BREAKING NEWS: The GDPR has forced some U.S. companies to shut down their websites, or to convert them to plain text versions. Tronc, which owns the Chicago Tribune, Los Angeles Times and other publications, has blocked EU access to its sites, fearing fines for non-compliance with the new regulation. Other sites have redone their privacy policies and/or placed easy opt-out features on their home pages, including the Wall Street Journal.

If your company’s website can be accessed by people living within the European Union, there’s a good chance you may have to update your terms of service and privacy policy and make other modifications, especially if you sell goods or collect any kind of data in the affected countries. Please note: your business does not have to be located in the EU for your web presence to fall under the regulation’s purview.

gdpr-takes-effect-today-may-25Approved in April 2016, the General Data Protection Regulation (GDPR) becomes enforceable today after a ramp-up compliance period.

The GDPR is big on personal data and includes a revolutionary new principle that allows users of your website to request that you remove all data stored about them. This provision is known as the right to be forgotten, or the right of erasure. Requests for personal data removal can be made in writing or orally (by phone or in person).

For those firms that re-use, re-purpose or sell the data they collect, the GDPR places new restrictions: “Personal data should not be used for purposes outside of the original intended and specified purpose, except with the consent of the data subject or the authority of the law.”

Google, Amazon and Facebook, among other cyber-giants, have been gearing up for this challenge for several months now, as they are privy to hundreds of millions of users and their personal data, many in the EU.

While the EU is rushing to protect data, the United States is rushing to get its hands on data with a recently enacted piece of legislation. The Clarifying Lawful Overseas Use of Data (CLOUD) Act will effectively allow U.S. authorities to compel companies to provide requested data stored on servers regardless of whether they are located within the U.S. or in foreign countries.

Similarly, the EU is prepared to fine companies for violations of the GDPR, which can go as high as €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher. However, fines are seen as a last resort. You will first get a warning, then a reprimand if matters continue, capped by a suspension of data processing before a fine is assessed.

Enforcement begins today.

Read the full text of the GDPR.