If they're sending hashes of the data rather than the data itself, they could quite easily argue that it's not "personally identifiable information" (remember that data protection only covers certain things).

On the other hand, if they want to know if you have visited a certain site, they can just hash the domain name and compare it to the hashes that were sent over, so the privacy is just illusory.

Yeah, for my company I have to comply with some serious regulations over what I can do with customer data, what I can collect, etc... I can't imagine that ripping a customers entire web history is anywhere near compliant.

When I think about how much work I do on home machines with Steam installed, I can't even begin to imagine how much of a security breach this could be at larger companies.