Here's the thing though, you realize you just described Walmart right?

I mean, the HN crowd probably doesn't overlap much with the market that Walmart serves with their financial services, but it's actually a significant portion of the american populace. For them, Walmart is the marketplace, the ad firm, and the financial services provider all in one.

So what everyone's asking is:

1 - why is there no attempt to go after Walmart? or big finance?

and

2 - why are we doing this anyway, because what we really want is a HIPAA-like law criminalizing the sharing of personal data for commercial purposes? Such a law would be more simple, and would stop more privacy violating behaviors in their tracks.

These are very reasonable questions, given the assumed intent of the proposed legislation.

Ideally this legislation would also prevent Walmart from minting their own currency or opening up their own bank (conveniently placed in their stores and available on their website). My understanding is that Walmart is more like Amazon-plus-physical-stores at this point; they do not yet provide their own bank. If they did, maybe they could be cast as a "tech company".

IMHO, the concern over privacy is _my_ concern; I'm not sure it's something this piece of legislation is worried about. Based on the article it seems like the concern here is more about Facebook creating their own currency and less about consolidation of people's private data. I would guess no one in government likes Bitcoin much and it's one saving grace is it's lack of widespread popularity among the general population. Facebook could conceivable make Libra so easy to use that it could turn into a real thing.

https://en.wikipedia.org/wiki/Arvest_Bank

which is owned by the Waltons. They only seem to be in Arkansas though, which is less scalable than the entire internet.

A thousand times yes! I am a free market kind of guy and your proposal fits with that philosophy because while I might do business with <some credit card or bank> I am not doing business with their “partners.” And, the term “our partners” that come with the privacy policies is so nebulous as to be worthless. Does <some bank> have a partnership with a flower delivery service? Maybe, I have no idea and no reasonable expectation that they do. So why can my data be sold to such out of scope “partners” under a generic consent. I should have the right to consent to each and every specific partner that the institution wants to sell my data to.

This is the Great Asymmetry, as it were. They want to be able to invade your privacy and capitalize on your information, but will raise all Hell against being forced to reveal anything that could give anyone else a leg up on them.

Until this is reconciled via either a return to a non-invasive business environment, I.e. companies collect only enough state to do business with you, and the norm is not to data share, or companies are forced to explicitly reveal who they are doing business with in order to get explicit permission, abusive data harvesting/sharing will win the day.