Beyond the law, her organization has proposed a number of moves the industry could make to educate consumers about how their information is collected, and give them more control over advertising that is targeted to them online. The IAB has proposed an opt-out system, similar to the Do Not Call list for telemarketers, but applied to all behavioural advertising on the Web.
"The industry is doing its best in a rapidly changing environment," Ms. Gignac says. She argues that there's no cause for alarm. "If you really see what a cookie looks like, it's unintelligible," she says. "There's no identifying information in a cookie," such as a name, phone number or address.
But PIAC's Mr. Lawford points out that consent with regards to behavioural targeting is also a problem when children are the ones visiting websites. As with any user, their clicks and movements can be analyzed to determine their interests, and they can be targeted.
"They have potential to build a profile on someone before that person's developed the personality they're going to have," he says.
HIDE AND SEEK? GAME OVER
There is another option available to users - call it re-anonymization. But it's becoming harder and harder to do.
Traditionally, websites can detect where a user is coming from because the request to view a page comes with the user's IP address. However, there is software that is meant to disguise that information from sites. A program called Tor, for example, routes the user's request through its own internal maze first, so the website sees only the request from Tor, not the original user.
It's not perfect, but using a system such as Tor restricts access to many of the bits of information the Electronic Frontier Foundation managed to collect during its research study in January, and cuts down on marketers pinpointing consumer data.
However, there are powerful opponents to this kind of anonymity software, and they aren't online advertisers; they're security agencies. Simply put, the same technology that allows people to maintain their privacy online also makes criminals tougher to catch. As such, there is a push to limit anonymity on the Web.
A perfect example is Research In Motion's BlackBerry. For years, big businesses have purchased the devices in droves because of their strong encryption, which makes messages sent from BlackBerrys much more difficult for outside parties to monitor. But now, a host of countries are threatening to ban BlackBerry services precisely because RIM keeps the data too private.
The Indian government, for example, is threatening to shut down RIM's enterprise-grade devices and its BlackBerry Messenger service by the end of the month unless the company gives state authorities access to the data. The Indian position was prompted at least in part by the fact that some of the perpetrators of the 2008 Mumbai attacks communicated using the devices.
Within Internet security circles (those charged with stopping cyber-criminals), there is growing talk about issuing virtual "passports" online, according to Ronald Deibert, director of the Citizen Lab.
"There is this pressure bearing down on anonymity with the coming securitization of the Internet," Mr. Deibert says. "The irony is that a lot of those [security agencies]themselves use anonymity services."
Many of the same tools that enable privacy online are also helping criminals organize the largest theft and fraud rings in history. Mr. Deibert, for example, divides his time between working with dissidents who are trying to communicate with one another without getting caught, and working to catch cyber-criminals trafficking in stolen credit cards and other such data.
It is difficult to conceive of too many ways to empower or restrict one side without doing the same to the other.
He adds that anonymity is almost never entirely possible, since there are always chunks of personal data floating around on the Internet. Think of all those networking sites that build profiles from searchable information on the Web; think of all those times a friend tagged you in a Facebook photo without your permission.
"There are traces of us everywhere [online] some of which we don't even generate," Mr. Deibert says. "There are digital doppelgangers of us all over the place."