We are frequently asked how, during our recent tenure at the Federal Trade Commission, we came to create the National Do Not Call Registry, one of the most popular government actions ever undertaken. The answer lies in our search for an approach to regulate the exchange of consumer information in commercial transactions. Information exchange is the currency of the modern economy. The growth of the internet, and the resulting new possibilities for collecting, storing, and exchanging information, have sparked a renewed interest in privacy and the ability of consumers to control the use of information about them. We argue that information exchange is valuable and that regulators should be cautious about restricting it. The traditional approach to privacy regulation, based on the so-called fair information practices (FIPs), is inadequate. Instead, we argue, government should base commercial privacy regulations and policies on the potential consequences for consumers of information use and misuse. This approach focuses attention on the relevant questions of benefits and costs, and offers a superior foundation for regulation. It was this approach that suggested there would be large consumer benefits from Do Not Call. Finally, we apply this approach to privacy to the growing problem of breaches of information security. Companies with sensitive information about consumers that, in the wrong hands, could harm consumers should be expected to protect that information in ways that are reasonable and appropriate given the sensitivity of the information.