Over the course of two days and 10 hours of testimony, Facebook CEO Mark Zuckerberg was grilled by members of the U.S. Senate and House of Representatives this week. While questions about the Cambridge Analytica scandal and misuse of the personal data of tens of millions of U.S. citizens were what brought him there, many of the questions lobbed at Zuckerberg centered around how Facebook should be regulated in the future.

Just how clueless many members of Congress are about technology was made abundantly clear over the course of the hearing. Nonetheless, bipartisan consensus appears to be forming that Facebook can no longer be trusted to self-regulate and that Congress must step in. But consensus is still building around what exactly can be done.

There will no doubt be additional legislation proposed in the wake of Zuckerberg’s testimony, but based on statements made during the committee hearings this week and legislation that has been formally proposed in both the House and Senate, here’s a quick overview of five ways members of Congress might regulate Facebook and other tech giants.

1. A ‘privacy bill of rights’

The CONSENT Act stands for Customer Online Notification for Stopping Edge-provider Network Transgressions and would require the Federal Trade Commission (FTC) to create data privacy protections for consumers. The bill was proposed by Sen. Ed Markey (D-Mass.) and Sen. Richard Blumenthal (D-Conn.), who have come to call the proposal a kind of “privacy bill of rights.”

In essence, the CONSENT Act would require companies to give users clear information about how their data will be used and would mandate that users be given the choice to opt into sharing their personal information instead of having to opt out.

Some form of legislation is necessary, Blumenthal said.

“My reservation about your testimony today is that I don’t see how you can change your business model unless there are specific rules of the road,” Blumenthal told Zuckerberg. “Your business model is to monetize user information to maximize profit over privacy. And unless there are specific rules and requirements enforced by an outside agency, I have no assurance that these kinds of vague commitments are going to produce action.”

2. Digital Consumer Protection Agency

Beyond formal legislation proposed thus far, Rep. Raul Ruiz (D-CA) suggested the creation of a Digital Consumer Protection Agency that can spring into action to deal with situations like the Cambridge Analytica breach and other high-profile breaches that have occurred over the years.

Like the Consumer Financial Protection Bureau created in the wake of the 2008 financial crisis, the new agency’s central purpose would be to represent the rights of consumers.

Ruiz suggests that such a body could oversee how consumer data is collected, shared, and used by companies and fight against things like identity theft, as well as the kinds of data misuse seen in the Cambridge Analytica affair.

Fears of overcorrection or the enactment of too much regulation were shared vocally by Republicans on the House of Representatives committee.

A 2011 FTC consent decree already provides consumer protection and financial penalties, some members of the House Energy and Commerce committee argued. Ruiz countered that Facebook was aware of the data breach in 2015, took no action, and suffered no penalty from regulators.

Zuckerberg told Ruiz that while notifying users might have been the right thing to do, he didn’t believe Facebook had a legal obligation to do so after learning about the Cambridge Analytica misuse of data in 2015.

“It doesn’t seem like the FTC has the necessary tools to do what needs to be done to protect consumer data and consumer privacy, and we can’t exclusively rely on companies to self-regulate in the best interests of consumers,” Ruiz said.

3. General data protection plan following Europe’s GDPR

News outlets including Reuters reported last week that Facebook does not have plans to extend consumer protections available in Europe to users in other parts of the world, something Zuckerberg pushed back against in a conference call with reporters last Friday.

Zuckerberg was asked about that topic again this week by several members of Congress. In response, he said Facebook will implement some policies — like making control of privacy settings easy to find and including consent for data usage — regardless of Congress’ plans to regulate. Tools to download or delete your data, also required by GDPR, have been available for years, he said.

In his response to the many questions about GDPR, Zuckerberg did not commit to extending every element of the European plan to consumers in the U.S.

Adopting a plan similar to GDPR would involve several essential elements:

  • a better definition of personal data
  • notifying users of a data breach within 72 hours
  • upholding consumers’ right to know if their data is being processed, where, and for what reason

What we know won’t be extended to the United States is financial penalties for failure to protect consumer data.

Multiple members of the House and Senate openly discussed the idea of a general data protection plan for the U.S., including Rep. Peter Welch (D-VT), who asked if the government should define the concepts of digital “privacy” and “personal information” to clarify what data needs to be protected most.

“Privacy cannot be based just on company policies, whether it’s Facebook or any other company. There has to be a willingness on the part of this Congress to step up and provide policy protection to the privacy rights of every American consumer,” Welch said.

4. Honest Ads Act

One of the only proposed pieces of legislation that has been endorsed by Zuckerberg thus far is the Honest Ads Act, which would require tech companies with more than 50 million monthly users to maintain a public file of all political ads purchased by anyone spending more than $500.

The bill also received support from Twitter Tuesday, just hours ahead of Zuckerberg’s testimony before members of Congress. Google was also asked to support the legislation but has not yet offered an endorsement.

The Honest Ads Act came up in Zuckerberg’s testimony when speaking with the bill’s author, Sen. Amy Klobuchar (D-Minn.), but was not a major topic of discussion, perhaps since Zuckerberg had already endorsed the idea.

Formally introduced to the Senate last October, the Honest Ads Act has 22 co-sponsors, more than any other piece of legislation being considered in the wake of the Cambridge Analytica scandal.

Sen. Tom Udall (D-NM) repeatedly asked Zuckerberg if he would be willing to advocate for the passage of the Honest Ads Act to convince others in the tech industry to support the bill, to which Zuckerberg responded that he would support it in writing and that Facebook is implementing the guidelines set out in the bill. To the rest, he added with a smirk, “Well, Senator, I try not to come to D.C.”

5. Browser Act

The BROWSER Act requires internet service providers and websites like Facebook to receive opt-in approval for information about a person’s health, financial information, web browsing history, location, or information about children under 13.

BROWSER stands for Balancing the Rights Of Web Surfers Equally and Responsibly.

The legislation was introduced in May 2017 and was authored by Rep. Marsha Blackburn (R-Tenn.), chair of the House Committee on Energy and Commerce’s subcommittee on Communications and Technology.

Blackburn asked Zuckerberg to support the legislation at a hearing, but Zuckerberg said he wasn’t familiar with the details of the bill.

A news report by The Tennessean cites Blackburn as saying the bill has received additional support since the hearing but has yet to move beyond being introduced.