Facing mounting criticism after news broke that his company shared users’ data with political consulting firm Cambridge Analytica, Facebook CEO Mark Zuckerberg has said in recent days he would accept some federal regulation.

The question is what sort of rules or legislation would even begin to address the authorized data sharing that appears to be at the heart of the Cambridge Analytica case.

Zuckerberg has suggested it would be sufficient for Congress to treat advertising on Facebook like political advertising on television and radio.

“On the basic side, there are things like ads transparency regulation that I would love to see,” Zuckerberg told CNN in a March 21 interview. “If you look at how much regulation there is around advertising in TV and print, it’s just not clear why there should be less on the internet. You should have the same level of transparency required.”

But that kind of legislation does nothing to address the practices now under scrutiny. Facebook allowed a researcher to run an app on the social media company’s platform that eventually gathered information on 50 million users.

Dozens of bills in Congress address data breaches, but they pertain to deliberate hacking and stealing of information, such as the breach in the 2017 Equifax case when the credit-rating company lost data on 145 million Americans.

Watch: Rich Uncle Pennybags Look-Alike Trolls Equifax Hearing

“We focus much more on breaches that look like car accidents than situations where you let someone drive a car and they did something to the car,” said Lee Tien, a senior staff attorney at the Electronic Frontier Foundation.

The Facebook case is also complicated by how little we know, beyond the details revealed by news reports, about the data Facebook may have shared with other developers, Tien said.

It will take time to write legislation that not only addresses the questions posed by the Cambridge Analytica case but also covers other industries, technologies and social media companies, Tien said.

Authorized sharing of individuals’ information routinely takes place in the health care industry, where patient data is accessible beyond doctors and insurance companies, he said. “Now you have another layer of questions: Has anyone else done what Facebook did?”

[Stormy Daniels Is No Kim Jong Un]

When it comes to privacy legislation, social media companies such as Facebook may throw their support behind weak federal bills in order to preempt tougher state laws, Tien said.

Massachusetts Attorney General Maura Healey announced this month that she has launched an investigation into the Facebook-Cambridge Analytica data-sharing case.

Even if tighter rules and laws are written, weak enforcement could render such regulations meaningless, Tien said, noting that the Federal Trade Commission, which is supposed to oversee technology companies, has seen its power steadily curtailed in recent years.

One of the quickest legislative responses from Congress could be to strengthen FTC’s enforcement capabilities, said Joseph Jerome, policy counsel at the Center for Democracy and Technology.

FTC could be given fine-imposing authority as a way to enforce consent decrees relating to protection of users’ data that the agency has reached with technology companies such as Facebook and Google, Jerome said.

[Overview: Where the Omnibus Money Is Going]

In 2012, the FTC reached a settlement with Facebook in which the social media company agreed to safeguard the privacy of its users’ data and also to conduct a third-party audit every two years on compliance with the consent decree.

But companies like Facebook end up having enough flexibility to interpret what an audit entails, and such watered-down assessments are not even made public by the FTC, Jerome said.

Eventually, the United States may have to move toward legislation like the European Union’s General Data Protection Regulation, or GDPR, which goes into effect May 25, Jerome said. The new rules govern all major technology companies operating in the 28-nation EU bloc and are designed to protect the personal data and privacy of its citizens, as well as any export of EU citizens’ data outside the union.

Instead of mandating every step of how companies communicate data-sharing practices with their users, a U.S. data privacy law could act as a legislative backstop guaranteeing basic transparency while allowing companies flexibility to try different approaches and offering incentives to go beyond the bare minimum, Jerome said.

Crafting legislation that would apply to all technology and social media companies without undoing their business models, which rely on customer data, could take some time.

In excerpts from an interview set to air on MSNBC, Apple CEO Tim Cook nods to the inevitability of new rules: “I think the best regulation is no regulation, is self-regulation,” he said. “However, I think we’re beyond that here,” referring to the Facebook’s data practices, adding that the company should have curbed its sharing of users’ personal data.

There is an emerging consensus for more regulation, Tien said. “You know the direction you want to head but not the exact path you want to take, which freeway you’re going to use, and how you’re going to navigate” toward such legislation, he said.