Facebook and other internet companies are racing to prepare for a sweeping new European Union (EU) privacy law that aims to give consumers greater control over the use of their data.

The law comes at a critical time for the industry, which is already facing tough questions over its data practices.

The General Data Protection Regulation (GDPR), which goes into effect across the EU on May 25, will drastically change what internet companies can do with customers' data.

Users will have greater control, including the ability to learn what information companies have on them. The GDPR will also codify what's known as "the right to be forgotten," meaning consumers will be able to order web services to delete their data or stop distributing it to third parties. The rules will also require companies to give users the ability to easily revoke consent for handing over personal information.

"I think it's going to have a fundamental seismic shift in the whole industry because it grants people rights over their data that they don't currently have," said David Carroll, an associate professor at the Parsons School of Design who studies digital media and data practices.

"It really empowers consumers to get a better deal; we've never really had a say in the deal," Carroll added.

Companies must also be upfront about what they are doing with users' personal information. Regulators say that web services will no longer be able to cloak the terms of their data practices in legalese.

"One of the main tenets of GDPR is to make sure that there is trust and to make it clear what the data is being used for," said Greg Sparrow, vice president and general manager of CompliancePoint.

The impending deadline has companies scrambling to bring themselves in line with the new law. Violations under the new rules would be met with hefty fines of $24.6 million or 4 percent of a company's global revenue, whichever is larger.

Hovering over those efforts is the data scandal that saw a political consulting firm with ties to President Trump's 2016 campaign improperly obtain the personal information of 50 million Facebook users.

Cambridge Analytica, which did work for the president's campaign and several other Republican politicians, reportedly paid a researcher for data he obtained through a third-party app on Facebook. The researcher obtained the data even though users had not consented to handing over their information for political purposes.

Věra Jourová, the EU's consumer protection chief, thinks the incident underscores why privacy regulations like the GDPR are crucial.

"In my view this is not only about data protection [from] breaches, this is about a threat to democracy and individual freedoms," Jourová said in an interview with Bloomberg earlier this month.

"I can say that in Europe we are ready for these cases," she added.