I think an important part of the solution is to look at the purposes for which information is collected and used. It's one thing for an organization, a company, to collect and use data to provide a direct service to an individual. That is totally legitimate, and this is the type of practice that should be allowed. It's another for an organization to collect so much information, perhaps under the guise of some type of consent, that the end outcome is something very close to corporate surveillance.
I think it's important to distinguish between the two. There are a number of technical rules that are at play, but the idea that we should define privacy beyond mechanical issues like consent and so on and so forth and define it by regard to what is the right being protected, i.e., the freedom to engage in the digital economy without fear of being surveilled, is an important part of the solution.