May 25 is circled on the calendars of just about every retailer, technology executive and business that in any way interacts with European consumers. That’s the day a European privacy law, the General Data Protection Regulation (GDPR), takes effect.

The regulation empowers consumers by forcing retailers, marketers and others to explicitly state to consumers in the European Union’s 28 member countries how they’re collecting, using and storing consumers’ personal data such as their name, location, IP address and, perhaps most importantly to retail marketers, identifiers that track their web and app use on their web-connected devices. While there is a carve-out for businesses that can demonstrate a “legitimate interest” in the data, for example for direct marketing purposes such as email marketing, GDPR leaves a lot of gray area that regulators have yet to map out. At the same time, GDPR gives consumers the right to access the data that retailers and others store about them, the right to correct inaccurate information and the right to delete their information (also referred to as the “right to be forgotten”).

Failure to comply is costly because the regulation has teeth: it carries stiff fines of 20 million euros ($24.7 million) or up to 4% of a company’s annual global revenue. That would amount to more than $7.11 billion for a company such as Amazon.com Inc., which generated $177.87 billion in revenue last year.

Because of those stiff fines, every retailer, marketer and technology company that interacts with European consumers needs to…
