You don't need to make IP logging illegal to make collecting user info that's not absolutely necessary to a transaction illegal, and to make selling or using any necessarily-collected data for anything other than e.g. auditing or further service to the transaction (returns, say) also illegal. I don't know how this became about Apache logs or whatever.
[EDIT] my point is there's a ton of info being collected that goes way beyond web server logging, so I don't know how this became about why all this is impossible because server logs are a thing.
"absolutely necessary" does not mean anything. For example, tracking in banking systems has very good justifications such as fraud detection. That alone means banks have a blank check to connect tons of features about their users, and not for nefarious purposes.
[EDIT] to your EDIT point: even with server logs you could start building user tracking and if your net is large enough you can derive a massive amount of data just from that. Pattern analysis, sites/services users connect to, geolocation, etc... even without the most sophisticated tracking systems this is already good enough to build business value.
Cool. Can't sell it, can't leverage it against users (e.g. use it to select which products to try to sell them). If you're doing that on any significant scale it's gonna leave a hell of a trail and enough people will be involved that it'll be found out.
"waaaah but we need to share it with 'partners'" hahaha OK whatever, but bet you don't though. Illegal. Figure it out. Bet you can.
You forgot another vector of how companies monetize user data: using it to train ML models.
You don't need to keep the data long-term (though it would be more profitable if you could). You can still get a lot of value using the data to train an ML model, then use that model to build valuable decision-making systems, which few other companies could produce.
Oh, yeah, definitely that should also be illegal. If you want to train an ML model you should have to pay directly for that data, not in connection with any other service or product. The current system means every successful monopolist is also a de facto nigh-unassailable leader in ML, which clearly sucks. "Create or buy a massive spying service" shouldn't be a necessary step 1 to realistically competing in consumer- and human-focused ML.
I disagree, many times the very reason I gave the company my data was to leverage their ML capabilities. For example, the only reason I gave LinkedIn my data was so they could find me better jobs. No one would have bothered if it were just a glossier version of Craigslist.
Plus, banks training models for fraud detection has an obvious benefit to everyone.
[EDIT] my point is there's a ton of info being collected that goes way beyond web server logging, so I don't know how this became about why all this is impossible because server logs are a thing.