Because the American credit reporting system relies on both good and bad reports of creditworthiness, a consumer must have some kind of credit—not just the absence of bad credit. (In some countries, the lack of a credit report can establish good credit). “The American system, on other hand, relies on total surveillance,” writes Chris Jay Hoofnagle in his primer on privacy law and the Federal Trade Commission.

From the end of the Civil War to the mid-20th century, the breadth and detail of information collected by the reporting agencies only increased. Control over the access to that information, however, did not seem to keep up. “People do not realize, for example, that their own credit files are accessible to virtually anyone who understands the workings of credit bureaus and has a few dollars to spend on a report,” said one study in 1969. And those credit reports contained personal information ranging from the deeply prejudicial to the utterly inane.

The reports were compiled using information from retailers, from the public record (court records, newspaper clippings), and from interviews with friends and neighbors. In 1972, a Senate aide testified before a committee about the type of information that was collected by the automobile insurance industry: “If they, in any way, have some deviant behavior characteristics, they wear pink shirts, or have long hair and a mustache, they read Karl Marx … They can look in your library and see what books you read, what magazines you subscribe to…”

Today FCRA is still at the forefront of fighting privacy violations—but the transition to the new frontier of digital privacy has not been a smooth one. In the 70s, FCRA looked like a white knight charging into the dragon of credit reporting. Today, it sometimes more closely resembles Don Quixote tilting at windmills.

The effect of letting someone sue without showing harm is obvious: It makes it really easy to sue. If you see the world in terms of privacy-invading behemoths that need to be slapped down by buccaneering class action attorneys, then that’s a good thing. But if you see a pack of over-litigious lawyers squeezing settlements out of Silicon Valley as the real villains, then of course it’s a bad thing.

Yet when it comes to privacy invasion, it’s difficult to show real life injury. LinkedIn leaks your password to the world. You change all your passwords, and so nothing happens. So what? Tracking links monitor your web activity. Someone at the other end collects that information, files it away, and never does anything with it. So what? Having to show harm, or not having to show harm, can make or break an entire genre of lawsuits.

But is this type of litigation actually doing any good? It’s a controversial question, for which there is no easy answer. Squint at these lawsuits from one angle, and you’ll see a privatized regulatory system that keeps data monsters in check. Squint at them from another angle, and all you see is a flock of vultures in suits, picking away at deep-pocketed tech companies.

We peer into a future where our software spies on us, our data defines us, and our hardware reinforces existing power imbalances. What’s slowing it down are a federal agency whose remedies often feel unsatisfactory, and a cohort of attorneys whose motivations are of course capitalistic. And while it’s tempting to simply call for more federal intervention, paternalistic impulses sometimes harm the most vulnerable among us.

Regardless, the status quo is not enough. Before FCRA, the credit reporting industry was limited mostly by the technologies they had access to. The bureaus could compile dossiers and accumulate lifetimes of information, but they couldn’t run algorithms on the entirety of this data. And in 1969, the “systematic collection” of information about people from newspapers and court records was “expensive and time-consuming,” whereas today data about people can be scraped automatically from the internet.

Combined with new forms of financial control over subprime borrowers exercised via the cars and devices they buy, creditors have at their fingertips a web of technological control over debtors. If left unchecked, the future of financial surveillance looks dark. If FCRA trimmed back the worst excesses of the last century of financial surveillance, perhaps it’s time to look to something similar, before it’s too late.