The General Data Privacy Regulation, or GDPR, goes into effect May 25 and will change how companies handle users' personal information online. Facebook has been heavily criticized for improperly handling user data in recent weeks following the Cambridge Analytica data scandal.
Notably, during CEO Mark Zuckerberg's lengthy testimony before Congress about data privacy and fake news, a photographer was able to capture a photo of Zuckerberg's notes, one section of which warned him "don't say we already do what GDPR requires."
Here's what you need to know:
What is the GDPR, and when does it take effect?
The GDPR is a new set of rules that the European Parliament approved in 2016. The regulation contains rules requiring mandatory breach notification, "intelligible and easily accessible" requests for consent from users and steep penalties for noncompliance.
Who does the GDPR apply to?
The GDPR applies to companies both within and outside of the European Union that collect or access the personal data of users in the E.U., including American companies like Facebook, Google, Amazon and others. (Reuters noted this week that Facebook will soon change its terms of service so that its 1.5 billion users outside of Europe, the U.S. and Canada would not be governed by GDPR, since all those users had previously agreed to terms with the company's international headquarters in Ireland.)
Why were these new rules created?
Companies like Facebook and Google that use personal data collected from users to help target advertising "thrived in the gray area" of internet regulations in the past, said Jason Kint, CEO of Digital Content Next, a digital publishing trade group. The new rules will force the companies to be more transparent about what data they collect and how they use it, requiring "specific, informed, explicit, unambiguous consent," Kint said. "Companies haven't had to do that up until this point."
What is Facebook doing in response?
Following the Cambridge Analytica scandal and ahead of GDPR enforcement, Facebook announced on April 17 that the platform will be introducing new privacy policies for all users, no matter where they live. The changes include asking users to opt in or out of situations such as receiving certain ads, sharing profile information and allowing the use of facial recognition.
"People in the EU will start seeing these requests this week to ensure they have made their choices ahead of GDPR coming into effect on May 25," Facebook said in its announcement. "As part of our phased approach, people in the rest of the world will be asked to make their choices on a slightly later schedule, and we'll present the information in the ways that make the most sense for other regions."
Speaking to CNN, to Congress and on a conference call with reporters, Zuckerberg has previously equivocated on whether Facebook's privacy settings would be available globally or whether the controls would be in the same format.
As part of its preparations for GDPR, Facebook also has new settings and privacy shortcuts that make it easier for users to access and control their data, and will be restricting aspects of Facebook for young users between 13 and 15 years old.
What have other companies been doing about GDPR?
Google has also released new data processing terms in order to comply with GDPR, though it is not clear whether the search giant will be following GDPR-related guidelines for users living in countries outside of the European Union.
What happens if companies don't follow the rules?
There can be a steep penalty for noncompliance: the most severe fine is up to 4% of the company's annual revenues, or €20 million ($24.6 million), according to the GDPR website.
Do these new rules mean that U.S. lawmakers will eventually require something similar?
Though some members of Congress called for Facebook and its peers to be regulated in their questioning of Zuckerberg, it's unclear so far whether the U.S. will end up instituting similar rules. "It's a little bit harder, given the free market perspective in the US," said Needham analyst Kerry Rice.