The European Union's privacy law., and your email inbox has been slowly choking on alerts about the new
Using information about your browsing habits -- including products you've shopped for, websites you've visited and search terms you've used -- companies can make informed guesses about your age, location, marital status and, according to one infamous New York Times report, whether you're pregnant.
"The typical consumer has no idea how this happens," said Lorrie Cranor, director of the Carnegie Mellon Usable Privacy and Security Laboratory, who served as head technologist at the US Fair Trade Commission under President Barack Obama.
Cue the GDPR, a new law that gives EU residents more say in how their data gets used. The trouble is, the law doesn't apply to anyone outside of the EU.
Making inferences from your data
Privacy policies don't make it easy to wrap our minds around how data collection can affect us. To start with, many internet users don't understand how data collection tools work.
That's what researchers at Syracuse University and Sapienza University of Rome concluded after speaking with people who thought their antivirus software could stop websites and advertisers from tracking their browsing activity. That's reasonable, but it's also wrong.
Researchers and journalists have also found some clues as to how personal data collection can have negative consequences, intentional or not. They did it by creating fake ads and accounts, and seeing what tech companies did with the data.
Reporters from ProPublica, for example, bought housing-related ads on Facebook that excluded groups from Facebook-assigned "ethnic affinity groups." This appeared to fly in the face of housing laws that prohibit discrimination on the basis or race or ethnicity. The findings from seeing certain types of ads.
And researchers at Carnegie Mellon University created fake user accounts and collected information on Google display ads to see indications that men were able to view job ads that women couldn't. Google attributed the findings to factors that weren't based on gender, like an advertiser targeting websites visited primarily by men.
Cranor said companies don'tin order to know to know what they do about us. Good old-fashioned statistics can get number-crunchers pretty far in predicting your interests. Things can really heat up when you "add AI to the mix," she said, and that's when "you're going to see even more powerful predictions."
This is what has privacy experts like Cranor concerned.
New power in the EU
The GDPR could make things more transparent for residents of the EU. The law gives people the right to specify how they want their data used. That means EU residents can say, "Sure, collect my data, but don't use it to tailor ads for me."
They can also request copies of all the data a company has collected about them and ask companies to delete their data. The fines for breaking the law are steep -- up to 40 million euros or 2 percent of a company's annual global revenue, whichever is higher.
The law is prompting updated privacy policies for the rest of us outside of Europe -- and not a whole lot else. Yes, some companies including Apple, and have indicated they'll extend at least some GDPR-based rights to all their global users. But that's not the same.,
As Forrester analyst Fatemeh Khatibloo pointed out, the European Union isn't going to step in on your behalf if one of these companies doesn't live up to its promises.
"If you're on North American soil, GDPR doesn't apply to you," she said.
First published May 25, 5:00 a.m. PT
Updated, 11:52 a.m.: Adds information about internet user research.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Special Reports: CNET's in-depth features in one place.