The General Data Protection Regulation (GDPR), which came into effect on May 25th, has given startling insight into just how many people and organisations have or want our data.

Like everyone else in the EU, in the lead-up to GDPR I was swamped with irritating emails asking me to click to stay on someone’s email list (in most cases: er, no). For many of us, that email storm was the first inkling of the tangible positives of GDPR.

But the real eye-opener, for me, came when I clicked this week on a Twitter link to a story on the Huffington Post website. In compliance with GDPR, the Huffington Post, as part of parent media group Oath, revealed the extraordinary scope of just how many third parties – heretofore unknown to users – could gain access to their data.

Explaining that I would have to give consent to access their services, the message invited me to either say okay to everyone, or manage which third-party “partners” I wished to share data with to receive targeted ads (er, no). I counted a staggering 112 partners on the first list, of companies that adhere to the Interacting Advertising Bureau (IAB) Transparency and Consent framework.

But wait, there’s more.

There’s a second page of “advertising partners that do not participate in [the framework], but with whom we have direct contractual agreements around user privacy rights.”

There were 301.

So in the past, if I read a single Huffington Post story, 413 third parties potentially were granted access to my data, way off the scale of what I’d imagined.

Hooray for GDPR

To Oath’s credit, it has taken its GDPR duties seriously and has an extensive set of privacy pagesthat allows people to fine-tune how their data may be used (although the initial pop-ups are confusing, and imply people should just click okay and enable data sharing).

However, you can use sliders to manage each of these 413 partners (correctly, they all by default in off-mode, and I cannot imagine many would choose to turn them on). Somewhat laughably, alongside there’s a link to every single one’s privacy policies (who’s going to read all of those?).

But hooray for GDPR. The difference between May 24th and May 25th in the EU is that this kind of data sharing is now transparent (or is supposed to be).

A timely investigation and report out this past week from UK consumer advocates Which? provides further copious and alarming evidence of how widespread and opaque data gathering is by websites and the devices we own.

Think you’re just using your phone, TV or toothbrush? A Which? investigation found “a staggering level of home surveillance” from devices. One Samsung smart TV could connect to 700 different web addresses within 15 minutes of turning it on, and a Philips smart toothbrush passed on location data and – for no particular reason – could access your smartphone microphone. Security glitches in some devices, such as security cameras, meant they could be hacked.

Greater control

A related Which? report released on Tuesday calls for consumers to be given greater control over their data and “reveals a widespread sense of disempowerment” among consumers, who know their data is harvested by sites and services but may not conceive of the sheer scale at which this is done – as my Huffington Post experience reminded me.

“The majority of consumers envisage that the use of data about them is relatively generic, anonymised, and specific to a single transaction with a product or service. When learning more about data profiling, most are surprised about the extent and detail of their ‘digital self’,” notes the report.

“Most ordinary people have a poor understanding of how their data is collected, shared and sold,” Alex Neill, Which? managing director of home products and services, said in a statement that also calls for greater political awareness and improved transparency and oversight.

He adds that Facebook, Google and the others “have been able to take advantage of this knowledge gap to rake in data – and therefore profits – on an unprecedented scale.”

Meanwhile, in a separate development, the New York Times has revealed that over time, Facebook has had data sharing arrangements with “at least” 60 device manufacturers, including Apple, Samsung, Microsoft and Amazon, raising “concerns about the company’s privacy protections and compliance with a 2011 consent decree with the Federal Trade Commission. ”

Those connections will also prompt questions in Europe, with its greater privacy protections.

An even bigger question: as ever more of this covert data-grabbing insanity come to light, and is revealed by GDPR, how long will it be before US consumers demand the same rights Europeans now have under GDPR?