I have three points in answer to your question. I agree with everything Dr. Geist just said.
The first point is to put in place hard limits where we can. For example, when it comes to protecting children and seniors, just say in the act under subsection 5(3), which is already a hard limit but is vague, that it include no marketing of children or seniors; no collection, use, or disclosure of personal data of children and seniors for marketing purposes. That's already in the marketing industry's code of conduct. Put it in the legislation.
The second point is on real consent. As Dr. Geist said, forget this fiction of negative-option consent. Require express opt-in consent for all non-essential uses of customer data, including marketing. What I found in my research is that companies across the board are now including marketing as one of their primary purposes of collecting our data in order to provide the service we've asked them to provide. They are now treating marketing as a primary purpose. They're certainly not getting express consent. In many cases they're not even getting negative-option consent; they're not even letting us opt out of that.
The third point is on order-making powers. As Dr. Geist said, penalties should be easy to impose. Penalties should not require intent, proof of intent, and quasi-criminal proceedings, but should be administrative monetary penalties such as what the anti-spam law is using.