The GDPR (General Data Protection Regulation) is the law governing the handling of personal data about individuals within the European Union (EU) and the European Economic Area (EEA). It took effect in 2018 and applies not only within the EEA but also to organizations outside the EEA that offer goods and services to individuals within the EEA or monitor these individuals’ behavior.
The GDPR is important because it has specific requirements you must follow in order to collect personal data, including specific notice language you must post and, in some cases, opt-in consents you must obtain before you collect the personal data.
The GDPR restricts what you can do with the data once you have collected it. It requires you to satisfy certain conditions in order to transfer personal data to countries outside the EEA, which can complicate things for multinational organizations.
The GDPR applies to almost all organizations within the EEA, with few exclusions. It even applies to organizations outside the EEA if they are offering goods or services to people within the EEA or monitoring these individuals’ behavior.
The GDPR is also important because it is being used as a model for privacy laws in other nations and jurisdictions, such as the recently passed California Privacy Rights Act (CPRA).