One of the major issues we are struggling with in this flood of data is the question of what data belongs to whom, and in particular how much access and control end users should have over their data (or, for that matter, what “their” data even means). In California, a “Right to Know” bill has been introduced that would require companies to let end users access what data has been stored about them and which third parties that data has been shared with. The definition of personal data in the bill is quite broad, “including inferences or conclusions drawn from other information” if those are shared with third parties. The bill has the support of EFF and the ACLU. Not surprisingly, over a dozen companies and several trade groups have come out against this, arguing that it would put an unreasonable burden on them.
I actually think this kind of regulation could be very helpful, even though there are some details that need to be thought through. For instance, it will generally be easier for large companies to comply with this, as they have more resources than smaller companies, so there might be some time period or scale threshold for which companies would be exempted. I also think it is critical that a completely electronic request (a button in the user’s profile or settings page) and electronic delivery in plain text or even something like JSON can be used to satisfy the requirement. The current draft still mentions such things as “addresses”, as if it should or could be possible for users to request this over the phone or by mail.
This kind of act could be particularly powerful in conjunction with another set of regulations that I would really like to see: legalizing personal internet bots. By that I mean a law that makes it clear that, as an end user, I can authorize a third-party service to interact with a service on my behalf. And if I have explicitly authorized the third-party service, then this cannot be a terms of service violation. The combination would allow for the emergence of third-party services that monitor information on my behalf across other services. This would be all that we need for market solutions to emerge around privacy. With the right amount of work, both of these bills could be quite concise.