One could be forgiven for expecting the Federal Trade Commission’s third PrivacyCon to be disheartening. Data breaches continue to increase in size and scope; hardly a month goes by without a story about inadequately secured databases, surveilling “smart” toys, and session-replay scripts that steal passwords. As a kickoff to National Consumer Protection Week, this year’s PrivacyCon focused on the economic consequences of privacy and the economic incentives—or lack thereof—to protect users’ digital privacy.

The system of free-flowing data as a commodity supports a wealth of products and services that expose consumer data. As Princeton University’s Gunes Acar explained in a presentation about session-replay scripts, systems can expose information in ways a company would never expect. Session-replay scripts allow websites to capture the exact browsing experience a user goes through while visiting their website, recording everything from the movement of a cursor across the page to the exact amount of time a user hovered over a button before clicking. As Acar revealed, because websites will sometimes temporarily store information in formats that are accessible to the session-replay script, a consumer researcher hoping to learn about a user’s website experience may also receive plaintext usernames and passwords, private health information, driver’s license numbers, or other sensitive information.

Without thinking actively about what information a wide net may capture, companies put themselves on shaky legal ground by collecting protected data without realizing it. Presenters emphasized that, in some cases, the company or service provider may not even realize that their actions have compromised consumers’ security until it is brought to their attention by a third party. Facebook, for example, was unaware bad actors could use Facebook’s targeted advertising service to de-anonymize a list of email addresses by inferring their phone numbers en masse until a team from Northeastern showed them how.

While consumers sorely need tools to navigate the wilds of digital privacy, they have shown a reluctance to spend money on them, especially if they do not believe it will make a difference. Toulouse School of Economics’ Ying Lei Toh discovered that when consumers have both the will and means to punish a company for mishandling their data, they can force firms to be more cautious. When consumers lack leverage or the data has already been exposed, they will continue patronizing the firm even after a breach occurs, as there is no perceived purpose in pursuing data protection. Given that many consumers’ lifetime information may have already been exposed in one of several major data breaches, how can consumers motivate companies to invest in better securing their data?

In many of the conference presentations, researchers determined that companies shared user information by default. Consumers are expected to either not participate in the technological ecosystem or to take proactive—and often unreasonably onerous—steps to discover the way companies expose and exploit their data. There are researchers and activists working to improve digital privacy hygiene, such as presenter Pardis Emami-Naeini, who discussed designing a digital privacy assistant app—shoring up consumers’ ability to respond to data overreach.