The new European Union rules, which go into effect this month, are based on the premise that we all have a broad right to control data about ourselves. We should have a right to know what data companies have about us, how it will be used and with whom it will be shared. We should be able to take our information from one company and give it to another or to have it deleted altogether. Presenting users with massive, legalistic privacy policies that cover myriad situations won't cut it. Users will have to be given clear and specific yes/no questions about whether they consent to share their data, and companies will be required to report breaches within 72 hours. There are and have to be some obvious exceptions to the rules related to public and historic records and journalism, but in the wake of the Cambridge Analytica scandal, Facebook and companies like it need to follow rules that protect their customers, not business models that treat them as exploitable commodities.