Starting tomorrow, a new framework for consumer data protection goes into effect in Europe. The European General Data Protection Regulation—better known by its acronym, GDPR—sets a new standard for data collection, storage, and usage among all companies that operate in Europe. It will change how companies handle consumer privacy, and will give people new rights to access and control their own data on the internet.

That is, if you live in Europe. On its face, GDPR only affects the European Union, meaning the rights outlined within it don’t translate to other countries. (The UK will get similar rules, despite Brexit.) People in the United States aren’t entitled to the same rights or protections—but that doesn’t mean people outside of the EU should ignore GDPR completely. There will be some residual benefits for them, and understanding how the law changes data privacy for Europeans could throw into focus the digital rights people still lack elsewhere.

What Is GDPR?

GDPR is a series of laws spelling out the digital rights for citizens of the European Union. It builds on an earlier policy, called the Data Protection Directive, which Europe adopted in 1995. Many of the ideas outlined in GDPR came from the earlier regulation, and an even older set of principles called the Fair Information Practices, which covers the ways consumer information should be used. Those practices have also shaped policies in the United States, though the outcomes have differed. The United States has historically regulated privacy in context, with piecemeal laws for the privacy of healthcare records, financial documents, and federal communications. There's nothing analogous to GDPR in the United States, and there likely won't be any time soon.

In Europe, though, GDPR represents one of the most robust data privacy laws in the world. It gives people the right to ask companies how their personal data is collected and stored and how it's being used, and to request that personal data be deleted. It also requires that companies clearly explain how your data is stored and used, and get your consent before collecting it. "Personal data," in this case, refers to things like a person's name, email, and IP address, but also pseudonymized information that could be traced back to them. People can also object to personal data being used for certain purposes, like direct marketing. If you buy a pair of shoes through an online retailer and start seeing ads for similar shoes, you should be able to ask the retailer to stop using your personal data for direct marketing purposes. Under GDPR, those and other rights are guaranteed.

European citizens are granted these rights by law, but some companies may also give them to people elsewhere. "Some companies may realize it’s better to just extend GDPR protections to all their customers, period, rather than one policy for European citizens and one policy for the rest of the world," says Richard Forno, a cyber security researcher and the Assistant Director of UMBC's Center for Cybersecurity. Microsoft, for example, announced that it would give all users control of their data under the new EU rules, including a privacy dashboard that lets any user manage their personal information. Other companies, like Facebook, are changing their privacy settings and tools for all users globally—but not giving all users the same rights to their data as EU users.

It remains to be seen how much the rest of the world will benefit from GDPR rules, but there are likely "some rights that companies couldn’t contain to Europeans even if they tried," says Yana Welinder, a fellow at the Center for Internet and Society at Stanford Law School. "For example, companies will now have to notify a European agency if they had a personal data breach within 72 hours of a breach. If the breach exposes users to high risk, the company also needs to notify users directly." Those kinds of rules could have spillover benefits to people outside of Europe, and could similarly influence how companies conduct business regardless of the country.

What You Can Do

If you live in Europe, a good first step would be to familiarize yourself with the European Commission's list of rights provided under GDPR. You'll find step-by-step guides for things like asking a company what kind of data it's collected about you, requesting that it stop processing that data, or delete that data altogether. It also shows you how to file a complaint if your personal data is leaked, and what to do about personal data collected about children.