It’s not a U.S. law, but the GDPR applies to all companies, located anywhere in the world, that offer goods or services to EU residents, or that monitor online activities of people in the EU. As a result, many large multinational companies have chosen to comply with the GDPR worldwide, rather than trying to differentiate between customers and users located in the EU and elsewhere.
Although the GDPR is in many ways similar to the EU’s previous privacy rules, it offers the tantalizing possibility of giving people real control over their data for the very first time—though it might take years to sort out.
Like many privacy rules, the GDPR is based on the principles of notice and choice. A company that wants to collect your personal information must first give you notice about what data it proposes to collect and what it plans to do with it. You then choose whether to allow the company to collect the data. The concept is part of the Fair Information Practice Principles, a set of privacy guidelines first formulated in a 1973 federal report that now form the basis of many privacy regulations in the U.S. and abroad.