What is the GDPR?
It's complicated. Companies were given two years to become compliant after the EU adopted the regulation in 2016. Of course, as highlighted by The Verge, there are going to be a lot of companies unprepared for Friday's deadline.
To grossly simplify it, the GDPR is about the management of digital privacy. The law has been called one of the world's strongest protections for digital privacy rights. It's also been called "staggeringly complex." Without wading into the muck, there are two tenets of the law that are the primary cause of those emails you're getting. They were neatly summarized in a report by The New York Times: "The first is that companies need your consent to collect your data... The second is that you should be required to share only data that is necessary to make their services work."
The second point could be a little confusing, but the Times quotes Electronic Frontier Foundation director Danny O'Brien to make it easier to understand. "A birthday cake company needs your name to put on the birthday cake," he said. "If it isn’t essential information, you can deny them consent to use that data and you still have to get the service."
Companies are sending out these emails to share the policy changes with users and, in most cases, to request that users accept the terms and opt in to the company's data collection policies. Companies that aren't compliant with the regulations could be fined up to 4% of their global revenue. (Though it remains to be seen how strictly fines and regulations will be enforced.)
There are other pieces to this, though they aren't necessarily the reason you're getting way too many emails. For instance, the GDPR expands what is considered "personal data" in the EU and requires that companies be able to explain to users exactly what is being done with data that is collected. Users also have "the right of access," which means companies must provide access to your personal data if you request it. While these are all a part of the GDPR, these are benefits that won't necessarily extend to Americans. Nonetheless, there are plenty of benefits that will extend to people in the US.
Part of the reason it's a good thing for US consumers to get peripheral benefits from these regulations is that there seemed to be a security breach every week in 2017. Uber lost data on 57 million users and covered it up, Yahoo's data breach affected a billion accounts and wasn't announced for years, and more than 140 million people had their data hacked in the Equifax breach. People also had their data compromised in hacks of LinkedIn, Whole Foods, Chipotle, Pizza Hut, Sonic, Panera, and many more. In many cases, customers weren't notified for an extended period of time. Under the GDPR, companies need to notify regulators of a data breach within 72 hours. The law also allows people to access the private data a company has gathered about them and offers consumers the "right to be forgotten."