Looking at the Consumer Privacy Bills of Rights language (Accordified), I see a framework that is aspirational, but it's still pretty familiar. It doesn't have a lot of needed specifics (as the author seems to agree).
As I've been pointing out for a while -- I may have shared my Nov 2016 Gartner talk on this subject at some point in a WG or legal subgroup call; see attachment for a relevant snippet -- we already have lots of sets of privacy principles.
Also, its enforcement provisions have no private right of action; it would all be down to a government agency, somewhat EU GDPR-style, which wouldn't be my preference. It was my understanding that it's the different bases for privacy rights in the EU vs. US, human vs. property rights, that leads to the GDPR enforcement regime. Maybe somebody can explain why I'm wrong...
GDPR, of course, starts to get into what my talk called "sharper-edged criteria", deciding numerical boundaries and such (breach notification deadlines! fines! what consent means!), which of course is where arguments tend to crop up. That's where the US would have to go to have something meaningful.
I do think and hope that the UMA business model -- suitably abstracted away from UMA technology as required -- could usefully influence legislators and regulators when it comes to identifying some of the necessary sharper-edged criteria. As we noted on the last WG call, "...UMA can provide value in separating 'personal information' services from 'protection' services" -- and most laws have no conception that this is even possible or important.
p.s. You can check out my Identiverse slides on how consent needs to be retooled for IoT and the connected car era, involving UMA and IRM and potentially even AI, here. (Worth uploading this to the UMA wiki home page?)