
GDPR Compliance in the U.S.: What to Know

Written by Matt Davis, CIPM (IAPP) | May 23, 2023

In 1992, Singapore banned the sale of all chewing gum. But if you owned a corner store in the U.S. and a Singaporean tourist came to visit your business, there would be nothing to stop you from selling them a pack of gum—in the U.S. selling gum is perfectly legal. You’d think the same dynamics would apply when it comes to processing personal data.

Well, not exactly.  

The EU’s General Data Protection Regulation (GDPR), which protects EU residents’ data privacy rights, has an extraterritorial reach. That means even U.S. businesses need to comply with it under certain circumstances. 

Because you can collect and process an individual’s data from anywhere in the world, data privacy laws like the GDPR need to apply extraterritorially. Organizations based in the U.S. that process EU citizens’ data aren’t off the hook for GDPR compliance by a long shot. The GDPR applies to any controller or processor that offers goods or services to or monitors the behavior of EU data subjects, even if the data is stored elsewhere. If it's the data of an EU resident, then it's covered by the GDPR. 

In this blog, we’ll explore GDPR compliance in the U.S., who is protected by GDPR, and what GDPR compliance means for US companies. 

A Brief Introduction to GDPR 

The General Data Protection Regulation was the first of its kind and remains the most substantial and strictest data privacy law in the world.  

The GDPR protects EU residents' personal data and grants them certain rights, including the rights to:  

  • Be informed about data collection and processing. 
  • Access their personal data. 
  • Correct and update their data. 
  • Request the erasure of their data. 
  • Restrict the processing of their data. 
  • Object to how their information is used. 
  • Opt out of certain automated practices.   

There are seven GDPR principles that cover protection and accountability. These principles state that businesses must: 

  1. Process personal data lawfully, fairly, and in a transparent manner. 
  2. Collect personal data only for specified, explicit, and legitimate purposes. 
  3. Minimize data collection to that which is adequate, relevant, and limited to what is necessary to achieve the purpose behind the processing. 
  4. Keep accurate and up-to-date information, and take every reasonable step to ensure inaccurate data is erased or rectified without delay. 
  5. Store data in a form that permits identification of data subjects no longer than necessary (except for public interest, scientific or historical research purposes, or statistical purposes). 
  6. Process personal data in a manner that ensures its security, integrity, and privacy, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage. 
  7. Be able to demonstrate and be accountable for GDPR compliance. 

We dive more into the nuts and bolts of the GDPR, its background, and how to comply with the law in our GDPR guide. 

Does the GDPR Apply to U.S. Data Subjects? 

The GDPR defines a data subject as a natural person who can be identified or identifiable by their personal data. So, does the GDPR apply to U.S. data subjects? In some circumstances, yes.  

The GDPR applies to all EU residents and EU-established businesses. So, a U.S. citizen residing in the EU would still be protected by the GDPR. Similarly, a U.S. citizen residing in the U.S. who accesses the services of a primarily EU-based business would be protected by the GDPR. 

By the same token, an EU citizen visiting the U.S. and patronizing a primarily U.S.-based business is not protected by the GDPR. The exception is if that EU citizen accesses the services of a primarily EU-based business; in that case, any personal data collected or processed in the transaction would be covered by the GDPR. 

This can be a little unintuitive, but the important thing to remember is the geographic region involved. If the data subject is in the EU, the GDPR applies (regardless of EU citizenship). If the organization processes personal data in the EU, then the GDPR applies. So, a purely U.S.-based business serving only customers in the U.S.—regardless of whether they’re an EU or U.S. citizen—does not need to comply with the GDPR.  

Furthermore, if you are targeting U.S. customers only and have incidental business coming from the EU, that probably isn't going to require GDPR compliance. That's why it's crucial to know who your data subjects are and where your data is flowing.

When it comes to U.S. businesses, the specific part of the GDPR that matters is Article 3(2), which reads: 

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or 
  • the monitoring of their behavior as far as their behavior takes place within the Union. 

Given the nuance and complexity, if you suspect you are subject to the GDPR, it’s best to assume you are subject to the GDPR. 

As of this writing, there is no federal law like the GDPR that covers U.S. citizens. However, there are a number of state data protection laws that apply to U.S. citizens. Several states have implemented such laws, including California (the California Privacy Rights Act, CPRA); Virginia (the Consumer Data Protection Act, CDPA); Colorado (the Colorado Privacy Act, CPA); Utah (the Utah Consumer Privacy Act, UCPA); and more. Several other states are considering or have proposed legislation. 

What does that mean for U.S. businesses? For those who process the personal data of EU residents, it means they’ll need to comply with the GDPR. Those that do not may not have to comply with a data privacy law, but given the accelerating rate at which states are adopting data privacy laws, that’s only a temporary circumstance. Compliance with the GDPR doesn’t necessarily translate into compliance with every data privacy law, but it will make compliance easier down the road. 

GDPR Requirements for U.S. Companies 

Below, we’ll walk through some of the basic concepts you’ll need to be familiar with in order to begin becoming compliant with the GDPR, like what personal data is, what a controller or processor is, and more. This is by no means exhaustive; a full breakdown of GDPR requirements can be accessed in our GDPR guide. But it should serve as a good primer for U.S. businesses unfamiliar with their GDPR obligations.  

Afterward, we’ll walk through a brief GDPR compliance checklist for U.S. companies to guide your initial steps toward compliance.  

What Exactly Is Personal Data? 

Public or private U.S. companies that collect or process the personal data of EU residents are subject to the GDPR. So, what exactly is covered by the term “personal data”? 

Personal data includes “any information relating to an identified or identifiable natural person (‘data subject’).” According to the regulation, an identifiable natural person “is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” 

Controllers versus Processors  

The GDPR defines two different entities that manage personal data and lays out specific requirements for each. They are controllers (i.e., the organization that determines the purposes and means of processing data) and processors (i.e., the organization or organizations that process data on behalf of the controller). Both can be held liable for violations. 

Conceivably, a U.S. company could serve as either a processor or controller under the GDPR—as stated previously, the only important factor is whether or not the company controls or processes the data of data subjects who reside within the EU. In determining your responsibilities under the GDPR, identifying whether you serve as a controller or a processor is essential. 

Records of Processing Activities 

Both controllers and processors must keep records of processing activities. Controller records must include:  

  • The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer. 
  • The purposes of the processing. 
  • A description of the categories of data subjects and of the categories of personal data. 
  • The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations. 
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49, the documentation of suitable safeguards. 
  • Where possible, the envisaged time limits for erasure of the different categories of data. 
  • Where possible, a general description of the technical and organizational security measures referred to in Article 32. 

Processor records must include many of the same details above, including name and contact details, categories, transfers of data, and where possible, a general description of the technical and organizational security measures that the processor has employed to protect personal data. 

Maintaining a Physical Presence 

If you have to comply with the GDPR (and specifically if Article 3(2) applies to your organization), then GDPR Article 27 requires you to maintain a physical presence in the EU. This is so EU data protection authorities can access a liaison for any compliance concerns.  

Clearly, this can be a challenge for companies that are just discovering the need for GDPR compliance. Fortunately, Osano maintains a Dublin-based GDPR representative that our customers can use to meet this requirement. 

GDPR Personal Data Processing Legal Basis 

Before an organization subject to the GDPR (including U.S. companies) can process EU residents’ personal data, there must be a legal basis for that processing to occur. There are a handful of legal bases under which companies may process personal data, which are outlined in Article 6 of the GDPR. These include when: 

  • The data subject has provided consent to process the data (and it must be freely given, specific, informed, and unambiguous). 
  • Processing is necessary to enter into a contract to which the data subject is a party. 
  • A business must comply with a legal obligation (such as a court order). 
  • Processing is necessary to protect the vital interests of a data subject or natural person. 
  • Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller. 
  • The company has a legitimate interest, except when those interests are overridden by the fundamental rights and freedoms of the data subject.  

Exceptions to the GDPR for U.S. Businesses 

It’s important to note that the GDPR does not apply to U.S. businesses that have occasional instances of doing business in the EU. However, if you regularly do business there, serve ads to EU citizens, or track cookies or IP addresses in the EU, then your business should strive to be compliant. 

Additionally, companies with fewer than 250 employees are exempt from some GDPR regulations, such as keeping a record of processing activities “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional,” or if the processing includes special categories of data. 

Does the GDPR Apply to U.S. Government Agencies? 

As is the case for businesses, if a government agency processes the data of EU citizens regularly, then the GDPR applies. Examples could include a tourism site advertising in the Union, providing the option to book a service or buy goods in an EU member state’s currency or language, or collecting email addresses of EU citizens for commercial use.  

Naturally, the question of GDPR compliance is far trickier when it comes to U.S. law enforcement and intelligence. Whether or not GDPR compliance is a concern for such entities, however, is outside the scope of this article. 

What Are the GDPR Penalties for U.S. Companies? 

Fines for GDPR noncompliance are serious. Companies that violate the law can be fined 4% of annual global revenue, or 20 million euros, whichever is greater.  

Fines and penalties are not just a threat, either. From January 2022 to January 2023, more than $1.7 billion in fines were issued, according to a report by DLA Piper. 

Recently, the EU’s Data Protection Commission fined Meta (Facebook and Instagram’s parent company) more than $410 million for its behavioral advertising practices in Europe. Other significant fines include:  

  • Amazon: $888 million. 
  • WhatsApp: $267 million. 
  • Google: $90 million. 
  • H&M: $41.5 million. 
  • British Airways: $24 million. 
  • Marriott International: $22 million. 

These are major companies and major fines, and that’s why they make headlines. Plenty of smaller businesses receive fines that are potentially existential or crippling—they just don’t get as much news coverage as the Amazons and Metas of the world. 

A GDPR Compliance Checklist for U.S. Companies 

If your company regularly collects personal data from EU citizens or residents for commercial reasons, it must be compliant with the GDPR. Even if it doesn’t regularly process such data, it’s a good idea to review your data privacy practices. 

There are a few basic steps a U.S. company should complete to comply with GDPR:  

  • Ensure you understand your company’s data sources and what is stored across your entire digital footprint as well as who has access to the data.  
  • Create policies and procedures that ensure personal data is handled appropriately based on what is collected and how it is used.  
  • Make sure you inform your customers why their data is being processed and obtain consent.  
  • Implement data protection agreements with your vendors to ensure they’re applying the appropriate level of protection over your consumers’ data.  
  • Determine if your company needs a data protection officer (DPO) and designate one, if needed. 
  • Review data breach protocols. The GDPR outlines responsibilities in the event of a data breach. Not complying with the data breach protocols could increase fines and penalties.  
  • Consider implementing solutions that will help you become and stay compliant, such as consent management, data subject rights request management, a vendor risk tool, privacy law monitoring, and similar compliance solutions.   

Osano Can Serve as Your GDPR Compliance Partner 

GDPR may have started as an EU initiative, but there’s no doubt that it has had worldwide implications. Many U.S. business owners have been left feeling confused about the law’s requirements, whether the law applies to their company, and what effective GDPR compliance looks like for U.S. companies.  

You don’t have to try to navigate the law’s complexities on your own. Osano provides a number of free resources to help you get up to speed on compliance.  

When you’re ready to take the next steps in your compliance journey, we offer a range of solutions that help U.S. companies meet GDPR requirements—such as serving as your required EU representative, securing data subject consent, responding to data subject rights requests, and more. Schedule your demo today.