Does GDPR Compliance Apply to US Companies?

Transatlantic trade is vital for the global economy, but the developing framework of international data privacy legislation is having a real impact on how companies can operate on both sides of the pond.

This article provides information for US companies that want to adapt their policies and procedures to respect GDPR’s strict data privacy laws, and illustrates why this process is so important. 

It also looks at the territorial scope of GDPR, discusses which US companies are implicated, and outlines how they can meet GDPR requirements.

Let’s jump right in.

Why does GDPR Affect US Companies?

GDPR is the European Union’s data privacy act that protects the personal data of EU residents from being misused commercially. 

So, if it’s an EU law, why should US companies care?

In short, because the law has “extraterritorial” scope, meaning that it affects companies all around the world.
 
Crucially, the US does not have a data privacy agreement with the EU, which would prevent its companies from having to address GDPR compliance directly. 
 
The US-EU Privacy Shield was struck down by the European Commission, after the Schrems II ruling determined that US privacy laws did not adequately protect the personal data of EU citizens from governmental intrusion. 
 
However, compliance with GDPR is no bad thing - not least because it can build trust with customers, who are increasingly concerned by what happens to their personal information online.
 
New data privacy laws modeled on GDPR are being introduced all around the world, and compliance with the European framework basically means compliance with all of them – enabling your company to operate internationally without falling foul of the data privacy police.
 
In the US itself, the California Consumer Privacy Act (CCPA) is widely known as “America’s GDPR”, and its replacement – the California Privacy Rights Act (CPRA) – will bring data privacy laws in the federation’s most populous state even closer to the EU standard.
 
And, with more than 30 other states in the process of drafting bills, data privacy compliance will soon become the new normal for US companies.   

When does GDPR Affect US Companies?

According to Article 3, GDPR affects any US business that meets one or more of the following:
 

• They are based or have an office in the EU
• They are not based in the EU, but have EU-based users
• They are not based in the EU, but monitor the behavior of EU-based users

In practice, what this means is that it affects any US business – even if they do not operate within the EU – that holds the personal data of even one person that lives in Europe.
 
What’s more, it affects every type of company – public and private alike.
 
It’s also important to remember that the definition of personal data under GDPR is broader than under many of the data compliance laws in the US, which generally only protect data that can be used to commit fraud.
 
Under GDPR, personal data is anything that can be used to identify someone – we’ve written about this subject before, and understanding what information is and isn’t covered is a great starting point for meeting the law’s requirements.

What are the Consequences for Non-Compliance?

GDPR has a bite as well as a bark, and companies deemed to have misused EU personal data can be fined up to €20 million, or 4% of their annual global revenue from the last year – whichever is higher.
 
US companies have not been spared and stories about the huge fines handed out to them make for regular news. Indeed, most of the largest fines handed out so far have been to US tech giants like Amazon, Meta (Facebook), and Alphabet (Google).
 
And beyond financial penalties, sanctioned companies will also worry about regular data protection audits in the future and even the risk of being blocked from collecting any EU personal data in the future – with huge implications on a company’s revenue and reputation. 

How can US Companies Comply with Data Privacy Laws?

US companies need to meet a wide range of standards regarding how they handle EU personal data. These include:
 

• Establish your legal basis for processing personal data
• If consent is your legal basis, ensure this is “freely given, specific, informed, and explicit” opt-in consent
• Ensure that users can withdraw consent easily at any time
• Document everything to be ready for a data audit
• Fully disclose what data is collected, how it is stored, and what will happen to it – the best place for this is your company’s privacy notice
• Establish processes so that users can easily update or delete any personal data being held, and transfer it to other organizations on request
• Consider whether your company needs to appoint a data protection officer
• If transferring personal data outside the EU, sign Standard Contractual Clauses that set rules on the protection of data in line with GDPR requirements

What Else Can US Companies Do?

Obviously, full GDPR compliance goes much deeper than the points mentioned above.
 
For, while it has been great for EU citizens and their sensitive personal information, meeting GDPR requirements has been a nightmare for companies – with most of the work falling onto the lap of marketers.
 
If you’re looking for more detailed information about compliance, why not look at our in-depth GDPR hub – where you can find everything you need to know.
 
Alternatively, we’ve created a GDPR compliance checklist that provides information on all the practical steps a company needs to follow to ensure they stick to the letter of the law.