What the heck is GDPR?

The European Union is about to roll out sweeping regulations governing how companies collect, use, and share people’s data. And it doesn’t matter where your business is based: if you deal with EU residents online, you’re going to be affected too.

The EU’s General Data Protection Regulation (GDPR), which goes into effect May 25, is designed to give users more control of their information. In total, there are 99 articles in the new GDPR laws. The law will require companies to obtain consent from users before collecting any data. GDPR also requires companies to notify regulators and affected individuals of any breaches of security within 72 hours. Companies that don’t comply with the new rules can be fined as much as 4 percent of their global annual revenue.

To date, the GDPR is one of the broadest and most comprehensive laws devised by a Western country to regulate the Internet and personal data privacy, according to Trevor Hughes, president of the New Hampshire-based International Association of Privacy Professionals. (The United States has only sector-specific laws to protect personal data.)

While the crux of GDPR is about putting the power of data back in the hands of consumers, giving users a better understanding of where their data is and what it’s being used for, for large companies it has resulted in a big bill. British firms have spent over $1 billion getting ready, and for American companies that bill is over $8 billion. And for many, that money is being spent on legal fees trying to navigate the vague regulations.

But what about smaller companies? As of January, only about 40 percent of businesses had heard of GDPR, and of those that had, only a quarter were prepared for it, according to a survey conducted by the University of Portsmouth and a U.K. market research firm.

Why it’s hot

GDPR is a big, complicated mess. Large companies like Google and Facebook, who make most of their money outside Europe, won’t have much to worry about. But smaller companies are already starting to shut European countries out rather than comply. It’s just easier. Looking specifically at Facebook, their year-over-year revenue growth is more than Europe’s percentage of Facebook revenue. Companies can either dump all their data or stop doing business in Europe.

One thing GDPR may do is kill the targeted ads business in Europe. That’s a big deal to smaller firms that cannot handle the drop in CPM. Facebook won’t have that issue. If anything, GDPR may only further entrench giants like Google and Facebook in our everyday lives.