According to Medium.com, the strictest data protection act in the world is the EU’s GDPR. The General Data Protection Regulation (GDPR), which governs customer data collection, went into effect on May 25, 2018. If an individual who resides in the EU visits your website in the U.S. and you collect personally identifying information from them, then you need to be GDPR compliant or face fines. According to Intersoft Consulting, “fines must be effective, proportionate and dissuasive for each individual case.” In the most severe cases, fines can be in the tens of millions of dollars. Google, the first U.S. company to be fined under the GDPR, was fined $57M.