One thing i learned yesterday was a certain broken-ness in policy. Essentially, we punish corporations far more for unwelcome interruptions (phone calls, email, sms) than we do for exposing our personal information to others. I realize it's due to the question of "what is the harm," and it's clear what the harm is when we have been bothered. ("Hey, you bothered me!") With exposure of personal information, there's potential harm, but it's not certain.
This aligns with something i heard a year or so at an "internet law" presentation. What with all the data breaches that have happened, proving that it was a particular data breach that let loose your private information is hard. Thus systemic harms accumulate, placing more burden on individuals to vigilant against identity theft, driving up other costs, etc.
