Google may be the first to formally make this link, but it is hardly alone. Among technology companies, the rush to create comprehensive offline profiles of online users is on, driven by the need to monetize online services offered free.

In practice, this means that we can no longer expect a meaningful difference between observability and identifiability — if we can be observed, we can be identified. In one recent study, for example, a group of researchers showed that aggregate cellular location data — the records generated by our cellphones as they anonymously interact with nearby cell towers — can identify individuals with 73 percent to 91 percent accuracy.

And even without these advanced methods, finding out who we are and what we like and do has never been easier. Thanks to the trails created by our continuous online activities, it has become nearly impossible to remain anonymous in the digital age.

So what to do?

The answer is that we must regulate what organizations and governments can actually do with our data. Simply put, the future of our privacy lies in how our data is used, rather than how or when our data may be gathered. Excepting those who opt out of the digital world altogether, controls on data gathering is a lost cause.

This is part of the approach now being taken by European regulators. One of the cornerstones of the European Union’s new regulatory framework for data, known as the General Data Protection Regulation, or G.D.P.R., is the idea of purpose-based restrictions on data. In order for an organization or public authority to use personal data gathered in the European Union, it must first specify what that data is going to be used for. The G.D.P.R. sets forth six broad categories of acceptable purposes, including when an individual has directly consented to a specific use for the data to when data processing is necessary for the public interest. If data is issued for an unauthorized purpose, legal liability ensues. The G.D.P.R. is far from perfect, but it is on to something big.

This method stands in stark contrast to the way data is protected in the United States, which might best be characterized as a “collect data first, ask questions later” approach. Sure, American technology companies disclose their privacy policies in a terms-of-service statement, but these disclosures are often comically ambiguous and widely misunderstood.

Many privacy advocates will no doubt find it hard to stomach that the way we think about protecting our data is outdated. But if we are to maintain the ability to assert control over the data we generate, we must also admit that our past ideas of what it means to be “let alone” no longer apply.