If they're sending hashes of the data rather than the data itself, they could quite easily argue that it's not "personally identifiable information" (remember that data protection only covers certain things).
On the other hand, if they want to know if you have visited a certain site, they can just hash the domain name and compare it to the hashes that were sent over, so the privacy is just illusory.