It’s no secret that companies like Facebook and Google scoop up personal information to serve users ads. But if anything became clear this year, it’s that consumers have a lot more to learn about what happens to their data online—how it’s gathered, who gets to look at it, and what it’s worth.

American corporations are expected to have spent over $19 billion this year acquiring and analyzing consumer data, according to the Interactive Advertising Bureau, from names and emails to the unique way we fumble with our smartphones. That info is used by marketers, advertisers, analysts, and investors for a host of purposes that remain largely opaque to the average person. In some places, seemingly irrelevant factors like the type of device you have, your email address, or the time of day you make a purchase may be used determine whether you qualify for a loan. Despite all the power and value this data can have, there are few laws in the US regulating the collection and sale of it.

Want more? Read all of WIRED’s year-end coverage

This year’s revelations about Facebook served as a wake-up call, starting with the Cambridge Analytica scandal. In March, news broke that the political firm improperly obtained the info of some 87 Facebook million users via a personality quiz app. It quickly became apparent that the social network had allowed a plethora of third-party applications to hose up the information of its users. (Facebook said it implemented new restrictions around user info, although a recent Times investigation revealed more than 150 companies still had access to data.) A backlash erupted among lawmakers, advocacy groups, and everyday users, and nascent movements like #DeleteFacebook were born.

Facebook, for its part, began emphasizing the word “control.” The company stressed that users have the power to see and adjust what information it can collect about them, but a series of reports this year suggest that’s not always the case. After Cambridge Analytica, people began downloading and examining their Facebook data and were surprised to discover the company had gathered things like private text message and call logs. (Facebook insisted that users have always had to opt in to provide this information.) That was creepy in itself, but the downloadable file Facebook provides is far from the only information it has on users. Gizmodo reported in September that Facebook uses information you never shared with it—but that might have been shared by someone else—to target ads to you. Even if you don’t have a Facebook account, the company may collect your information, it admitted in April, and there’s few ways to control it.

The problem goes beyond Facebook, of course. An AP investigation from August, for instance, revealed that Google continued to track users’ location even if they had selected a privacy setting that said it would prevent Google from doing that. (The search giant later revised how it describes the privacy setting.) Even when location settings are spelled out clearly, adjusting them may amount to very little in increased privacy. In May, The New York Times revealed how the prison technology company Securus could allow law enforcement to track people’s location, nearly in real time, without a court order. Don’t care if the cops know where you’re going? Well, it turned out that all four major US carriers sold your location data to companies you’ve probably never heard of, without your permission. (All four stopped the practice within weeks of the investigations.)

And of course, this is a privacy disaster in the making if any of these companies have security breaches—which they do.