Consumers have long wondered just what Google and Facebook know about them, and who else can access their personal data. But internet giants have little incentive to give straight answers — even to simple questions like, “Why am I being shown this ad?”

On May 25, however, the power balance will shift towards consumers, thanks to a European privacy law that restricts how personal data is collected and handled. The rule, called the General Data Protection Regulation, or GDPR, focuses on ensuring that users know, understand, and consent to the data collected about them. Under GDPR, pages of fine print won’t suffice. Neither will forcing users to click yes in order to sign up.

Instead, companies must be clear and concise about their collection and use of personal data like full name, home address, location data, IP address, or the identifier that tracks web and app use on smartphones. Companies have to spell out why the data is being collected and whether it will be used to create profiles of people’s actions and habits. Moreover, consumers will gain the right to access data companies store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others.

The law protects individuals in the 28 member countries of the European Union, even if the data is processed elsewhere. That means GDPR will apply to publishers like WIRED; banks; universities; much of the Fortune 500; the alphabet soup of ad-tech companies that track you across the web, devices, and apps; and Silicon Valley tech giants.

As an example of the law’s reach, the European Commission, the EU’s legislative arm, says on its website that a social network will have to comply with a user request to delete photos the user posted as a minor — and inform search engines and other websites that used the photos that the images should be removed. The commission also says a car-sharing service may request a user’s name, address, credit card number, and potentially whether the person has a disability, but can’t require a user to share their race. (Under GDPR, stricter conditions apply to collecting “sensitive data,” such as race, religion, political affiliation, and sexual orientation.)

GDPR has already spurred, or contributed to, changes in data-collection and -handling practices. In June, Google announced that it would stop mining emails in Gmail to personalize ads. (The company says that was unrelated to GDPR and done in order to harmonize the consumer and business versions of Gmail.) In September, Google revamped its privacy dashboard, first launched in 2009, to be more user-friendly. In January, Facebook announced its own privacy dashboard, which has yet to launch. Though the law applies only in Europe, the companies are making changes globally, because it’s simpler than creating different systems.

The law’s impact will extend well past the web giants. In March, Drawbridge, an ad-tech company that tracks users across devices, said it would wind down its advertising business in the EU because it’s unclear how the digital ad industry would ensure consumer consent. Acxiom, a data broker that provides information on more than 700 million people culled from voter records, purchasing behavior, vehicle registration, and other sources, is revising its online portals in the US and Europe where consumers can see what information Acxiom has about them. GDPR “will set the tone for data protection around the world for the next 10 years,” says Sheila Colclasure, Acxiom’s chief data ethics officer.