If they fail to prove they have been handling data correctly, don't report security breaches within 72 hours, or hold data for longer than is necessary, they face penalties.
"Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases".
You may have noticed your email inbox overflowing this month with emails from companies and apps-from Quora to Ticketmaster to Apple to Spotify-appealing to let them keep in touch with you and outlining changes to their privacy policies.
GDPR has brought headaches and significant costs for many companies, which have had to update their systems with very little benefit to show for it. Critics say the regulations will stifle innovation and risk blaming the victims of cyber crime - companies that are hacked - for the behaviour of the criminals that target them.
GDPR, short for General Data Protection Regulation, is created to give European Union citizens greater control over how their information is used online. The regulation expands the scope of what companies must consider personal data, and it requires them to closely track data they have stored on European Union residents.
Also affected was USA Today, whose European site - although not entirely blocked - was very sparse compared to the usual US version.
At any rate, it seems a few companies aren't adapting to the GDPR as quickly as some would like - Austrian privacy activist Max Schrems has filed numerous legal complaints against Facebook and Google for allegedly violating the GDPR's new rules.
USA Today says its site does not collect "personally identifiable information or persistent identifiers from, deliver a personalized experience to, or otherwise track or monitor persons reasonably identified as visiting our site from the European Union". Some are obvious, such as to fulfill contractual obligations - for instance, when an insurer pays out a claim.More news: US Senate votes to save net neutrality
More news: YouTube Red turns into YouTube Premium
More news: Two Dead as Communal Clashes Erupt in Maharashtra's Aurangabad
Apple has said that it will offer the same protections to users in other countries, but hasn't yet specified a deadline for this.
There's also a somewhat vague category called "legitimate interests".
Facebook, which has more than 2 billion regular users, has also said that advertising allows it to remain free, and that the whole service, including ads, is meant to be personalized based on user data.
Facebook, Google and their ilk may be headquartered in Silicon Valley, but they have millions of users in Europe - and so have to comply with the new rules.
Regulators will also look to hit the pocket books: Companies can be fined up to 4 per cent of their global revenue or €20 million, whichever is larger.
Okay, what are the specific rules a company must follow?
They need to have a plan for notifying authorities and users if there's a hack, and they need to make sure they're verifying the ages of their users - children's data is a big part of this, too.