When taking a quiz on Facebook leads to an unknown analytics firm gathering information on you, your friends and your family, the uncomfortable truth starts to settle in: There's almost nothing you can do online without digital eyes following you.
Trackers have long been widespread across the internet, with advertisers and social networks collecting as much information on you as possible. Even when you create an account with almost no personal details on it, it doesn't take long for a company to relearn everything about you.
The only difference now is we're starting to open our eyes to all of it.
Suddenly, we're much more aware of how our data is being collected without our permission. Awareness has gone from an obscure band only a few friends knew about to the Grammy-winning tune you can't get out of your head -- it's everywhere. The number of consumer complaints over privacy issues sent to the Federal Trade Commission jumped by more than 14 percent to 8,000.
"In 2018, we really do view it as the year where there was a reckoning with privacy practices across the industry and people waking up to these concerns," said Marshall Erwin, Mozilla's director of trust and security.
With that momentum, advocates, tech companies and lawmakers see an opportunity for real change -- beyond just changing your own privacy settings.
People are flocking to privacy tools online that block trackers following your every click, companies are hiring more privacy experts, and politicians are fighting for legislation to force companies to be more open about how they use your data.
Winds of change
Facebook's mission statement since 2017 has been to "bring the world closer together."
With its Cambridge Analytica scandal, Facebook did just that. Privacy experts pointed to this incident as a unifying moment that put data concerns in the spotlight.
The UK data analytics firm gathered data on 87 million people without their permission, using an innocent-looking personality prediction quiz. That information included access to a person's profile, location and likes, as well as data on friends linked to the account.
Facebook's scandal hit home in many ways that past data misuse didn't. The social network is a household name used by almost everyone on a daily basis. The shock also came from Cambridge Analytica's political ties: The firm worked with the Donald Trump campaign and with Sen. Ted Cruz's campaign during the 2016 presidential election.
"The Cambridge Analytica story was a rude awakening for a lot of people," said Omar Tene, vice president of the International Association of Privacy Professionals.
These experts aren't the only ones seeing a positive side to more people being aware of privacy issues. Facebook is too.
"We think it's a good thing that people are more interested in using privacy controls and managing their information online," a Facebook spokesperson said in a statement. "In 2019, we want to keep making sure people know about the controls they have available and how to use them."
While Cambridge Analytica was the biggest event, other privacy mistakes throughout the year continued to grow people's concerns. Reports found, for instance, that Google's services tracked and stored people's location data, even if location history was disabled, while lawmakers learned that wireless carriers were selling real-time location data from your phones to tracking companies.
When reached for comment, Google pointed to a September blog post from its chief privacy officer, Keith Enright.
"People deserve to feel comfortable that all entities that use personal information will be held accountable for protecting it. And we believe that regulation can support a dynamic marketplace for businesses of all types and sizes," Enright wrote in the post.
Wireless carriers including T-Mobile, Verizon and Sprint didn't respond to requests for comment. AT&T declined to comment.
While the laws apply only to the EU, tech companies with a major global footprint changed their policies across the board. This gave users more control over how companies collect their data.
Along with more people becoming aware of privacy issues online came an increased desire to control their own data.
Analysts at Forrester Research found that 79 percent of US adults were using at least one privacy tool online this year. A Pew Research study also found that more than half of Facebook users in the US adjusted their privacy settings after the Cambridge Analytica scandal.
Privacy tools have been available online for quite a while, but there's been a spike in traffic over the last year, developers found.
DuckDuckGo started as a privacy-focused alternative to Google in 2008, offering a search engine that didn't track people around the internet. Its traffic had steadily been growing since, but it boomed in 2018 as Facebook's privacy issues blew up, said Gabriel Weinberg, CEO and founder of DuckDuckGo.
He compared the spike in traffic to what happened after Edward Snowden's revelations in 2013 about the NSA's surveillance.
"If you had two points of data that you wanted to mark, I would mark Snowden and 2018," Weinberg said. "Snowden got the awareness and people to care, but not to act. 2018 made people want to act. 'OK, this is real. My information got leaked. I'm getting targeted.'"
From 2015 to 2017, searches on DuckDuckGo steadily increased by about 1 billion every year. By November 2018, the number of searches jumped by 3 billion over last year.
"The last three months alone, we gained almost 50 percent," Weinberg said in November. "It used to be 50 percent for an entire year."
In the wake of the Cambridge Analytica scandal, Mozilla announced a Facebook Container extension for its Firefox browser, which blocked the social network from tracking people across the internet. The tool was a massive hit, Erwin said.
"We saw demand for that add-on, and the add-on itself drove a lot of Firefox downloads," he said.
Adjusting the sails
Tech companies were fully aware of the tides turning in the public's focus on privacy issues.
In June, for instance, Apple announced new privacy features for its Safari browser, which would block web trackers from following people online.
Apple CEO Tim Cook has been at the forefront of privacy discussion, as the first tech executive to openly call for a US data privacy law.
"Our own information, from the everyday to the deeply personal, is being weaponized against us every day," Cook said at the European Parliament in October. "We shouldn't sugarcoat the consequences -- this is surveillance. This should make us very uncomfortable, it should unsettle us."
The changes aren't limited to Apple.
Before Pokemon Go's boom in July 2016, the Pokemon Company didn't consider itself a tech company. Sure, it had its line of video games, its trading card game and its animated series, but it didn't have data on every single person that indulged in Pokemania.
Then Pokemon Go arrived, giving the company data on more than 800 million people, including names and location history.
While millions of people continue to play Pokemon Go, it's provoked privacy worries from the beginning. When the game debuted, then-Sen. Al Franken wrote a letter to Niantic Labs, which developed Pokemon Go, demanding to know what data it collected and shared.
The company hired John Visneki in May 2017 to serve as a data protection officer -- almost a year after the game released. The Pokemon Company recognized a growing demand for privacy protection from players, he said, and also knew just how sensitive the information it collected was.
"Privacy isn't something that's just a rainy day fund, or something we do because there are fines associated with it," Visneski said. "We believe it's our customers' rights, and it helps us as a business."
Since Visneski joined Pokemon, the IT team has expanded from 10 people to more than 100, many of them working on security and privacy, he said.
That trend goes across the industry.
In the last year alone, the International Association of Privacy Professionals picked up more than 20,000 members, according to Tene. The group has 45,000 members in total, he said.
"Once something transforms and crosses the divide from a niche industry topic to driving the agenda for the biggest company in the world, then yes, privacy awareness has arrived," Tene said.
For most people, platforms like Google and Facebook are often too convenient or ingrained into their social life for them to up and leave.
Companies know user backlashes don't last, and it's why you often don't see much change.
"If you want to see real changes for consumers, it'll have to come from regulations," said Bénédicte Dambrine, a privacy counsel for OneTrust, privacy management company. "The only way to make things better for consumers is for companies to change their practices, which regulations would force them to do."
It's why GDPR had such an effect on your privacy settings. It's also why tech companies have now changed their stance on regulation, supporting the push for laws but hoping to shape how they look.
"Google welcomes this and supports comprehensive, baseline privacy regulation," Enright said in Google's framework for privacy legislation.
While experts say regulation is the best-case path to real change, the downside is that legislation takes time to pass. You won't see these changes in privacy policies immediately, but 2019 could be a good starting point.
Sen. Jerry Moran, a Republican from Kansas, said at a hearing on Nov. 27: "It has become clear the US needs a federal consumer data privacy law."
He's working on a bipartisan privacy bill with Sen. Richard Blumenthal, a Democrat from Connecticut, which they hope to pass in 2019.
The advent of a federal privacy bill would've seemed impossible just a year ago, Weinberg said. Privacy groups would tell the DuckDuckGo founder that it was a "waste of time" back then.
"We talked and backed off any work on it because it seemed completely impossible," he said. Now DuckDuckGo is a major supporter of Sen. Ron Wyden's proposed privacy bill, which would include potential jail time for CEOs involved in data breaches.
Privacy isn't an issue that'll just be forgotten, thanks to breaches and data abuse scandals that continue to surface. Once you've seen what companies can do with your data, you can't unsee it, Weinberg said.
While 2018 got everyone aware, 2019 is looking like a good starting point for getting legislation passed.
Until then, feel free to change your own privacy settings.
CNET's Holiday Gift Guide: The place to find the best tech gifts for 2018.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at nght.