Remember ChoicePoint? The company collects and sells consumer data, and in late 2004, it had to reveal that it had sold such data to an identity-theft ring. One of the first big data breaches, the thefts sparked calls for a national identity theft law. ChoicePoint paid tens of millions of dollars in legal settlements and fines. Rep. Rick Boucher (D-Va.), chairman of the House Subcommittee on Communications, Networks and Consumer Privacy (who convened the April hearings on behavioral advertising), says he will in the fall that would strengthen privacy protection. But such legislation has gone nowhere in the past.

The Obama administration could go back to the privacy activism of the Clinton Administration's FTC, worries Jim Harper, director of information policy studies at the Cato Institute in Washington, D.C. Under Robert Pitofsky, the Clinton FTC pushed for a uniform regulatory regime for privacy. Harper thinks today's policymakers should take their cues from consumers, and especially from the dialogue between Google, Facebook and their users.

From a regulatory perspective, therefore, privacy and data control questions are by and large open. In fact, right now German courts are considering whether an IP address is personally identifiable information that needs to be protected. No matter what the court decides, Milla thinks companies will eventually find that consumers do think their IP address is akin to their Social Security number. That will at the least force many companies to rethink their marketing strategies.

Whether or not legal prescriptions for privacy change, the cultural shift toward consumer control of personal data seems to be gaining steam. At the World Economic Forum earlier this year, MIT's Pentland called for a "New Deal for Data." He wants companies to acknowledge the power of consumers by acknowledging:

* Consumers have the right to possess their own data.