GDPR in the US: What You Need To Know

The EU’s General Data Protection Regulation (GDPR) has far-reaching effects for many countries outside the European Union. And with companies like Google, Amazon, Meta, and Twitter being fined for violating GDPR, it raises the question: does the GDPR even apply to the US? If it does apply, how is it enforced, and how can US businesses comply with the European privacy law? We will be answering these questions and more in this article.

Does GDPR Apply to the US?

Yes, GDPR can apply to US-based businesses or any other business outside of the EU. A business outside the EU could be subject to GDPR for two possible reasons. The first is if it has an establishment in the EU. An establishment could be a branch, an agent, or an employee. The other reason is if the company offers its goods or services to EU residents. It does not matter whether any payment is involved. If a business monitors user behaviour or tracks users through cookies, it falls under the scope of GDPR.

For example, if a New York-based clothing store ships its products to European customers, its websites and apps must comply with GDPR. Similarly, if a freelance web developer based in California offers their services worldwide, including to clients in the EU, their portfolio site would have to follow the GDPR as well.

How is GDPR enforced in the US?

Each European Union member state has a Supervisory Authority (SA) that is responsible for monitoring and enforcing GDPR in that state. It is also known as the Data Protection Authority (DPA). The Commission Nationale de l’informatique et des Libertés (CNIL) is the French DPA, the Data Protection Commission (DPC) is the authority in Ireland, and in Germany, the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) enforces the GDPR.

So, if a US-based company has a branch in Ireland, the DPC will monitor that company and ensure it complies with the GDPR. Moreover, the DPC will also receive and process any complaints of data privacy violations about that company. Similarly, if another US-based company serves customers in France, CNIL will receive all complaints regarding GDPR violations.

How Do US Companies Comply with GDPR?

GDPR compliance requirements are essentially the same for all companies, including businesses from non-EU countries. You can read our article on cookie consent requirements to learn more about GDPR compliance requirements. However, to summarise the points, GDPR cookie compliance requires websites to obtain explicit consent from users before storing non-essential cookies. Websites must block cookies until consent is given and allow users to customise or withdraw their consent at any time. Regular consent renewal and easy access to cookie and privacy policies are also recommended by GDPR.

That said, there are some extra measures that non-EU businesses must take. Most US laws like CCPA and VCDPA don’t require businesses to obtain prior consent. However, under GDPR, a US organisation must obtain consent before storing cookies. This means the visitor must explicitly opt in.

US companies must appoint a Data Protection Officer to facilitate their GDPR compliance. Even if a company has no physical presence in the EU, it must appoint a GDPR representative in an EU member state where some of its users are located.

US companies must carefully assess their data transfer and storage practices. The GDPR enforces strict regulations for transferring personal data outside the EU, requiring that any third-party organisation receiving such data is legally obligated to meet GDPR standards.

How to Comply With Both GDPR and CCPA?

While data privacy laws like GDPR and CCPA have the same goal, they have some fundamental differences. GDPR requires an opt-in approach where non-essential cookies can’t be stored without explicit user consent. CCPA follows an opt-out mechanism where data can be collected until users explicitly ask to opt out, often via a “Do Not Sell My Data” option. So, to comply with both GDPR and CCPA, the best solution is to use a Consent Management Platform (CMP) with a geo-targeting cookie banner. You can check our list of Top 5 Best Consent Management Platforms in 2024 to find out more about CMPs. We recommend CookieYes, CookieFirst, and Cookiebot for your compliance needs.
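The consent rules described above (block non-essential cookies until opt-in under GDPR, allow until opt-out under CCPA, let the visitor customise or withdraw at any time) as an added example, not code from this article or from any of the CMPs it names. The region codes, cookie categories and the in-memory cookie jar standing in for `document.cookie` are assumptions made for the demo.

```javascript
// Added example: a minimal consent gate with a geo-targeted default.
// Region codes, category names and the cookie jar are assumptions for this demo.
const OPT_IN_REGIONS = new Set(["EU", "EEA"]); // GDPR: nothing non-essential before consent
const OPT_OUT_REGIONS = new Set(["US-CA"]);    // CCPA: allowed until the visitor opts out
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories gated by consent

function defaultConsent(region) {
  // Fail closed: only known opt-out regions start with consent granted;
  // EU/EEA and any unknown region start with every category denied.
  const allowed = OPT_OUT_REGIONS.has(region) && !OPT_IN_REGIONS.has(region);
  return Object.fromEntries(CATEGORIES.map((c) => [c, allowed]));
}

class ConsentGate {
  constructor(region, jar = {}) {
    this.region = region;
    this.consent = defaultConsent(region);
    this.jar = jar; // stand-in for document.cookie: { name: { value, category } }
  }

  // Returns true if the cookie was stored, false if consent blocked it.
  setCookie(name, value, category = "essential") {
    if (category !== "essential" && !this.consent[category]) return false;
    this.jar[name] = { value, category };
    return true;
  }

  // Customise consent per category; revoking a category also purges the
  // cookies already stored under it, so withdrawal takes effect immediately.
  update(choices) {
    for (const c of CATEGORIES) {
      if (!(c in choices)) continue;
      this.consent[c] = Boolean(choices[c]);
      if (!this.consent[c]) {
        for (const [n, meta] of Object.entries(this.jar)) {
          if (meta.category === c) delete this.jar[n];
        }
      }
    }
    return { ...this.consent };
  }

  withdrawAll() {
    return this.update(Object.fromEntries(CATEGORIES.map((c) => [c, false])));
  }

  // Which banner variant the geo-targeted CMP should show for this visitor.
  bannerMode() {
    return OPT_OUT_REGIONS.has(this.region) ? "do-not-sell" : "opt-in";
  }
}
```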

Wrapping Up

Complying with international data privacy laws is no longer optional for many businesses worldwide. If you have a website that caters to visitors in the EU, you must adhere to GDPR, no matter where your business is located. And with big US-based companies being fined all the time, it is time to take GDPR seriously.