Should there be a right to digital privacy?

I'm thinking something along the lines of the GDPR where companies must get consent to track you, and must delete your data upon request.

I see a few arguments here:

• yes, websites are like stores and have the obligations of a store to protect user data (IP address, HTTP headers, etc)
• no because the internet is "the commons," so no expectation of privacy (no expectation that the website follows your local laws)
• no because you're voluntarily providing the data, but you're well within your rights to block tracking attempts

So, some questions to spark discussion:

• does data collection violate the NAP?
• does sale of personal data (without a TOS in place) violate the NAP?
• if no to each of the above, is it worth violating the NAP to enforce a right to digital privacy?