On May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (GDPR) will usher in a new era of online data regulation. Due to the broad scope of the regulation, it may affect U.S. companies that have an online presence in any European Union member state.

Through nearly 90 pages of regulations, the GDPR outlines collection and use of “personal data” which is broadly defined as “any information relating to a data subject.” Personal data not only includes identifiable data such as names and contact information but also “online identifiers” provided by the users’ devices, application tools and protocols such as internet protocol addresses, cookie identifiers or other identifiers. Therefore, the GDPR applies even when an unregistered user visits a website and no financial transaction occurs.

Website operators who interact with natural persons (so-called “data subjects”) are “controllers” and their agents are “processors”. A “controller” determines how and why personal data is received and processed. A “processor” processes personal data on behalf of the controller. A controller must deal directly with natural persons by obtaining their consent, managing consent-revocation, and facilitating their control of personally identifiable information collected from them. Those persons are entitled to have that information corrected, erased (the “right to be forgotten”), or restricted. The GDPR also provides a right to sue a controller for non-compliance with GDPR.

The GDPR focuses on protection of consumers in the European Union. The GDPR attempts to regulate operators outside of the EU who are “offering of goods or services . . . to data subjects in the Union” or “envisage” doing so (as shown, for example, by use of EU languages or acceptance of currencies of the EU or its members).

The implementation and territorial scope of the GDPR will likely remain uncertain for years to come. However, due to the significant potential penalties (up to €20 million or 4% of the offender’s total worldwide annual turnover of the preceding financial year), a U.S. website operator that has EU visitors or users should take steps to modify its website, terms of use and privacy policy to ensure compliance with the GDPR.