Now more than ever, it’s important that all of us understand what GDPR really is.

The most important consumer protection milestone since Ralph Nader’s 1965 auto industry exposé Unsafe At Any Speed came and went without much fanfare on May 25, 2018.

The formal name in the European Union is the General Data Protection Regulation, but it’s most commonly known as GDPR. Yes, it generated a blip of attention across the pond, but as with most things that aren’t born in the United States, Americans didn’t pay much attention. Nor did the rest of the world. Thousands of organizations, including Google, Facebook, Amazon, and Apple, all updated their privacy policies. Most of us simply clicked “accept.”

That was a mistake.

Without diving into the bureaucratic language, GDPR is a set of privacy protections for EU citizens. But it’s much more than that. GDPR is a new set of property rights — rights over the data created by all people as they walk through their digital lives: purchase records, locations they visit, surveillance of them, everything.

Specifically, GDPR guarantees:

the right to access your personal data (companies cannot hide it from you); the right to own your personal data (you can request it, a process called “rectification” … and then take it to some other provider); the right to restrict how your data may be used; and, most importantly, the right to be forgotten (you can ask to be purged from the data gatherer’s records).

GDPR says that you are more than a collection of data. GDPR is no less than a statement of basic human dignity.

There’s more to it than that, and the more you learn about the specifics, the easier it is to get lost in the technicalities. For our purposes, let’s see how GDPR works in practice.

Suppose you’re interested in a London production of Hamilton, and purchase tickets online from the theater’s website. On the day of the event, you leave your hotel (that you also booked online) and ride an Uber to the theater. Along the way, you are captured on no fewer than three surveillance cameras in the theater complex. You purchase a drink with your credit card, watch the show, and head back to the hotel after a thrilling performance.

If you had done that in New York, as an American citizen, you would have given no fewer than five organizations (the hotel, Uber, the theater, the concession vendor, and the credit card company) your private information. They can use it, in perpetuity, for whatever purpose they like — usually to remarket other goods and services to you.

(Have you ever escaped one of these mailing lists? I thought not.)

But under GDPR, Londoners have a choice. With one email to each vendor, they can ask to purge all of that data. It would be as if they never attended the show. I’m oversimplifying, of course, especially as it relates to the financial transactions, but let’s pause to think about what a massive change this is. For the first time since the beginning of the internet and the creation of your digital footprint, EU citizens (and to an extent, anyone an EU-based organization touches) have control over a new type of property — their data. Organizations and marketers now must inform them, respect their rights, and up their game if they want the right to use that asset. And because EU citizens cross borders, and because the EU will take action against violators outside its borders, global organizations are forced to comply. In other words, London citizens can ask the New York vendors to purge their data, and those US-based companies will need to oblige them.

(As an aside, I find it ironic that a Brit has more freedom regarding their data than an American going to see a play about a key figure in the American Revolutionary War. But I digress.)

Up to this point, privacy and “data ownership” have been a one-sided battle. Your data freedoms are what data gatherers decide they are. The EU just gave its citizens the data equivalent of the Magna Carta.