GDPR in the US: Compliance Checklist for Companies


Many businesses operate in the US but have loads of customers in the EU, meaning they fall under the scope of the General Data Protection Regulation (GDPR). Alternatively, some companies monitor the behavior of EU or EEA users, which also requires ensuring compliance with the regulation.

In this guide, I’ll explain which US companies must comply with the GDPR. You’ll also find simplified steps for complying with the GDPR as a US-based company.


Does the GDPR apply to the US?

Yes, the GDPR applies to the U.S. and its companies that fall under the GDPR jurisdiction as data controllers (who decide how data is used) or data processors (who handle and transfer data in various ways). Additionally, based on the Article 3 text, the GDPR applies to U.S. citizens who are physically located in a GDPR member state.

Does the GDPR affect US companies?

Yes, the GDPR applies to US companies even when they don’t have a physical EU presence, as long as they offer goods or services to EU residents or monitor the behavior of individuals in member states. A company that doesn’t ensure GDPR compliance can face serious legal ramifications.

According to the scope outlined in the GDPR Article 3, the regulation applies to data controllers and processors that aren’t necessarily established in the EU under two circumstances:

  • They offer goods and services to EU citizens (whether or not there’s a financial gain)
  • They monitor behavior in the EU.

This means that even if US citizens visit the EU, companies must comply with the GDPR if they monitor their behavior in any member state.

Does the GDPR affect US citizens?

The GDPR applies to citizens of the US or any other country when they’re physically located in a member state of the GDPR (European Economic Area countries). While the GDPR doesn’t specifically mention US citizens, its definition of “data subjects” does not refer to nationality but does depend on location.

Here’s the full explanation of the data subject definition under the GDPR Article 4:

“... an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

GDPR requirements for US businesses

GDPR requirements for US businesses are very similar to those for EU companies. However, a few requirements, such as the data transfer rules, matter mainly to companies in non-member countries.

So, let’s cover in detail what you have to do to comply with the GDPR in the US:


Step 1. Map out data

While it’s not a legal requirement under the GDPR, it’s highly recommended that you map out the data your organization processes. A proper understanding of data flows helps you confirm that you’ve established a proper legal basis, ensure transparency, and identify any potential risks.

Here are some of the factors you should consider when mapping out data:

  • Locate data flows. Find the channels where your data is collected from and where it’s going, like third-party integrations or social media.
  • Categorize data. Make sure you list what data is collected from all flow channels, including names, email addresses, and more sensitive information, like health data.
  • Store data securely. Take a look at where the data you collect is stored and document it.
  • Track data access. Evaluate who has access to the data subject information that you collect and secure or limit it if needed.
  • Document data transfers. If your company gathers data outside of the EU, document how it travels in your organization and through third parties.

Step 2. Establish a legal basis for processing

According to the GDPR Article 6, data processors must have a legitimate basis for processing user data. This ensures that data collection practices protect user rights and follow the core principles of the GDPR.

Here are the six lawful bases for processing:

  • Explicit consent
  • Contractual obligation
  • Legal obligation
  • Vital interests of a user
  • Carrying out a task in the public interest
  • Legitimate interests of an organization or third party

You should always make sure you communicate the legal basis to data subjects by mentioning it in the privacy policy or the consent form.

Step 3. Create a clear privacy policy

GDPR Article 12 states that companies must provide clear, transparent, and easily accessible information for users about their data collection practices. That’s why companies adopt privacy policies.

Here’s the main information you should include in a privacy policy to make it GDPR-compliant:

  • What data is collected. Be transparent and state what types of personal information are gathered.
  • Legal basis. Mention under what lawful basis you’re collecting data.
  • User rights. List the rights users have, which you can find in the GDPR Chapter 3, Articles 13 to 21. They include the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, and right to object.
  • Data retention time. Disclose how long you’re going to retain each type of data category.
  • Data processor details. Provide contact details of the organization that processes data or its representative.

Step 4. Acquire user consent before collecting data

The GDPR Article 7 requires data processors to obtain freely given, active, unambiguous, and informed consent. This is usually achieved with a consent management platform. Here’s an example of what a cookie consent banner looks like on the TinyCookie website:

TinyCookie cookie consent banner example

Note that unlike the California Consumer Privacy Act (CCPA) or some other privacy regulations in the US, the GDPR requires obtaining consent before data collection. So, here’s what to keep in mind when managing European Union user consent:

  • Use a cookie banner. Make sure you use a GDPR cookie banner to clearly state the fact that your website collects private user data and for what purpose.
  • Add an opt-in button. It’s obligatory to add an “accept cookies” button because the GDPR doesn’t allow data collection without consent.
  • Allow consent management. Ensure you give users the choice of what they want to consent to specifically. For example, let them control if they want to accept all cookies, only necessary cookies, performance cookies, and so on.
  • Include a rejection option. Under the GDPR Article 7, users have the right to reject data collection practices. This option should be as easy to find as the consent button.

Don’t forget to include a link to your privacy policy in the cookie banner. This ensures your site visitors can always review what they’re agreeing to, guaranteeing transparency.
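Here is how the opt-in, granular-choice, rejection and withdrawal requirements above can be enforced in site code, as an added example that is not TinyCookie’s or the original post’s code: a DOM-free consent store whose canSet() gate must be passed before any non-essential cookie is written. The category names and the POLICY_VERSION value are assumptions.

```javascript
// Added example (not TinyCookie's code): consent store that blocks non-essential
// cookies until an explicit decision is recorded. Categories and POLICY_VERSION
// are assumed values; adapt them to your own cookie audit and privacy policy.
const CATEGORIES = ['necessary', 'performance', 'marketing'];
const POLICY_VERSION = '2024-01'; // assumption: bump when the privacy policy changes

class ConsentManager {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.reset();
  }
  // Default state: only strictly necessary cookies are allowed and no decision
  // exists yet. Pre-ticked boxes or implied consent are never treated as consent.
  reset() {
    this.decision = null;
    this.granted = new Set(['necessary']);
  }
  // "Accept all" / "Accept selected": records an explicit, timestamped decision
  // for the chosen categories; unknown names are ignored, 'necessary' is always kept.
  accept(categories) {
    const chosen = categories.filter((c) => CATEGORIES.includes(c));
    this.granted = new Set(['necessary', ...chosen]);
    this.decision = { action: 'accept', categories: [...this.granted], at: this.now(), policy: POLICY_VERSION };
    return this.decision;
  }
  // "Reject all" is an explicit decision too: the banner stops reappearing,
  // but no optional category is ever enabled.
  rejectAll() {
    this.granted = new Set(['necessary']);
    this.decision = { action: 'reject', categories: ['necessary'], at: this.now(), policy: POLICY_VERSION };
    return this.decision;
  }
  // Withdrawal must be as easy as consent: one call returns to the default state.
  withdraw() { this.reset(); }
  // Gate that cookie-setting code must call before writing a non-essential cookie.
  canSet(category) { return this.granted.has(category); }
  // The banner must be shown when no decision exists or the policy changed since it was made.
  needsBanner() { return this.decision === null || this.decision.policy !== POLICY_VERSION; }
}

// Gated cookie write: returns the cookie string only when the category is allowed.
function buildCookie(manager, category, name, value) {
  if (!manager.canSet(category)) return null;
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
}
```

The `decision` object (action, categories, timestamp, policy version) is what you would persist as your consent record, since you must be able to demonstrate that consent was given.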

Step 5. Create Data Processing Agreements

If your company is working with third-party companies that can access the collected data, you must create Data Processing Agreements (DPAs).

According to the GDPR Article 28(3), data processors under a DPA must:

  • Ensure confidentiality of user data
  • Process only the data that was agreed to
  • Ensure security measures are taken to protect user data
  • Refrain from engaging another processor without the specific approval of the data controller
  • Comply with the GDPR
  • Delete collected data after the contract is terminated
  • Agree to an audit by the data controller

Step 6. Protect the personal information of data subjects

The GDPR Article 32 requires companies to adopt security measures that ensure the security of user data. Let’s take a look at the main required security steps:

  • The pseudonymization and encryption of data
  • Data confidentiality and integrity
  • Ability to quickly restore data in case of an incident
  • Regular testing of security measure effectiveness

However, data protection isn’t just technical. A firewall, full-disk encryption, and data backups alone aren’t going to cut it. Organizations must also review their organizational security measures.

This includes checking who has access to personal data, adopting identity management tools, and creating a breach response plan. This way, even if unauthorized access does occur, your company is prepared to isolate the issue and solve it faster.

Step 7. Appoint a Data Protection Officer (DPO)

A Data Protection Officer (DPO) is a dedicated person or organization that is responsible for the company's compliance with the GDPR.

According to the European Commission, companies must appoint a DPO if sensitive data processing or data processing on a large scale are its core activities. Additionally, the Information Commissioner’s Office (ICO) states that a DPO is necessary for public authorities.

Here are a few things to note when getting a DPO:

Data Protection Officer checklist

  • A DPO can be a staff member or it can be any person or organization under a contract
  • The DPO must be an expert in data protection laws, especially the GDPR
  • The goal of the DPO is to assist you with compliance and be the contact person for data subjects and the Data Protection Authorities

You can take a look at a complete DPO checklist on what to know when appointing one.

Step 8. Follow GDPR data transfer requirements

On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF). Under this adequacy decision, personal data can be transferred freely between EU and US companies as long as the US companies comply with the framework.

This means that US companies must first certify their compliance with the DPF to the US Department of Commerce.

Alternatively, US companies must at least ensure compliance with the GDPR Article 46. It outlines that data transfers can only happen if data controllers or processors apply appropriate safeguards.

GDPR enforcement in the US

Each GDPR member state has an independent data protection authority (DPA) that monitors the application of the GDPR and handles complaints.

There are a few GDPR fines and penalties that any company that handles EU citizen data could face:

  • Warning – when some violations are minor and don’t cause website users harm, a DPA may just give an initial warning.
  • Fine for less serious violations – companies that don’t appoint a DPO, don’t keep data processing records, or commit other non-serious violations can face a fine of up to €10 million, or 2% of the firm’s global annual revenue from the previous financial year (whichever is higher).
  • Fine for severe violations – if violations harm individuals or their privacy rights, such as data leaks or failure to acquire consent, companies may get a fine of up to €20 million, or 4% of the firm’s global annual revenue from the previous financial year (whichever is higher).
  • Ban on data processing – unlawful data processing practices can even result in a temporary or permanent ban for processing.

Biggest GDPR fines for US companies so far

US companies of any size have received hefty fines in the past. In fact, some of the biggest GDPR fines belong to US businesses, like Meta and Amazon. Many of them have even been charged repeatedly.

So, let’s take a look at the top GDPR fines for US companies:

Company – Date – Fine size – Enforcer – Reason

  • Meta – May 2023 – €1.2 billion ($1.254 billion) – Irish Data Protection Commission (DPC) – Transfer of personal user data to the US
  • Amazon – July 2021 – €746 million ($779 million) – Luxembourg National Commission for Data Protection (CNPD) – Lack of consent to use data for targeted advertising
  • Meta – 2022 – €405 million ($423 million) – Irish Data Protection Commission (DPC) – Unlawful processing of the personal data of minors
  • WhatsApp – September 2021 – €225 million ($251 million) – Irish Data Protection Commission (DPC) – Didn’t ensure a lawful basis for data processing
  • Google – December 2021 – €90 million ($94 million) – French Data Protection Agency (CNIL) – Didn’t provide an easy option to withdraw consent on YouTube

To ensure large fines don’t reach your US-based company, you have to follow the GDPR compliance checklist and data transfer requirements.

The importance of GDPR compliance for US companies

GDPR applies to US companies when they offer goods or services to EU residents or monitor their behavior. Such companies have to ensure GDPR compliance or they may end up facing large fines, reaching up to €20 million, or 4% of their annual revenue from the previous fiscal year.

The best way to comply with the GDPR is to monitor data flows, ensure a legal basis, create a compliant privacy policy, obtain user consent, follow data transferring requirements, and use a cookie banner. If you’re a Shopify user, you can ensure GDPR compliance in just one click using TinyCookie.

Frequently asked questions

The US doesn’t have a country-wide data protection regulation, but some states have comparable laws. For example, the California Consumer Privacy Act (CCPA) protects the privacy rights of California residents. The most noticeable difference from the GDPR is that companies are not required to obtain user consent for data collection, only to inform users.

No, unless a US citizen is physically located in the EU or EEA countries, they don’t have rights under the GDPR. US residents are protected by state-wide regulations, such as the CCPA, the Texas Data Privacy and Security Act (TDPSA), or the Colorado Privacy Act (CPA).

While some US data privacy laws, like California’s CCPA, were inspired by the GDPR, they have quite a few differences. One of the most notable ones is that consent is not required (except for minors) – informing users about data collection is enough.

If a US company doesn’t comply with the GDPR, it can face large penalties. For non-serious violations, the fine can go up to €10 million ($12 million), or 2% of your gross annual revenue from the previous year (whichever is higher). If the violation is more serious, the fines can reach €20 million or 4% of the company’s gross annual revenue. Repeated or very harmful violations can result in a ban on processing.

About the author
Kristina Jaruseviciute
Kristina is a Senior Writer at TinyCookie, where she specializes in providing educational content for readers interested in web cookies and compliance. She covers an extensive scope of subjects, from cookie types, definitions, and tutorials to compliance tips for website owners.