May 25th is the day the European Union’s General Data Protection Regulation (GDPR) goes into effect. It’s more likely than not that any reader of mine already knows all about GDPR, but for those who don’t, it’s the most significant new framework for data regulation in recent history. Not only does every company that does business with an EU citizen have to comply with GDPR, but most major Internet companies (like Google, Facebook, etc.) have already announced they intend to export the “spirit” of GDPR to all of their customers, regardless of their physical location. Given that most governments still don’t know how to think about data as a social or legal asset, GDPR is likely the most important new social contract between consumers, business, and government in the Internet’s history. And to not bury the lede here, I think it stinks for nearly all Internet companies, save the biggest ones.

That’s a pretty sweeping statement, and I’m not prepared to entirely defend it today, but I do want to explain why I’ve come to this conclusion. Before I do, however, it’s worth laying out the fundamental principles driving GDPR.