Does the GDPR apply to US companies?

Since its enforcement in 2018, one of the most asked question about GDPR has been: does it apply outside the European Union? And, more specifically: does it apply to US companies?

In this post, we’ll answer this question and explain what US companies may need to do to comply (and avoid fines!).

Does GDPR apply to US?

In most cases, yes, it does.

The GDPR has an extraterritorial scope, meaning that it can also apply outside the European Union. The regulation is meant to protect European users, and therefore it can extend to foreign businesses too.

To be more precise, for the GDPR to apply to your US companies, you should meet at least one of the following requirements:

1. Your business is based in the EU (please note that this applies even in the case of an EU-branch office);
2. you’re not based in the EU, but you offer goods or services (even for free) to EU-based users;
3. you’re not based in the EU, but you monitor the behavior of EU-based users.

Here’s a practical example, taken from the European Data Protection Board guidelines:

A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app, in order to offer targeted advertisement for places to visit, restaurant, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome. The US start-up is specifically targeting individuals in the Union (namely in Paris and Rome) through offering its services to them when they are in the Union. The processing of the EU-based data subjects’ personal data together with the offering of the service falls within the scope of the GDPR. Furthermore, by processing data subject’s location data in order to offer targeted advertisement, the processing activities also relate to the monitoring of behavior of individuals in the Union. The US start-up processing therefore also falls within the scope of the GDPR

For a more comprehensive explanation, take a look at this video.

How can the GDPR affect US companies?

Therefore, it’s a mistake to think that, being the GDPR a European regulation, it doesn’t affect US businesses at all.

As we said above, the extraterritorial scope may allow European Data Protection Authorities to enforce the GDPR outside the European Union.

The enforcement can be implemented in different ways.

The “scariest” one is definitely the fines: they can reach up to EUR 20 million (€20m) or 4% of the annual worldwide turnover (whichever is greater). But perhaps equally concerning are the other potential sanctions: official reprimands (for first-time violations), periodic data protection audits and liability damages.

GDPR requirements for US companies: how to comply

In order for your US business to comply with the GDPR, here are some of the steps to follow:

1. Have a lawful basis: the GDPR requires that you have at least one lawful basis for processing user data.
2. Acquire verifiable consent: while US legislations usually allow the collection and processing of personal data without the user’s consent, the GDPR requires that you collect “freely given, specific, informed and explicit” consent through a clear “opt-in” action.
3. Keep clear records related to the consent: the GDPR also gives users a specific right to withdraw consent and, therefore, it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you document and keep clear records related to the consent.
4. Appoint a Data Protection Officer (DPO): if you’re based outside the EU, you may still need a European representative to ensure your company is complying with the GDPR. However, the appointment of a DPO is not always mandatory, and you should meet specific requirements (you can read them here).
5. Carry out a Data Protection Impact Assessment (DPIA): where certain conditions are met, and in cases where the data processing activity is likely to result in a high risk to users, the GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out.

How iubenda can help with GDPR compliance

At iubenda, we take a comprehensive approach to data law compliance. We build solutions with the strictest regulations in mind, giving you full options to customize as needed. This way, we’ll assist you with meeting your legal obligations, reduce your risk of litigation and protect your customers —building trust and credibility.

You can take a look at our set of solutions for GDPR compliance here.

About us

GDPR compliance for your site, app and organization

www.iubenda.com