I think there’s a difference here where there’s a reasonable expectation of privacy, and where there is not. Out on the sidewalk, you don’t have one. Selling someone’s CC is a violation of contract law because you do have an expectation of privacy there. So, we have to be very clear, what kind of data are we talking about? “Sharon Thomas visited this site, looked at these items, spent 14.2 seconds looking at that item, then clicked on this link,” I think, is not something you can expect privacy from.
However, there are some things I do think you have an expectation of privacy from, which is the collation and sale of personal information that the customer enters into the site for the purposes of business with that site, like the collation names with addresses, driver’s license numbers, social security numbers (or whatever local equivalents), etc. Another thing is that, and I don’t know if I’m 100% right here, but I believe that when you visit a site, even by typing an address into the address bar, the site you’re visiting is told, by your browser, what site you’re coming from. That doesn’t make sense to me, and that’s not a thing that should exist.
Nonetheless, I don’t think the GDPR is a good fit for addressing any of these issues.
I think there’s a difference here where there’s a reasonable expectation of privacy, and where there is not. Out on the sidewalk, you don’t have one. Selling someone’s CC is a violation of contract law because you do have an expectation of privacy there. So, we have to be very clear, what kind of data are we talking about? “Sharon Thomas visited this site, looked at these items, spent 14.2 seconds looking at that item, then clicked on this link,” I think, is not something you can expect privacy from.
However, there are some things I do think you have an expectation of privacy from, which is the collation and sale of personal information that the customer enters into the site for the purposes of business with that site, like the collation names with addresses, driver’s license numbers, social security numbers (or whatever local equivalents), etc. Another thing is that, and I don’t know if I’m 100% right here, but I believe that when you visit a site, even by typing an address into the address bar, the site you’re visiting is told, by your browser, what site you’re coming from. That doesn’t make sense to me, and that’s not a thing that should exist.
Nonetheless, I don’t think the GDPR is a good fit for addressing any of these issues.