The GDPR in the EU and, to a degree, the new California Consumer Privacy Act, which will come into effect in 2020, offer us models for setting limits. One limit that you proposed is a limit on data retention. One interesting part about GDPR is the requirement to disclose the data retention duration at the moment of gaining consent. When you sign up for a service the requirement is, “we will hold your data for six months”, and you are learning that limitation at the moment of signing up and giving consent.
I think we have some good models now to work from to evaluate and to see how these limits are set. The other limits that my colleague Mr. Kint has been referencing—limiting use based on the context of collection and prohibiting uses across contexts—would be also important frameworks to establish. The key here is also enforcement. My experience working with the Information Commissioner's Office as well as the court system in the U.K. shows that enforcement of these limits is where the rubber hits the road.