Do Not Track and PrivacyShield
The Annex II document lays out 7 principles that US companies must abide by once they agree to be covered by PrivacyShield, including Notice, Choice and Access.
Principle 1) Notice. They have to declare who they are, including contact information, what types of data they collect, what their purposes are for collecting it, what third parties they will share it with, etc.
Principle 2) Choice. You must have a choice over limiting the use and disclosure of your personal data, usually an opt-out, but there must be an opt-in for "sensitive" data. This has been diluted by obscure legalese, but in the end whatever is offered has to be "essentially equivalent" to the relevant requirement in EU DP law - freely given, specific, informed, unambiguous, affirmatively given consent.
Principle 6) Access. You must have access to the data the company holds about you, and be able to correct, amend or delete it. This is also a pale imitation of the EU DP rights to object, access and erase, but ultimately it will have to be equivalent.
In the context of online data flows the W3C Do Not Track recommendation includes most of the building blocks needed to implement these principles. There is an extensible Tracking Status Resource that can be used to declare the notice requirements, a signal (the DNT request header) that can indicate a person's right to object to data collection, and an API giving the continuous capability to register or revoke consent.
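To make the mapping concrete, here is an added example (not code from the original post or from the W3C) of a third-party resource server honouring those three building blocks: it serves a Tracking Status Resource at /.well-known/dnt/ for the notice requirement, reads the DNT request header and answers with a Tk response header for the choice requirement, and keeps a consent store plus an access/erase path for the access requirement. The field names and header values follow the W3C Tracking Preference Expression spec; the URLs, user ids, request objects and in-memory stores are constructed for this example.

```javascript
// Added example, not part of the original post: a small model of a third-party
// resource server honouring the W3C Tracking Preference Expression (TPE)
// building blocks. Header names/values (DNT, Tk), the tracking status resource
// fields and its media type follow the TPE spec; URLs, user ids and the
// in-memory stores below are constructed for illustration.

// Constructed in-memory state: users who granted a tracking exception (consent),
// and the data collected about each user.
const consentStore = new Set();
const dataStore = new Map();
let nextId = 1;

// Notice: the Tracking Status Resource at /.well-known/dnt/ declares who the
// controller is, where the policy lives, and the current tracking status.
function trackingStatusResource(tracking) {
  return {
    tracking,                                               // "N", "T" or "C"
    controller: ["https://tracker.example/about"],          // constructed URL
    policy: "https://tracker.example/privacy",              // constructed URL
    compliance: ["https://tracker.example/dnt-compliance"], // constructed URL
  };
}

// Choice: derive the Tk status from the DNT request header plus stored consent.
//   "C" tracking with prior consent, "N" not tracking, "T" tracking (no signal)
function resolveTrackingStatus(dntHeader, userId) {
  if (userId !== undefined && consentStore.has(userId)) return "C";
  if (dntHeader === "1") return "N"; // user objects: do not track
  if (dntHeader === "0") return "C"; // user expressed consent for this request
  return "T";                        // no preference expressed
}

// Consent registration and revocation, the server-side record of what the
// browser's tracking-exception API lets a person grant or withdraw at any time.
function registerConsent(userId) { consentStore.add(userId); }
function revokeConsent(userId) { consentStore.delete(userId); }

// Access: return, or erase, everything held about a user.
function accessUserData(userId) { return dataStore.get(userId) || []; }
function eraseUserData(userId) { dataStore.delete(userId); consentStore.delete(userId); }

// Request handler for the third-party resource. `req` is a constructed shape:
// { path, headers: { dnt }, userId } (userId is the id from a prior cookie, if any).
function handleRequest(req) {
  const status = resolveTrackingStatus(req.headers.dnt, req.userId);
  const headers = { Tk: status };

  if (req.path === "/.well-known/dnt/") {
    headers["Content-Type"] = "application/tracking-status+json";
    return { statusCode: 200, headers, body: JSON.stringify(trackingStatusResource(status)) };
  }

  if (status === "N") {
    // Honour the objection: no identifier is set and nothing is recorded.
    return { statusCode: 200, headers, body: "" };
  }

  // Tracking permitted: record the visit against the user's profile.
  const id = req.userId !== undefined ? req.userId : `u${nextId++}`;
  const records = dataStore.get(id) || [];
  records.push({ path: req.path, status });
  dataStore.set(id, records);
  headers["Set-Cookie"] = `uid=${id}; Secure; HttpOnly; SameSite=None`;
  return { statusCode: 200, headers, body: "" };
}
```

The point to check in a real deployment is the "N" branch: a DNT:1 request with no stored consent must leave no identifier behind, and the Tk header and the status resource must report the same value so a user agent can verify the claim.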
From the outset Do Not Track was designed to give people visibility of and control over the hundreds of third-party resources embedded in many websites, even in cases where the website owner has not contracted with the third parties or taken responsibility for their privacy practices.
The clearest way for any US company offering third-party resources to show its support for and compliance with the PrivacyShield principles would be to properly implement Do Not Track.