Since its enforcement in 2018, one of the most frequently asked questions about the GDPR has been: does it apply outside the European Union? And, more specifically: does it apply to US companies? If so, what are the GDPR requirements for a US company?
In this post, we give you the background needed to answer these questions and to understand how the GDPR applies in the US. We also provide an actionable checklist for US companies, with the detailed steps they may need to take in order to comply (and avoid fines!). Let's get started!
Yes, the GDPR is enforceable against companies in the US, or in any other country. It is not a US law and has no jurisdiction in the United States as such, but its provisions have an extraterritorial scope, meaning that GDPR requirements can apply to organizations outside the European Union.
The regulation is meant to protect European individuals and their data. As a result, the GDPR also extends to foreign companies that, though they may be based outside the EU, engage in specific activities involving European residents. These activities are regulated by the GDPR.
Specifically, for the GDPR to apply, at least one of the following conditions must be met:
For a US-based company without an EU establishment, this leaves cases 2 and/or 3. In short, if you are a US-based company collecting, processing or storing data about individuals in the EU, you are expected to comply with the GDPR.
Here’s a practical example, taken from the European Data Protection Board guidelines:
A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome. The US start-up is specifically targeting individuals in the Union (namely in Paris and Rome) through offering its services to them when they are in the Union. The processing of the EU-based data subjects' personal data together with the offering of the service falls within the scope of the GDPR. Furthermore, by processing data subjects' location data in order to offer targeted advertisement, the processing activities also relate to the monitoring of behaviour of individuals in the Union. The US start-up's processing therefore also falls within the scope of the GDPR.
Against US companies, the GDPR is enforced by Data Protection Authorities (DPAs), the independent public authorities established in each EU member state. It is not enforced by any US agency or authority, because it is a European Union regulation, even though its reach extends to US-based companies that handle the personal data of EU residents.
DPAs supervise the application of data protection laws such as the GDPR within their respective territories. They also conduct investigations, issue hefty fines and sanctions, and provide guidance on best practices for complying with the GDPR and the relevant national laws. There is one in each EU Member State: in France, for instance, it is the "CNIL", and in Italy the "Garante".
If a US-based company is in violation of GDPR, the lead on enforcement action is generally taken by the DPA of the EU member state where the violation occurred, or where the affected EU residents reside.
If the US company has headquarters within an EU Member State, the DPA of that state becomes the lead regulator for that business. That DPA is responsible for coordinating any enforcement action with its counterparts in other EU states where violations may have occurred.
The main difference is that the GDPR is a regulation adopted by the European Union, so it is not a law in the United States. However, because its objective is to protect the personal data of EU residents, any US-based business that handles the personal data of EU individuals (for example, its customers) has to follow the GDPR's legal requirements.
As a result, GDPR compliance is not mandatory in the United States by default. It applies only when certain conditions are met: namely, when a company offers goods or services (even free ones) to EU-based users, or monitors their behaviour.
It is crucial to remember that the GDPR, although a regulation originating in Europe, has global influence. It affects many US companies operating in today's digitally interconnected market.
No, the US does not have a single federal law equivalent to the GDPR. However, some states have privacy laws, such as the California Privacy Rights Act (CPRA, which amends the CCPA), that usually apply only to residents of that particular state.
The country also has sector-specific laws governing particular types of data and industries, such as HIPAA, which regulates healthcare data, and the Gramm-Leach-Bliley Act for financial data, enforced by the Federal Trade Commission (FTC).
In recent years, a number of US states have adopted new privacy laws, such as Virginia (VCDPA), Colorado (CPA), Utah (UCPA) and Connecticut (CTDPA), in a common effort to put a framework for data privacy in place:
The CPRA (California) and the VCDPA (Virginia) became effective on January 1, 2023.
The CPA (Colorado) and CTDPA (Connecticut) on July 1, 2023.
The UCPA (Utah) on December 31, 2023.
Among other things, these US laws require that you:
Overall, US companies are strongly advised to assess their data processing activities and consult legal experts to determine whether GDPR compliance is required in their specific situation.
As shown above, it is a mistake to think that, because the GDPR is a European regulation, it does not affect US businesses at all.
Penalties for non-compliance with the GDPR can be significant for US companies. They can be monetary or non-monetary:
With iubenda, simply select which region you are based in, then where your users are based, and our solution does the rest! It suggests a configuration that will allow you to comply with all applicable regulations.
As a US-based business, here are the main GDPR requirements you must follow.
Before you collect or process any personal data, the GDPR requires that you have at least one lawful basis for doing so. The lawful bases are:
💡 You must identify and document the lawful basis for each specific data processing activity you undertake.
While US legislation typically allows personal data to be collected and processed without obtaining the user's consent, the GDPR requires that consent be "freely given, specific, informed and unambiguous" and given through a clear "opt-in", that is, a positive action.
This means that before collecting any of an individual's personal data on your site, whether via cookies or via a form, for example, you must ask for their consent. The mechanism must be unambiguous: "opt-out" mechanisms such as pre-ticked boxes are not valid consent.
You must also grant users the right to withdraw consent, and it must be as easy to withdraw consent as it is to give it. To learn more about the rights of European residents under the GDPR, read this guide.
💡 Your consent forms must be straightforward, easy to understand and conspicuous. Individuals should actively opt in.
Consent is central to the GDPR. The regulation requires careful record-keeping of what information was disclosed to the individual, how the consent was obtained (e.g. via a website form), and when it was obtained.
Companies need to maintain clear consent records that can prove that individuals gave informed consent. This adds an administrative layer, but it is essential for compliance.
💡 As you can imagine, this is not an easy task! That’s why we recommend using a Consent Management Platform.
The GDPR allows transfers of EU residents' personal data outside the European Economic Area (EEA) only when certain conditions are met.
Under the GDPR, the country or region the data is transferred to must provide an "adequate" level of personal data protection by EU standards; where it is not considered adequate, transfers may still be allowed under standard contractual clauses (SCCs) or binding corporate rules (BCRs).
The adequacy decision on the EU-US Data Privacy Framework was adopted on July 10, 2023, recognizing the United States as providing a level of protection adequate by EU standards. Consequently, personal data can now flow freely from the EU to self-certified US companies without the need for additional safeguards.
EU-US data transfers are allowed for US organizations that have self-certified. To do so, you need to meet the privacy principles set out in the Data Privacy Framework; only then will your company be added to the DPF list.
If you are based outside the EU, you may still need a European representative to ensure that your company complies with the GDPR. This person is called a Data Protection Officer (DPO) and is in charge of ensuring that personal data is processed in line with the applicable data protection rules.
However, appointing a DPO is not always mandatory; it depends on the scale and nature of your data processing activities.
For processing activities that are likely to result in a high risk to individuals, the GDPR requires a Data Protection Impact Assessment (DPIA). A DPIA evaluates how personal data is processed and how the risks to data subjects can be mitigated.
It involves identifying the nature, scope, context and purpose of the processing, assessing the risks to individuals, and identifying measures to mitigate those risks.
Here’s a practical checklist to help you navigate GDPR compliance as a US-based business.