MIT Technology Review

GDPR is finally here, and it’s already chaos

The General Data Protection Regulation, or GDPR, goes into effect today, threatening huge fines for businesses that abuse Europeans’ data.

The dos: From now on, companies everywhere must:

  • get EU citizens’ consent to collect their personal data and explain what it will be used for
  • let them see, correct, and delete it upon request
  • make it easy for users to shift their data to other firms

The don’ts: Companies must not ignore regulators’ requests to fix GDPR failings, nor take more than 72 hours to report a security breach involving personal data. Many still aren’t fully ready for the new regime.

The punishment: The worst offenders can be fined up to 20 million euros ($23 million) or 4 percent of their revenue from the prior year, whichever is greater. There are smaller penalties for less serious transgressions.

The panic: Some American media groups have already blocked EU users from their sites rather than run the risk of fines. The rules also have huge implications for social-media companies like Facebook, which has asked people to update their privacy settings. Privacy activists have already filed complaints against Facebook and Google.

Why this matters: Europe’s tough standards could influence how America and other countries shape their data protection regimes.

More background: Here’s the EU’s GDPR site; some implications for marketers; and an analysis of the new rules’ impact on publishers. And for fans of gamification, why not try a GDPR quiz?