It's not a secret that if you're an researcher, you can get ISP traffic for your research. It is (or at least should be) anonymized, however.
Suprise? Rather not. What's more, the thing is rather not regulated in most countries, there's also nothing about that when you subscribe for your Net access. It seems logical. Website-based tools do not give very acurate results, because you can deal with them using Adblock and such things. The request that come from your machine... That's another source for analysis and a very good one.
Then we come to EU data retention, which does look like a distant subject, but it is not. What is the data to be stored under the retention law? The same thing that I think is sold (probably in slightly more aggregated form). That rises an concern about the use of the stored data. Having it on the disks will make it much easier to sell in huge volumes and also run certain data mining techniques and then sell the results. With or without notifying the users. Legally or not. With such amount of data (in Poland the project has 5 years of mandatory data storage, when EU max is 2 years) it's easy to imagine that the data will leak. What we currently have may be just a start of that.
Should the users be notified that their habbits, even websites they visit are (or will be) monitored? I think they should. Clearly notified.
The defence is encryption. Unfortunately not so many sites support it (banks and financial institutions are exceptions here). Also, there are sites where passwords fly unencrypted, sometimes even clearly in the URL line. Trying not to use sites without even basic security is quite hard. Every unencrypted action (most of web browsing, many IM messages, emails etc) just travel the Net in plaintext. Are you aware of that?