Indeed
"Yet each overlooks a basic fact: collection happens to be where the damage gets done. Passing laws to do something about it after the fact, while well-intentioned, does nothing to prevent the injury."
Precisely this. The Bad Thing is the collection of the data without the user's informed consent. What happens after the data is collected is a separate problem. I find it notable (but entirely unsurprising) that the businesses who depend on spying on people for their income like to pretend that the issue is all about what happens post-collection, and ignore the fact that it's the collection itself that is the problem.
Me? I prevent data collection (without my consent) to the greatest degree I can -- just as I prevent all other forms of attack to the greatest degree that I can. Collecting data about me or my machines without my consent is no different than any other form of malicious activity.