The European Union's new rules on data protection and privacy took effect last week. While the General Data Protection Regulation (GDPR) is designed to protect EU residents, its impact is being felt globally. Netizens everywhere have been receiving email informing them of the new regulations as companies that engage those customers must now manage data in new ways. The GDPR is no panacea — much depends on its interpretation and implementation — but it is an important step in the protection of privacy and rebalancing the relationship between firms and customers.

Digital foot- and fingerprints are large and growing. Every time you visit a website or input information into a browser, a record is made and stored, often on your computer — the ubiquitous "cookie" — and more often on the server of the company you visited or the entity that hosted that website. Those records quickly accumulate and together they yield an extraordinarily detailed profile of each user. Traditionally, that data belongs to those companies and the user has no right to it, and often no knowledge that it even exists.

In theory, that profile helps improve the user's experience in cyberspace. Search for an item and suddenly ads on web pages relate to that search. For many users that is convenient; for others, it is creepy. When that data is used to create personality profiles that enable "psychographic microtargeting" — identifying the best ads to "punch buttons" and manipulate readers, as Cambridge Analytica purported to do — then it gets sinister.