GDPR in the US: a GDPR Checklist for US Companies

Since its enforcement in 2018, one of the most asked questions about the GDPR has been: does it apply outside the European Union? And, more specifically: does it apply to US companies? If so, what are the requirements for GDPR compliance in the US?

In this post, we’ll give you all the background information needed to answer the questions above and get a clear understanding of how the GDPR applies to the US. We also provide an actionable checklist for US companies, including detailed steps they may need to take in order to comply (and avoid fines!). Let’s get started!

Is the GDPR Enforceable in the US?

Yes, the GDPR is enforceable in the US, as in any other country in the world. It has no jurisdiction in the United States as such, but its provisions have an extraterritorial scope, meaning that GDPR requirements can apply outside the European Union.

The regulation is meant to protect European individuals and their data. As a result, the GDPR also extends to foreign companies that, though they may be based outside the EU, engage in specific activities involving European residents. These activities are regulated by the GDPR.

Specifically, for the GDPR to apply, at least one of the following requirements should be met:

  • Your business is based in the EU (please note that this applies even in the case of an EU-branch office); or
  • You’re not based in the EU, but you offer goods or services (even for free) to EU-based users; or
  • You’re not based in the EU, but you monitor the behavior of EU-based users.

As a US-based company, this leaves cases 2 and/or 3. In short, if you’re a US-based company, and you’re collecting, processing or storing data from individuals in the EU, you’re expected to comply with the GDPR.

Here’s a practical example, taken from the European Data Protection Board guidelines:

A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app, in order to offer targeted advertisement for places to visit, restaurants, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, Paris and Rome. The US start-up is specifically targeting individuals in the Union (namely in Paris and Rome) through offering its services to them when they are in the Union. The processing of the EU-based data subjects’ personal data together with the offering of the service falls within the scope of the GDPR. Furthermore, by processing data subjects’ location data in order to offer targeted advertisement, the processing activities also relate to the monitoring of behavior of individuals in the Union. The US start-up processing therefore also falls within the scope of the GDPR.

Who enforces GDPR in the US?

The GDPR in the US is typically enforced by Data Protection Authorities (or DPAs), which are independent public authorities established in each EU member state. It is not enforced by any US agency or authority because it is a European Union regulation, even though its reach extends to US-based companies that handle the personal data of EU residents.

DPAs supervise the application of data protection laws like the GDPR within their respective territories. They also conduct investigations, issue hefty fines and sanctions, and provide guidance on best practices for complying with the GDPR and relevant national laws. There is one in each EU Member State: in France, for instance, it is called the “CNIL”, and in Italy the “Garante”.

If a US-based company is in violation of GDPR, the lead on enforcement action is generally taken by the DPA of the EU member state where the violation occurred, or where the affected EU residents reside.

If the US company has headquarters within an EU Member State, the DPA of that state becomes the primary or lead regulator for that business. This DPA is responsible for coordinating any enforcement actions with its counterparts in other EU states where violations may have occurred.

How is GDPR different in the US?

The main difference with the GDPR in the US is that it is a regulation enacted by the European Union and, as such, is not a law in the United States. However, since its objective is to protect the personal data of EU residents, any US-based business that handles the personal data of EU individuals (e.g. clients) has to follow the GDPR’s legal requirements.

As a result, GDPR compliance is not mandatory in the United States by default. It applies only when certain conditions are met, namely when a company offers goods or services (even for free) to EU-based users, or monitors their behavior.

It’s crucial to remember that the GDPR, although a regulation originating in Europe, has a global influence. It may be affecting many US companies operating in today’s digitally interconnected market.

Does the US have a GDPR?

No, the US does not have a single federal law that is equivalent to the GDPR. However, some states have privacy laws, such as the California Privacy Rights Act (CPRA, which amends the CCPA), that usually apply only to residents of that particular state.

None of the US state privacy laws are as comprehensive as the GDPR yet, but they protect consumers, grant them rights and introduce legal requirements, some quite similar to the GDPR’s, for companies that process the personal data of that state’s residents. For example, businesses are required to include specific disclosures in a privacy policy or display a notice to inform consumers of data collection practices.

The country also has some sector-specific laws governing different types of data and industries, like HIPAA that regulates healthcare data or the Gramm-Leach-Bliley Act for financial data, enforced by the Federal Trade Commission (FTC).

In recent years, a number of US states have implemented new privacy laws, such as Virginia (VCDPA), Colorado (CPA), Utah (UCPA) and Connecticut (CTDPA), in a common effort to have a framework in place for data privacy.

🇺🇸 More on US State Privacy Laws

The CPRA (California) and the VCDPA (Virginia) became effective on January 1, 2023.
The CPA (Colorado) and CTDPA (Connecticut) on July 1, 2023.
The UCPA (Utah) on December 31, 2023.

These US laws require, among others, that you:

  1. Provide your users with a privacy policy including specific details. For example, you now need to disclose some additional information, such as users’ new rights, and describe your data processing practices.
  2. Enable your users to opt out of the processing for certain purposes (sale, targeted advertising and sharing, among others).
  3. VCDPA, CTDPA, and CPA only: Enable your users to opt in to the processing of their sensitive data, for example, geolocation data.
  4. CPRA only: Show users the required notice at collection to inform them about the categories of personal information that are collected, the purposes of collection, and whether this information is sold or shared.


How can the GDPR affect US companies?

Overall, US companies are strongly recommended to assess their data processing activities and consult legal experts to determine whether compliance with the GDPR is required in their specific situation.

As we’ve demonstrated above, it’s a mistake to think that, since the GDPR is a European regulation, it doesn’t affect US businesses at all.

Penalties for non-compliance with the GDPR in the US can be significant. They can be monetary or non-monetary:

  • Fines can go up to EUR 20 million (€20m) or 4% of the annual worldwide turnover (whichever is greater).
  • But perhaps equally concerning are the other potential sanctions: official reprimands (for first-time violations), periodic data protection audits and liability damages.
👋 Did you know you can comply with both US Privacy Laws and the GDPR at the same time?

With iubenda, simply select which region you are based in, then where your users are based, and our solution does the rest! It suggests a configuration that will allow you to comply with all applicable regulations.

👉 Scan your site now and try it for free

GDPR in the US: Main Requirements

If you’re a US-based business, here are the main GDPR requirements you must follow.

Have a lawful basis

Before you can collect or process any personal data, the GDPR mandates that you have at least one lawful basis for doing so. These lawful bases are:

  • The user has given consent for one or more specific purposes (often the safest bet and the legal basis that many businesses choose);
  • The data processing is necessary for the performance of a contract or in order to take steps prior to entering the contract;
  • Other legal bases: the processing is necessary to fulfill a legal obligation, to protect the vital interests of a person, to perform a task carried out in the public interest, or for the legitimate interests of the data controller or a third party.

💡 You must identify and document the lawful basis for each specific data processing activity you undertake.

Acquire verifiable consent

While US legislation typically allows the collection and processing of personal data without obtaining the user’s consent, the GDPR requires that you collect “freely given, specific, informed and explicit” consent through a clear “opt-in”, i.e. a positive action.

This essentially means that before collecting any of the individual’s personal data on your site, via cookies or via a form for example, you must ask for their consent. This mechanism must be unambiguous; “opt-out” mechanisms like pre-ticked boxes are forbidden.

You should also grant users the right to withdraw consent. It must be as easy to withdraw consent as it is to give it. To learn more about the rights of European residents under the GDPR, read this guide.

💡 Your consent forms must be straightforward, easy to understand and conspicuous. Individuals should actively opt in.

Keep clear records related to the consent

Consent, under the GDPR, is paramount. The regulation requires meticulous record-keeping related to what information was disclosed, how the consent was obtained (e.g. via a website form), and when it was obtained.

Companies need to maintain clear consent records that can prove that individuals provided informed consent. This adds a complex administrative layer but is essential for compliance.

💡 As you can imagine, this is not an easy task! That’s why we recommend using a Consent Management Platform.
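To make the record-keeping requirement concrete, here is an added example (not code from iubenda or from this page) of a minimal append-only consent ledger. It stores, for each consent, what notice was shown (`notice_version`), how it was obtained (`source`), when, and the exact preferences expressed; it refuses to log anything that was not a clear affirmative action (a pre-ticked box is not consent); withdrawal is a single call that closes the record without deleting it, so consent can still be proven for any past instant. All names, field layouts and sample values are assumptions constructed for the example.

```python
"""Constructed example: append-only consent ledger for GDPR record-keeping."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    subject_id: str                 # pseudonymous user identifier
    purpose: str                    # e.g. "newsletter", "analytics_cookies"
    granted_at: datetime            # when consent was given (UTC)
    source: str                     # how it was obtained, e.g. "signup-form-v3"
    notice_version: str             # identifier of the privacy notice shown
    preferences: dict               # the exact choices expressed in the form
    withdrawn_at: Optional[datetime] = None   # set on withdrawal, never deleted


class ConsentLedger:
    """Records are appended and closed, never rewritten or removed."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, source: str,
                       notice_version: str, preferences: dict,
                       affirmative_action: bool,
                       at: Optional[datetime] = None) -> ConsentRecord:
        # Silence or a pre-ticked box is not an opt-in: refuse to log it as consent.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action (opt-in)")
        rec = ConsentRecord(subject_id, purpose, at or datetime.now(timezone.utc),
                            source, notice_version, dict(preferences))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> int:
        """One call closes every open consent for that purpose; returns how many."""
        when = at or datetime.now(timezone.utc)
        closed = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = when
                closed += 1
        return closed

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True if valid consent existed at the given instant (default: now)."""
        when = at or datetime.now(timezone.utc)
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.granted_at <= when
            and (rec.withdrawn_at is None or rec.withdrawn_at > when)
            for rec in self._records
        )

    def proof(self, subject_id: str) -> list[dict]:
        """Evidence for a DPA or an access request: all records, withdrawn ones included."""
        return [dict(vars(r)) for r in self._records if r.subject_id == subject_id]


def demo() -> dict:
    """Walk through grant, rejected pre-ticked consent, withdrawal and historical checks."""
    ledger = ConsentLedger()
    t_grant = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)       # constructed
    ledger.record_consent("user-42", "newsletter", "signup-form-v3",
                          "privacy-notice-2024-02",
                          {"newsletter": True, "partner_offers": False},
                          affirmative_action=True, at=t_grant)
    rejected = False
    try:  # a banner that was merely dismissed must not produce a consent record
        ledger.record_consent("user-42", "analytics_cookies", "cookie-banner",
                              "privacy-notice-2024-02", {"analytics": True},
                              affirmative_action=False, at=t_grant)
    except ValueError:
        rejected = True
    t_withdraw = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)     # constructed
    closed = ledger.withdraw("user-42", "newsletter", at=t_withdraw)
    return {
        "pre_ticked_rejected": rejected,
        "closed": closed,
        "consent_in_april": ledger.has_consent(
            "user-42", "newsletter", at=datetime(2024, 4, 1, tzinfo=timezone.utc)),
        "consent_in_july": ledger.has_consent(
            "user-42", "newsletter", at=datetime(2024, 7, 1, tzinfo=timezone.utc)),
        "records_kept": len(ledger.proof("user-42")),
    }


if __name__ == "__main__":
    print(demo())
```

The point-in-time check matters in practice: a marketing email sent in April must be justifiable by the consent that existed in April, even if the user withdrew it in June, which is why withdrawal closes a record rather than erasing it.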

Assess cross-border data transfers between the EU and the US

The GDPR allows transfers of EU residents’ data outside the European Economic Area (EEA) only when certain conditions are met.

Under GDPR requirements, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards; where it is not considered adequate, transfers may still be allowed using standard contractual clauses (SCCs) or binding corporate rules (BCRs).

An adequacy decision on the EU-US Data Privacy Framework was adopted on July 10, 2023, declaring that the United States provides a level of protection adequate to that of the European Union (EU). Consequently, personal data can now flow freely from the EU to US self-certified companies without the need for additional safeguards.

EU-US data transfers are allowed for US organizations that have been certified. To be certified, your company must commit to the privacy principles outlined in the Data Privacy Framework; only then will it be added to the DPF list.

👉 Here’s how to self-certify

Appoint a Data Protection Officer (DPO)

If you’re based outside the EU, you may still need a European representative to ensure your company is complying with the GDPR. This person is called a Data Protection Officer, or DPO, and is in charge of ensuring that personal data is processed following the applicable data protection rules.

However, the appointment of a DPO is not always mandatory; it depends on the scale and nature of the data processing activities.

💡 Are you selecting a DPO? Here’s what to look for.

Carry out a Data Protection Impact Assessment (DPIA)

For data processing activities that are likely to result in high risks to individuals, the GDPR requires a Data Protection Impact Assessment (DPIA) to be carried out. This is an assessment that evaluates how personal data is processed and how to mitigate risks to data subjects.

This involves identifying the nature, scope, context, and purpose of the data processing, assessing the risks to individuals, and identifying measures to mitigate those risks.


GDPR Compliance Checklist for US Companies

Here’s a practical checklist to help you navigate GDPR compliance as a US-based business.

  • Identify, assess and review your data collection and storage practices, and where they take place.
  • Establish a valid legal basis for processing personal data.
  • Have an up-to-date, easily accessible privacy and cookie policy on your website/app.
  • Make the following legally required disclosures in your privacy policy: the types of personal data collected, why, and, if applicable, the third parties with whom the data is shared; as well as individuals’ GDPR rights over their own data.
  • Use Europe-based data centers or adhere to the EU-US Data Privacy Framework for data transfers.
  • Collect user consent to the use of their data in an unambiguous way, via a clear affirmative action (opt-in).
  • Make it as easy to withdraw consent (opt-out) or object to specific activities as it is to give consent.
  • Obtain consent to your activities through contact/newsletter/registration forms in a transparent way, providing a link to your privacy policy.
  • Maintain clear records of consent, with details like timestamp, preferences expressed and the specific form used.
  • Implement straightforward procedures to fulfill individuals’ requests to exercise their rights, e.g. to access, correct, update or delete the data you hold on them.
  • [When your data activities are at large scale or pose a high risk] Appoint a DPO and carry out a DPIA.
  • Put in place, and be able to demonstrate, robust security measures (e.g. against data breaches), plus records of data activities and transfers.

⬇️ So, how can you get started right away and check most of the boxes above in just a few minutes?

How iubenda can help with GDPR in the US

Reading all this can be quite overwhelming. We get it. It’s technically and legally complex.
But, fear not, we know exactly what you need.

iubenda provides comprehensive attorney-level compliance software solutions that can help you comply with GDPR in the US.

🚀 Full GDPR compliance, but not only! Make your websites and apps compliant with the law across multiple countries and legislations.

🚀 Be safe and lower the risk of fines: we built our solutions with the strictest regulations in mind.

🚀 100% customizable: generate your own privacy policy and customized consent banner!

🇺🇸🇪🇺 Comply with US and European laws simultaneously

Global compliance is just one click away.
With iubenda’s Privacy Controls and Cookie Solution, generate a customizable location-based consent banner.
The right consent parameters, text, privacy policy link and language will apply to the right users automatically. Yes, it’s that easy!


Get started with GDPR Compliance

✅ Easily tick items off your GDPR checklist!
