On Wednesday, lawmakers in the House narrowly defeated a measure proposed by Rep. Justin Amash that would have dramatically curtailed the National Security Agency’s ability to collect phone records. While concerns about the breadth of the NSA’s surveillance are far from behind us, privacy advocates will do themselves a grave disservice if the NSA remains the sole focus of this discussion. We will never truly ameliorate the privacy concerns raised by this surveillance so long as there remain virtually no restrictions on commercial entities’ ability to track us and retain massive amounts of highly personal data.

Much of the story about contemporary concerns over electronic surveillance involves rapidly developing technology that in turn produced massive shifts in the way we communicate. Twenty years ago, the amount of information that could be obtained about an individual by monitoring cell phone metadata and online activities was relatively minuscule compared to today. This is because, as technology developed, more and more people had online lives; a higher percentage of communications became electronic; the Internet became users’ preferred source for obtaining information of any kind; and there was an explosion in social media usage. All of these evolving uses made it easier for the government or Google to understand every dark niche and corner of a person’s life. Unlike twenty years ago, this kind of surveillance will in almost every case uncover virtually all of a person’s contacts, the angry emails they sent at 3 a.m., and every purchase they’ve made or thought about making.

These developments in technological capabilities and how we use technology have far outpaced all legal frameworks for safeguarding individual privacy. Over time, the concept of privacy we had in 1995 or 2000 became outmoded, with few people realizing the extent to which this shift had occurred.

The privacy concerns that we now have about the government watching us apply also to commercial entities. And whether or not they are sufficient, safeguards do exist limiting the NSA’s ability to spy on Americans. In contrast, restrictions on commercial entities’ ability to track and store information about Internet and cell phone users are virtually nonexistent. In Europe, there is currently a great deal of concern about commercial entities tracking people; that concern should exist in the United States as well.

When Amash’s proposal failed, legislators who voted against it spoke of national security considerations. Rep. Mike Rogers commented, “This isn’t a game. This is real. It will have a real consequence.” Indeed, it’s difficult to draw an optimal line delineating precisely how much collection, retention, and analysis of metadata and other personal information the government should be allowed to undertake. After all, we want our privacy, but we also want the government to be able to disrupt terrorist plots.

Just as for government, there is reason to allow commercial entities to track our online activities and store data on us to some extent: they can make money this way (e.g., through ad sales). While that may sound like a trivial concern, it should not be dismissed: if Google and Facebook were not as adept at understanding their users—and using that understanding to generate revenue—we would not be able to enjoy their remarkable services for free.

But do commercial entities really need to know what websites you visited, and who you sent instant messages to, and the location of your cell phone eight or ten years ago in order to understand your consumer preferences today? Almost certainly not. So a good place to start, in beginning to reclaim our electronic privacy, is regulation of commercial entities’ retention of data. A persuasive piece of legislation could require these entities to purge all digital user data (including messages sent, websites visited, records of individuals called, and geolocations) that is more than five years old if the user is not explicitly storing it. Over time, as commercial entities’ algorithms for understanding consumer preferences improve, the amount of data that these entities can retain about their users could be further constrained.

It goes without saying that such a measure would fall far short of solving all the concerns we have about digital privacy. But the conversation about digital privacy in the twenty-first century has to begin somewhere, and having legislation that constrains the NSA get shot down year after year seems like a poor way to begin that discussion. Legislation aimed at commercial entities is more likely to pass, and placing constraints on these entities can begin both to reclaim a small part of our digital privacy and to establish our expectations at a time when it is no longer clear what “privacy” means.

Daveed Gartenstein-Ross is a senior fellow at the Foundation for Defense of Democracies, and an adjunct assistant professor in Georgetown University’s security studies program.