[JohnFen]

That would be insufficient for a number of reasons, including that even if you only collect non-PII (and don't let's get started on what "PII" actually is), if you collect enough of it and correlate it in databases (like ad companies do), then it's all personally identifying.

But I think that's not the main reason it's not sufficient. The main reason, in my view, is because it's still companies spying on me, my machines, and/or my use of my machines. Even if the data is genuinely anonymous, if you don't have my informed consent then collecting it is spying and unethical.

If we're going to have regulation (and it's increasingly looking like any solution will have to be), then the regulation should be about the collection of the data.