QuickTake

GDPR, or Why Privacy Is Now Stronger in EU Than U.S.

The European Union’s stringent regime governing how data collectors gather and use its citizens’ information, and giving consumers more control over it, took effect Friday. It’s known as the General Data Protection Regulation and covers any company that holds EU residents’ personal data. That means businesses from neighborhood restaurants and hotels to Amazon and Google have been scrambling for months to make sure they comply and avoid penalties that can go as high as nearly $25 million or 4 percent of global annual revenue -- a hefty sum for the likes of Facebook. The social-media titan endured a tough round of questioning just days before the rules took effect from EU politicians demanding to know how it will apply them.

Companies have to post clear notices for users and get their “unambiguous” consent to collect data, instead of burying an OK inside fine print and legal jargon. That means the EU no longer tolerates the confusing “terms and conditions” that must be agreed to while signing up for a fitness tracking app or ordering groceries online. (Whether you’re actually seeing all the emails and absorbing everything in them is, of course, up to you.) The new rules are also supposed to make it easy for consumers to refuse to have their data used for direct marketing purposes, as well as to retrieve their data and give (or sell) it to another business. Collection of data on children under the age of 16 without parental approval is banned.