Initially, developers likely didn’t consider what information was needed to run the app,said Alan Butler, senior counsel at the Electronic Privacy Information Center. Instead, they built their programs to collect all of the data they could possibly need.

But that is the wrong approach, Butler said.

Beyond the type of information collected, app developers need to determine how long the information will be stored and how will it be kept secure, he said. The more data that is collected and stored, the great the threat for data breaches, Butler said.

So what data is being collected? Well, it depends on the company.

Some companies, like cell phone providers, automatically collect consumer information such as called numbers, times of calls, locations and cellular data usage.

Cell phone companies are limited in acting on automatically collected data. Companies can choose to archive and never use information or discard it after a certain amount of time said Paul Rosenzweig, author of Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World.

With all of the information collected in addition to how frequently users bring their phones with them, Rosenzweig said, “your cellphone is you.”

Rosenzweig likened the process to something called the mosaic theory. According to the theory a collection of small data points can create a picture more representative than each piece of information individually.

Smartphones play into this mosaic by contributing to the information available about a user, especially one who chooses to use social media.Rosenzweig said a comprehensive image can be created of any individual, in part by just interacting with some of iPhone’s applications.

With data collection comes increased responsibility

The relationship that an iPhone user has with the company’s application is a business one.“Sharing is something we do in kindergarten,” Butler said. But when a user gives information access to apps such as Snapchat, they are doing so under the assumption that their data is going to be used properly.

But when it’s not, what then?

Ensuring companies are using data for the right reasons is not an easy task, Butler said. That’s why EPIC supports a strong consumer bill of rights, guaranteeing consumers online protections, he added.

President Barack Obama has supported such legislation since 2012, but none of his efforts have made it out of Congress.

The administration’s 2015 proposal is scaled back in comparison to its 2012 approach, EPIC said in a March statement.  Not only does the proposal lack adequate consumer protections but may also burden businesses, EPIC said.

EPIC has a code of fair information practices, which is rooted in five principles–no personal record-keeping systems can be kept private, a person must be able to find out information recorded about them, prevent it from being used incorrectly, amend incorrect  information and organizations with collected data must protect against its misuse. EPIC suggests crafting better legislation that aligns  with its code.

“This is a direct threat to the economic security of American families and we got to stop it. If we’re going to be connected, then we need to be protected. As Americans we shouldn’t have to forfeit our basic privacy when we go online to do our business,” he said.

According to research from eMarketer, more than 3 billion people will be Internet users in 2015.

David Inserra, a research associate specializing in homeland and cybersecurity at conservative think tank Heritage Foundation, likened cyberspace today to a jungle in warfare.

The jungle is neither inherently good or bad, but it can be used by both sides in the war, Inserra said. Whoever uses the jungle better wins, which for cybersecurity means information and data either can be either protected or lost.

During Tuesday’s State of the Union address, Obama is expected to further outline a proposal to create a national standard for companies to inform customers within a certain timeframe if their information has been compromised.

Forty-seven states already have data breach notification legislation.

Obama said he hoped a national standard would eliminate some of the confusion and extra costs surrounding multiple state policies.

Inserra said a national standard made sense and would be acceptable if it was not overly restrictive.

“Moving to a single standard is wise so long as that standard isn’t burdensome,” he said.

Mark Jaycox, a legislative analyst at the pro-civil liberties nonprofit Electronic Frontier Foundation, said an ideal law would ensure at minimum that a state attorney general could still act in accordance with his or her state law if it is tougher than the federal standard.

Obama also proposed legislation protecting consumer and student privacy.

Consumers should know what personal data is being collected by companies and be able to decide how those companies use their data, Obama said on Monday at the Federal Trade Commission.

His student privacy act would focus on protecting information of students who have to use technology to participate in classes at the elementary and secondary school level. Because students have to surrender some of their information to use the Internet for school, Inserra said, some level of protection is appropriate. He said it may be easier for businesses to have one federal rule that a number of different state rules.

Actual legislation detailing with the specifics of Obama’s proposals have yet to be released publicly.

Rep. Pete Olson, R-Texas, said in a statement Monday he is anticipating working on consumer privacy with the president but “the devil is in the details.”

“I agree that we need a federal standard for data breach notification, but we must take a balanced approach to protect consumers without putting unnecessary burdens on companies or hindering important uses of data.”

A number of companies have had national attention for recent data breaches: Target, Home Depot and Sony Pictures.

Five Things to keep in mind while watching the State of the Union

1. Cyber security is a leading issue: 2013 and 2014 saw data breaches at companies such as Sony Pictures, Target and Home Depot
2. The 114th Congress is controlled by Republicans: Obama’s hope of cybersecurity being a unifying issue may be unfounded.
3. Obama appears to be in good spirits heading to the State of the Union: At engagements this week, Obama seemed relaxed, even making jokes, a sign he is confident in his proposals.
4. Obama is proposing measures but no specific legislation has been released. What he’s mentioned so far are a national data privacy standard; free access to credit scores, a measure applauded by banks such as JP Morgan Chase and Bank of America; a consumer privacy bill of rights; and a student data privacy act.
5. A number of people and groups seem open to a discussion on cybersecurity, but the details surrounding Obama’s proposals will be a main thing to look out for during and after the State of the Union.