No sale of personal (even unidentifiable) data without consent coupled with no punishment for not consenting and a requirement of explicit affirmative consent.
Deletion of data upon request.
As a bonus third, retrieval of data on request.
I want those in that priority. I'd be pretty happy with just the first one.
I don't see your reason for downplaying the GDPR. That plus saying you're willing to forgo your second/third ask (deletion is paramount!) just feels like trying to bargain with the surveillance-industrial complex for something it'll accept. But most anything in that direction is just creating loopholes for the surveillance industry to nullify the intent of such law.
Your simple regulations sound great for the cases they address, but there are a lot of corner cases that the GDPR addressed that your "simple" requirements do not. For example, what happens when a surveillance company uses a third-party data processor outside the jurisdiction? That is not a sale, and yet the processor can proceed to do whatever they want. Or when a company insists that it has obtained indefinite "consent" by some claimed assent to a contract of adhesion, or as part of a contract with a third party?
The surveillance industry would love nothing more than to pass fig-leaf regulation that purports to create rights but actually just enshrines their regime into law while giving them further protections. That's precisely what they managed to do with the "Fair" Credit Reporting Act, which is why that segment of the surveillance industry has continued to spiral out of control, pushing nonsense like "identity theft" onto us.
The problem is that you can't just write those three things down on a single sheet of paper and call it a day. There -- unfortunately -- needs to be a lot of legalese that addresses various loopholes and edge cases, some of which will also increase the scope of the law/regulation. And so you either end up with something simple that's so riddled with holes that it doesn't work, or you end up with something like the GDPR.
The problem is that we'll have to consent to allowing the sale of our data just to use a service. From what I've seen, a statement to that effect is already in the click-through license fine print.