That is the point. Make it illegal, and not something that can be handwaved away by an EULA or TOS.

Or at least make it a liability on the balance sheet rather than an asset. Sure, you can store as much user data as you want. Oh, what's that, if it leaks you owe each user $10,000 under the new law?