s terms of service contain an arbitration clause; if you’ve ever used Uber, it’s almost a sure bet that you’re bound by the clause, regardless of whether you realized you were giving up your rights (though it ended this practice last year for sexual misconduct allegations).

These clauses get their legal power from the Federal Arbitration Act, a law passed nearly a century ago. For most of its existence, the law did not affect many people: It was designed to apply mainly to businesses dealing with each other and not to their consumers or employees. But a string of Supreme Court decisions over the last 20 years dramatically broadened the law’s scope, often with only a narrow majority of the court’s conservative members supporting the expansion. Now, companies are allowed to require their customers and employees to sign contracts that essentially waive any effective remedy for broad categories of legal claims.

Arbitration clauses are especially harmful when it comes to the Internet, because almost everything we do online involves a contract. When your ISP delivers a Web page to your computer, when you buy something online or share a photo or video, when you send an email to a friend — all of these actions take place under a company’s terms and conditions, the one-size-fits-all contracts that we each must accept if we want to use a company’s services. Those terms often contain an arbitration clause. Even though these terms of service are nonnegotiable, hard to decipher and rarely read, courts generally enforce them. And because arbitration clauses are empowered by federal law, states can do little to change their own laws to protect citizens from them.

Companies have learned to use arbitration clauses to evade what limited state and federal privacy laws exist. In 2013, for instance, Yahoo suffered a massive data breach. Because its customers were not all bound by an arbitration clause, they were able to band together in a class action and go to court to argue that Yahoo had legally inadequate data security. But then Verizon acquired Yahoo in 2017 and rolled out a new contract complete with an arbitration clause forbidding class actions — ensuring that no similar lawsuits can be brought in the future.

This tactic is widespread. Courts have recently forced arbitration, for instance, on people alleging that Barnes and Noble unlawfully shared customer information with Facebook; that the corporate transparency site Glassdoor publicly revealed anonymous contributors’ information; and that Snapchat has been illegally gathering and storing its users’ biometric information. In these disputes, the problem isn’t that there’s no law on the books, it’s that arbitration clauses prevent people from enforcing the laws that already exist.

And those are just the cases that we know of because someone tried to go to court anyway. The deeper problem with arbitration clauses is that they prevent legitimate claims from being made in the first place, especially when they forbid class actions. Nobody is going to hire a lawyer to dispute a wrongfully added charge of $5 or $6 on their monthly Internet bill; combining many such claims is often the only feasible way for private citizens to enforce their legal rights. When that route is not available, many potential claims will just never be made.

The rare consumer who does decide to take a dispute to arbitration has to plead their case in front of a private arbitrator, who, unlike a judge, usually rules in secret. The result is that the rest of us — other consumers, other companies, and law enforcement entities — may never know the extent of a company’s legal violations, or even whether the people who brought the lawsuits were victorious. But the limited data available indicate that success rates are shockingly low. A review of one arbitration company by the consumer group Public Citizen, for example, found that in a sample of 19,000 cases, the arbitrator ruled against consumers 94 percent of the time.

When private citizens can’t bring lawsuits, the enforcement of the law rests entirely with government officials. The Federal Trade Commission, for instance, has entered into a settlement with Uber regarding the data breach mentioned above, as has a nationwide coalition of attorneys general. But the recent record of public enforcement is mixed, at best. Public agencies have limited resources, and they can be hard-pressed to tackle violations by some of the world’s largest companies. The FTC has repeatedly been criticized for failing to enforce its long-standing consent decrees against Facebook and Google, and for refusing to enforce antitrust laws against Google despite the recommendations of its own staff. More broadly, the Trump administration has staffed federal agencies with leaders who are often explicitly anti-enforcement, hitting home the fragility of a system that does not allow consumers and citizens to defend their own interests.

Any new privacy law should include a “private right of action,” meaning a provision that allows individuals to sue someone who violates their rights under the law, as the ACLU’s Neema Singh Guliani argued persuasively in a recent New York Times op-ed. But that’s only a first step, because it is precisely those rights to sue that individuals can be forced to give up through arbitration clauses. To be more than just words on a page, a new federal privacy law will have to include a specific exemption from the Federal Arbitration Act. There is precedent for this: The Dodd-Frank Act, for instance, prohibited forced arbitration in mortgage agreements; the Military Lending Act barred it for consumer loans to troops; legislation introduced in the House of Representatives last term would ban it for claims of sex discrimination. Because so many privacy issues arise online, and because so much online activity is governed by contracts, a new privacy law is a natural candidate for a similar provision.

An arbitration carve-out in a federal privacy law wouldn’t fix all of the problems surrounding arbitration. Ultimately, the Federal Arbitration Act should be amended to scale back some of the Supreme Court’s more far-reaching decisions. But given the consensus building around the need for greater consumer protections online, it’s important to ensure that whatever laws Congress passes are as effective as possible. There are many debates ahead about just what a new privacy law should look like. Whatever the outcome of those discussions, though, forced arbitration should not be on the table.

Read more: