Numerous U.S.-based companies that operate online have customers from the European Union (EU) or other parts of the European Economic Area (EEA). If your business engages with these customers, it is subject to the EU’s General Data Protection Regulation (GDPR). This extensive data privacy regulation has an impact on many U.S. entities due to its extraterritorial reach.
In this article, I will discuss the requirements for GDPR compliance in the U.S., clarify why your business may be subject to it, and provide straightforward solutions to help you fulfill all necessary obligations.
The GDPR has a considerable influence on data privacy globally, but what does it mean for the US? Are American companies required to comply with it?
We will examine the effects of GDPR in the US and how businesses can adhere to this European privacy law. Does this imply that all US companies are at risk of facing penalties under GDPR? Let’s investigate the impact of GDPR in the US.
Does the GDPR Apply to the US and Its Companies?
Yes, companies in the US, as well as US companies inside of the EU, are bound by the GDPR’s regulations. This applies to all companies, regardless of where the processing of data occurs, according to the territorial scope of the GDPR under Article 3.
The “establishment” and “targeting” criteria are the two criteria that the EDPB guidelines use to determine GDPR applicability.
Article 3(1) states that any business outside the EU must comply with the GDPR if it has an establishment (employee, agent, branch, etc.) in the EU.
For instance, if a US-based retailer has an EU-based branch for marketing and advertising purposes, the branch is considered a stable establishment and subject to regulation (Recital 22 of the GDPR).
According to Article 3(2), a business that offers goods or services (even if it’s free) to individuals in the EU or monitors their behavior shall fall under the scope of GDPR.
Non-EU businesses monitoring activities such as cookies or other tracking technologies, behavioral advertising, geolocation, and market surveys can be subject to GDPR (Recital 24 of the GDPR).
Therefore, US business selling goods or services to EU consumers will fall under the GDPR’s scope in the US, even if it has no EU-based establishment (Recital 23 of the GDPR). It’s important to note that the law extends to any EU resident, irrespective of citizenship.
According to Recital 25 of the GDPR, controllers not established within the EU must comply with the GDPR if Member State law applies as per public international law. U.S. companies must comply with GDPR regulations as either data controllers or data processors.
If your website provides goods or services to EU or EEA citizens and/or collects personal information about them, it must meet all GDPR’s business requirements. The GDPR protects US citizens as data subjects while they use the internet in the EU or other EEA countries.
GDPR and U.S. Companies as Data Controllers & Processors
GDPR Applicability: Contrary to certain U.S. data privacy laws such as the CCPA and CDPA, which have thresholds based on company size or revenue, the GDPR does not impose such limitations.
Data Controller Classification: This implies that any U.S.-based company, regardless of its size, can be classified as a ‘data controller’ under the GDPR.
As per Article 4 (7), a data controller is defined as ‘a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.’
Data Processor Classification: On the other hand, U.S. companies can also be classified as a ‘data processor’ under the GDPR, as defined in Article 4 (2).
Data processing involves activities such as:
- Collection
- Recording
- Organization
- Structuring
- Storage
- Retrieval
- Adaptation or alteration
- Consultation
- Use
- Disclosure by transmission
- Dissemination or other methods of making personal data sets accessible.
| Business Example | Does It Fall Under the GDPR? | Why? |
|---|---|---|
| A California-based e-commerce website that ships to the UK and France. | Yes | The business sells goods to consumers in the EU and monitors their behavior. |
| A New York-based news website that has a large readership in Germany. | Yes | The business processes personal data of EU residents for the purpose of offering goods or services. |
| A Texas-based online retailer that sells products to customers in Italy and Spain. | Yes | The business sells goods to consumers in the EU and monitors their behavior. |
| A Florida-based restaurant chain that only operates within the U.S. but has a website that collects personal data from EU residents. | Yes | The business processes personal data of EU residents for the purpose of offering goods or services. |
| A Colorado-based ski resort that only operates within the U.S. and does not target or monitor EU residents. | No | The business does not process personal data of EU residents. |
| A local bakery in Oregon that only operates within the state and does not have a website or any online presence. | No | The business does not process personal data of EU residents. |
This table illustrates how the GDPR can apply to U.S. companies of various sizes and industries, as long as they process the personal data of EU residents.
On the other hand, small, local businesses that do not have an online presence and do not target or monitor EU residents are not subject to the GDPR.
Does the GDPR Apply to US Citizens?
The GDPR applies to U.S. citizens who are physically located in a protected EU or EEA country. This is because the Article 3 (2(a)) of GDPR uses the term “data subjects” to refer to people whose data is being processed. However, the GDPR does not apply to U.S. citizens who are not physically located in a protected EU or EEA country.
| Example | Does the GDPR Apply? | Why? |
|---|---|---|
| A U.S. citizen visits France and uses a GDPR-protected service. | Yes | The individual was in a GDPR-protected region at the time they used the service. |
| A U.S. citizen visits Iceland, which is in the EEA, and uses a non-GDPR-protected service. | No | The service is not GDPR-protected. |
| A U.S. citizen visits the UK, which is no longer in the EU, and uses a GDPR-protected service. | No | The UK is no longer part of the EU, so the GDPR does not apply. |
Is the GDPR applicable to EU citizens residing in the US?
To put it in simpler terms, if you’re an EU citizen in the US, the GDPR doesn’t apply to you.
However, if an organization handles your personal data and you’re based in the EU, they must comply with the GDPR, even if they’re not based in the EU themselves. This is known as the “extra-territorial effect.” (Article 3 of GDPR)
It’s important to remember that the GDPR applies to the location of the data subject, not their citizenship. EU citizens in the US are protected by US federal and state laws like CalOPPA, COPPA, CCPA, and CDPA.
The GDPR isn’t limited to European businesses and citizens and can be enforced globally. Companies like ChatGPT, have faced penalties for violating GDPR regulations (Articles 5(1)(a), 12, 15, 16 and 25(1) of the GDPR). It’s crucial for organizations to respect GDPR regulations and ensure the safety of EU residents’ personal data.
Requirements for US Businesses to Ensure GDPR Compliance
If your U.S. business falls under GDPR’s jurisdiction, it must meet the same requirements as EU businesses. Wondering how to comply? Let’s break it down into simple steps to help you prepare for GDPR in the US.
1. Conducting a Privacy Audit to Assess Data Processing
When it comes to GDPR compliance, performing a privacy audit is a crucial first step (Article 47 and 58 of GDPR). This involves identifying and keeping track of all personal information collected from users on your website.
The data collected may include:
- IP addresses
- Names
- Email addresses
- Other types of data
- Cookies and trackers
Additionally, be sure to note any special categories of information, such as sensitive personal data. While not a legal requirement, this step lays the foundation for your business to ensure full compliance.
To further identify the types of personal data your business collects, stores, and processes, it is important to conduct a thorough audit.
This will help you determine if you are gathering sensitive data such as:
- Race
- Ethnicity
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic information
- Biometric information
In addition, employee data will also be subject to GDPR if your business employs EU residents. In such cases, you may need to implement additional measures such as DPIA or appointing a DPO (Article 37 of GDPR).
2.Create and Publish a Privacy Policy
Your privacy policy should include all the information outlined in Articles 13 and 14 of the GDPR.
Article 13 applies when data is collected directly from the data subject, while Article 14 applies when data is obtained indirectly.
A privacy policy should include:
- Types of personal information collected
- Methods of collection
- Legal justification for collection
- Categories of information (sensitive, non-sensitive, criminal)
- Retention duration
- Entities with whom information is shared
- Data subjects’ rights clarification
According to Article 15 and recital 63 of GDPR, the Right of access by the data subject is also important for privacy policy. If your business processes large amounts of data, it may require a Data Protection Officer, which should be included in the privacy policy.
3.Identifying and Establishing Legal Bases for Data Processing
Establish the Legal Basis for Data Processing Once you’ve identified what data your website collects from users, the next crucial step is to determine your legal basis for processing this information. This is a requirement outlined in Chapter 2, Article 6 of the GDPR regulation.
The GDPR outlines six unique foundations for the processing of data:
- Consent from the data subject.
- Necessity for the performance of a contract.
- Legitimate interest.
- Vital interest of the user or another individual.
- Compliance with a legal obligation.
- Execution of a duty performed in the interest of the public or in the exercise of formal power
Inform consumers about your legal basis for processing data in your privacy policy. Only one legal basis can be used at a time and must be established before processing. It must also be demonstrable to data subjects and regulatory authorities.
4.Use Third-Party Data Processing Agreements
To comply with GDPR regulations, it is essential to use compliant Data Processing Agreements (DPAs) when dealing with third-party entities that have access to or process user data.
These agreements must meet specific GDPR requirements outlined in Chapter 4, Article 28 and obligate data processors to adhere to various GDPR requirements, including:
- Processing data only on the written instructions of the data controller
- Maintaining confidentiality of personal information
- Listing measures that ensure security measures
- Outsourcing delegated functionality only with consent
- Deleting personal information after contract termination
- Being audited by the data controller as necessary
The DPA agreement should also state terms about the security of processing and data breach notification.
5.Implementing Appropriate Safeguards for International Data Transfers to the US
In order to comply with international data transfer requirements, US companies are required to follow the guidelines outlined in Chapter 5, Article 46 of the GDPR.
This is necessary because the transfer of personal data from the EU/EEA to the US has not yet been authorized by EU leaders.
In the absence of an adequacy decision, as stated in Recital 108 of GDPR, the controller or processor should take measures to compensate for the lack of data protection in a third country by implementing appropriate safeguards for data subjects.
Businesses must document compliance and take steps to protect data subjects’ privacy rights. EU and US leaders are discussing the EU-US Data Privacy Framework, which may serve as an adequacy decision if approved under GDPR.
6.Managing User Consent for Data Collection
To comply with GDPR regulations, track and log the data subject’s consent choices when using consent as the legal basis for processing personal information, as outlined in Chapter 2, Article 7 of the GDPR. This includes obtaining consent for the use of cookies on your website.
Here are some measures you can implement to ensure adherence:
- Set up a cookie consent banner on your site that links to a cookie policy and privacy policy and allows users to opt in or out of tracking.
- Provide users with a mechanism to withdraw their consent at any time.
- Keep a precise record of their consent preferences.
- Consider using an automated solution, like a Cookie Consent Manager, to simplify the process.
7.Accomplish Data Security and Storage Practices
US businesses that fall under the categories of controllers or processors, according to GDPR, have a responsibility to comply with data security and storage guidelines to ensure that users’ personal information is protected from breaches or leaks.
Article 32 of GDPR recommends implementing the following security measures:
- Pseudonymization and encryption of data.
- Ensuring that processing systems and services maintain confidentiality, integrity, availability, and resilience on an ongoing basis.
- Prompt restoration of data availability and access in the case of an incident.
- Routine examination, appraisal, and validation of the efficacy of technical and administrative measures.
The controller and processor are accountable for implementing these security controls and measures to safeguard the rights of the data subjects.
Additionally, Recital 83 of GDPR highlights the need for appropriate security measures to protect personal data from unauthorized processing, loss, destruction or damage.
Understanding GDPR Enforcement and Penalties in the US:
GDPR enforcement in the US is managed by Data Protection Authorities, who are responsible for ensuring compliance with GDPR across different EU member states.
Noncompliance with GDPR by US businesses or other entities can result in fines of up to €10 million ($12 million) or 2% of the company’s gross annual revenue from the previous fiscal year, whichever is higher.
Additionally, the EU/EEA presence or assets of noncompliant companies, such as servers, bank accounts, or real estate, may be subject to seizure.
Conclusion:
In conclusion, the GDPR is a European-based regulation that affects U.S. companies, citizens, and federal and state governments. It applies to anyone within an EU or EEA country regardless of their nationality or citizenship status, and businesses in the U.S. and around the globe fall under its jurisdiction if they process personal information about an individual within those protected territories. Any U.S. company that serves customers in the EU or EEA or tracks their behaviors must fully comply with the GDPR or face financial consequences. At VISTA InfoSec, we can help U.S. companies ensure GDPR compliance by providing expert guidance and support throughout the compliance process. With our help, U.S. companies can confidently navigate the complexities of GDPR compliance and avoid costly penalties.
