NY Behavioral Advertising Legislation Floated


I just came across a bill introduced in New York which seeks to regulate behavioral advertising (2009 N.Y. S.B. 616).  When you read the preamble you get a sense that people may look back at what was drafted and cringe ("Recently, the state has enacted a series of laws to address problems arising from the ubiquity of the internet.") . . . . 

A few key provisions:
  1. Personal Information:  No collection of "personally identifiable information" for the purposes of "online preference marketing" - personally identifiable information which is consensually provided by the user is excluded. 

  2. Non-personal Information:  No collection of any other information for online preference marketing unless the consumer is given an opportunity to opt-out.

  3. Clear/Conspicuous Notice: A website and advertiser have to post clear and conspicuous notice about their privacy policy and data collection and use practices.
     
  4. Protection Against Breach:  Advertising networks are required to adequately safeguard information.

The million dollar question is what type of notice and opt-out is required for websites that collect non-personal information (zip code, websites visited, products bought) which is routinely used to target and fine-tune advertising.  Most websites that contract with network advertisers already have an opt-out link, but this is typically buried inside a privacy policy.  Amazon.com's link to the opt-out is here, for example. Other than saying that websites have to post "clear and conspicuous" notice, the bill does not offer a definition of what "clear and conspicuous" notice would be.

There is a New York statute which talks about what font size and placement is required in the context of a "consumer transaction," but this statute seems to apply only to printed agreements.  (NY CLS CPLR section 4544 (prohibiting use of evidence of a consumer contract "where the print is not clear and legible or is less than eight points in depth or five and one-half points in depth for upper case type").)  A similar California statute (the California Online Privacy Protection Act of 2003) contains some specifics as to what it means to conspicuously link to or post a privacy policy from a website.  [link]

We'll see where this legislation goes.  But it seems like we could be headed into patchwork state regulation territory.  And we all know what that means.  A great excuse for federal regulators to step in.
 
 