There is, however, no dearth of proposed legislation attempting to treat our privacy ills. The Commercial Privacy Rights Act of 2011 (aka the Kerry-McCain bill) would limit the type of data companies could collect without permission and require opt-outs for the rest. The Do Not Track Online Act would require all online companies to honor do-not-track requests from Web surfers. There are bills aiming to limit how much data mobile apps can collect and what they can and can't do with location data.
But with Congress mired in seemingly perpetual gridlock, it's hard to find anyone who is optimistic about the future of these bills. However, we are likely to see a move to modernize laws that govern how law enforcement can access data stored online, says Justin Brookman, director of the Project on Consumer Privacy for the Center for Democracy and Technology.
For example, Congress is expected to modernize the Electronic Communications Privacy Act of 1986, increasing judicial oversight over law enforcement and treating data stored in the cloud the same as if it were stored on our personal computers.
"The ECPA should be updated," says Brookman. "Ultimately we need an overall privacy law built around Fair Information Practice Principles, one that provides for transparency in data collection, protections for sensitive data like health or location, and the right to control your information. In the short term, that's going to be a hard sell."
While the Obama Administration's proposed Consumer Privacy Bill of Rights is a good start, it's no closer to being law than when it was introduced more than a year ago, he adds. The White House has asked private companies to follow the principles outlined in the document, but they're under no obligation and will suffer no penalties if they don't.
Some privacy advocates look to Europe to lead the way. The European Union has traditionally taken a much tougher stance on information sharing than U.S. regulators, which in turn could force U.S. data collectors to choose between operating under two sets of rules or adopting the EU's more stringent guidelines.
"There is some cause for hope out of Europe," says Jonathan Mayer, a graduate student in computer science and law at Stanford University, whose research is focused on consumer privacy. "Some very high-level policy makers in EU member states really want to change the game when it comes to online privacy. We could become the beneficiaries of new EU privacy regulations, just as some scholars argue that Europeans have benefited from U.S. financial regulations."
Self-regulation: Moving beyond the minimum standard for privacy
Some argue the flip side: When it comes to data collection, the marketplace can do a better job of regulating privacy than technologically stagnant, one-size-fits-all legislation can. This system of self-regulation has largely ruled the Internet since it went commercial in the mid-1990s. Depending on your point of view, it's been either a dismal failure or a raging success.
For example, efforts to reach a compromise over data collection have proved fruitless. More than two years ago the Federal Trade Commission asked advertisers, advocates, publishers, and technology companies to come up with a voluntary Do Not Track standard everyone could live with. After more than 50 meetings of the W3C Tracking Protection Working Group, they are no closer to a consensus, says Mayer, who has attended nearly every meeting. Meanwhile, the number of companies tracking consumers across the Web has grown from nearly 800 to more than 1,300 over the past year, according to Evidon's most recent Global Tracking Report.