
Does GDPR apply to US companies and customers?

Learn how GDPR applies to U.S. companies, key compliance steps, recent enforcement actions, and how to navigate data protection requirements effectively.
Read time
5 min read
Last updated
December 23, 2024

The General Data Protection Regulation (GDPR), implemented by the European Union (EU) in May 2018, has significantly influenced data protection practices worldwide, including those of U.S. companies. Despite being an EU regulation, GDPR's extraterritorial scope means that it can apply to organizations outside the EU, including those based in the United States, if they process personal data of individuals within the EU.

So what does GDPR mean for US companies? Let's take a closer look:

Understanding GDPR's applicability in the US

Companies and individuals on either side of the Atlantic may assume that, since the General Data Protection Regulation (GDPR) is a European Union mandate, it applies only within EU countries. This is not the case. Some of its provisions also apply to US customers who purchase from EU-based companies.

Who does GDPR apply to?

GDPR applies to any organization, regardless of location, that processes personal data of individuals in the EU, offers them goods or services, or monitors their behavior within the EU.

The reality is that the GDPR's application depends more on who you are targeting than on where your business is headquartered. This means that if you are a US national seeking to buy goods from an EU-based company, you will need to familiarize yourself with GDPR and how it applies to you. If you are an EU business, you may wonder whether GDPR applies to your US-based customers.

Does GDPR apply to US companies?

Yes, GDPR applies to U.S. companies if they process personal data of individuals in the EU, offer goods or services to them, or monitor their behavior within the EU. Compliance is required regardless of the company's physical location.

As stated in Article 3(2), GDPR applies to U.S. companies under specific conditions:

  1. Offering goods or services to EU residents: If a U.S. company markets products or services to individuals in the EU, regardless of whether a payment is required, GDPR obligations may apply. This includes activities such as offering a website in an EU language or accepting payments in euros.
  2. Monitoring behavior of EU residents: U.S. companies that track or analyze the behavior of individuals within the EU, such as through website analytics or targeted advertising, may fall under GDPR's jurisdiction.

The size of the company does not exempt it from GDPR compliance. GDPR applies to any organization, regardless of size, if it meets the criteria for applicability, such as processing personal data of individuals in the EU, offering goods or services to them, or monitoring their behavior within the EU.

This means that even small businesses and startups in the U.S. must comply with GDPR if they engage in these activities.

When does GDPR apply to US companies?

The General Data Protection Regulation (GDPR) applies to U.S. companies under specific circumstances, but it does not cover every scenario.

To clarify, this table provides examples of situations where GDPR applies and where it does not, helping businesses understand their obligations based on their interactions with individuals in the European Union (EU).

Scenarios where GDPR applies:

  • A U.S. company operates an e-commerce website that accepts payments in euros and ships to the EU. ✅ Yes, offering goods or services to EU residents.
  • A U.S. company tracks the behavior of individuals in the EU through website cookies and analytics. ✅ Yes, monitoring behavior in the EU.
  • A U.S. tourist in the EU books a hotel on a U.S.-based travel website. ✅ Yes, offering services to individuals in the EU.
  • A U.S.-based social media app collects data on users while they are traveling in the EU. ✅ Yes, data subjects are in the EU when data is processed.
  • A U.S. company processes payroll for employees, including one remote worker based in the EU. ✅ Yes, processing personal data of an individual in the EU.
  • A U.S. company stores personal data of EU residents but only processes it in the U.S. ✅ Yes, storing and processing data of EU residents.

Scenarios where GDPR does not apply:

  • A U.S.-based online service offers a website in English only and does not market or provide services to the EU. ❌ No, there is no intentional targeting of EU residents.
  • A U.S. manufacturing company sells products only in the U.S., and its website is not accessible in the EU. ❌ No, there is no connection to the EU market or individuals.
  • A U.S.-based blog with no products, services, or marketing aimed at the EU receives visits from EU residents. ❌ No, incidental visits from the EU do not trigger GDPR.
  • A small U.S. business processes personal data of U.S. residents only, with no services targeting the EU. ❌ No, no EU-related data is processed.


Does GDPR apply to US citizens?

GDPR can apply to U.S. citizens if they are in the EU and their personal data is processed, offered goods or services, or monitored by organizations subject to GDPR.

The GDPR applies to practically every individual or business that handles personal data within the EU or is responsible for transferring personal data of people within the region. This means that if you intend to do business with an EU-based company, you will be protected by some of GDPR's provisions.

Furthermore, when dealing with EU-based companies, it is essential to remember that the United States has no single data privacy law with a scope as broad as the GDPR's. Various federal and state regulations overlap to form a piecemeal data protection framework, with specific sectors such as healthcare as the main focus.

This patchwork can make compliance difficult, since data protection obligations vary from state to state. It should also be noted that the level of data protection required by GDPR is usually high enough to satisfy the relevant US laws.


Key GDPR requirements for US companies

For U.S. businesses subject to GDPR, compliance involves several critical steps:

  1. Data protection principles:
    Adherence to principles such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality is essential.
  2. Lawful basis for processing:
    Establishing a legitimate basis for processing personal data, such as obtaining explicit consent from data subjects, is required.
  3. Data subject rights:
    Implementing mechanisms to facilitate rights granted to individuals, including access, rectification, erasure, restriction of processing, data portability, and objection to processing, is necessary.
  4. Data breach notification:
    Establishing procedures to detect, report, and investigate personal data breaches is crucial. In the event of a breach, notifying the relevant supervisory authority within 72 hours is mandatory.
  5. Data protection officer (DPO):
    Appointing a DPO is required if the core activities involve regular and systematic monitoring of data subjects on a large scale or processing special categories of data.
  6. Data processing agreements:
    Ensuring that contracts with data processors comply with GDPR requirements is vital. This includes stipulations on data security measures and the processor's obligations.
  7. International data transfers:
    Implementing appropriate safeguards for transferring personal data outside the EU, such as Standard Contractual Clauses (SCCs) or binding corporate rules, is necessary to ensure compliance.

Read more: GDPR compliance requirements


Recent GDPR enforcement in the US

Let's highlight a few key cases, the penalties imposed, and the implications for businesses navigating cross-border privacy compliance.

Can US companies be fined for GDPR?

Yes, U.S. companies can be fined for GDPR non-compliance if they process personal data of individuals in the EU and fail to meet GDPR requirements, regardless of their location.

Several U.S. companies have faced significant fines for GDPR violations, underscoring the regulation's global reach:

  • Meta Platforms (formerly Facebook): In September 2024, Meta was fined for infringements of multiple GDPR articles, demonstrating the risks associated with non-compliance.
  • Uber: In August 2024, Uber faced penalties for improper data transfers from the EU to the U.S., emphasizing the importance of adhering to data transfer regulations.
“Uber did not meet the requirements of the GDPR to ensure the level of protection to the data with regard to transfers to the US”

- Dutch Data Protection Authority (DPA)

Read more: The top 5 GDPR compliance mistakes and how to avoid them

Steps for US companies to achieve GDPR compliance

To navigate GDPR requirements effectively, U.S. companies should consider the following steps:

  1. Conduct a data audit:
    Assess the personal data collected, processed, and stored, particularly data pertaining to EU residents. This audit helps in understanding data flows and identifying compliance gaps.
  2. Implement data protection measures:
    Adopt technical and organizational measures to safeguard personal data, including encryption, access controls, and regular security assessments.
  3. Develop clear privacy policies:
    Ensure that privacy policies are transparent, easily accessible, and clearly outline data processing activities, purposes, and data subject rights.
  4. Establish consent mechanisms:
    Implement processes to obtain explicit consent from data subjects where required, ensuring that consent is freely given, specific, informed, and unambiguous.
  5. Facilitate data subject rights:
    Set up procedures to respond to data subject requests, such as access, rectification, or deletion of their data, within the stipulated timeframes.
  6. Appoint a data protection officer (if necessary):
    Determine if appointing a DPO is required based on the scale and nature of data processing activities, and ensure the DPO is adequately resourced.
  7. Establish data breach response plans:
    Develop and test incident response plans to handle potential data breaches, including notification procedures to supervisory authorities and affected individuals.
  8. Review international data transfer mechanisms:
    Ensure that data transfers to countries outside the EU are conducted in compliance with GDPR, utilizing approved mechanisms such as SCCs or the EU-U.S. Data Privacy Framework.

Read more: GDPR compliance checklist

When SeatGeek increased its European customer base, it needed an improved GDPR compliance solution that would keep pace with its growing business. SeatGeek turned to Ketch for that solution.

“We needed a fast, easy-to-deploy privacy solution and Ketch delivered on that promise. Onboarding was straightforward thanks to their qualified, hands-on customer experience team.”

Tim Janas, Senior Corporate Counsel, SeatGeek

Understanding how GDPR applies to US customers

Transferring of personal data between the EU and the US

The GDPR uses the term Personal Data, whereas the equivalent term in the United States is Personally Identifiable Information (PII), which is defined differently from state to state.

There are also some general differences between the definitions of Personal Data and PII. For instance, in the EU, financial data and national insurance numbers are not viewed as sensitive in the strict legal definition. On the other hand, the same elements are often considered highly sensitive under US privacy legislation. This means that US citizens are covered by GDPR's privacy protections in some respects, but not in all.

In addition, US-based individuals who are in possession of EU residents' personal data have to abide by the GDPR rules if they wish to conduct business in the region.

Individuals' rights

The GDPR was formulated on the premise that the relevant authorities should protect personal data and that people needed to have control over how other parties used their information. Some of these rights include the right to data portability, erasure, rectifying inaccurate data, withdrawal of consent, objection, restriction, and access.

The rights of US-based customers or website visitors tend to be more limited, even though US laws stipulate that detailed information must be provided to them at the time personal data is collected, even if the company is based in the EU. There are usually no other access rights offered to data subjects, and the right to have collected data erased may also not be available.

In the US, the laws extending the most data rights concern children. Parents are allowed to view the personal information a website has gathered about their child and to delete or correct it. All of this is provided for under the Children's Online Privacy Protection Act (COPPA). The GDPR, however, has no equivalent child-specific provisions of this kind.

Cross-continent transfers

GDPR restricts the transfer of personal data outside the European Economic Area (EEA). The purpose of this restriction is to ensure that the data rights available to residents of the area are not undermined simply because an international provider holds the data. As a result, the international transfer of personal information is subject to the EU-US Corporate Rules and the Model Contractual Clauses.

US law, on the other hand, imposes few limits on transferring personal information outside the country. Even though US regulations continue to apply to data after it has left the country, they usually focus on ensuring that US entities remain liable for it.

In short, when dealing with companies in the EU, both GDPR and local privacy rules apply, since you will be engaging in business with EU-based customers.

How Ketch can simplify GDPR compliance

Ketch simplifies GDPR compliance by automating consent management, handling data subject rights requests, updating privacy policies, and ensuring real-time compliance.

It integrates with existing systems, providing audit trails and reducing manual effort to maintain GDPR alignment.


GDPR's extraterritorial reach means that U.S. companies engaging with EU residents must carefully assess their data processing activities and implement robust data protection measures to ensure compliance.

Failure to do so can result in substantial fines and reputational damage. By understanding the regulation's requirements and taking proactive steps, U.S. businesses can navigate GDPR effectively while fostering trust with their customers.


FAQs about GDPR compliance in the US

Are US citizens covered by GDPR?

Yes, U.S. citizens are covered by GDPR if they are in the EU and their personal data is processed by organizations subject to GDPR.

Read more: Does GDPR apply to Non-EU Citizens?

Does the GDPR apply to EU citizens in the US?

No, GDPR generally does not apply to EU citizens in the U.S. unless their data is processed by an EU-based organization or one targeting the EU market.

What constitutes “offering goods or services” to EU residents?

Examples include:

  • Accepting payments in euros.
  • Providing a website in an EU language.
  • Offering international shipping to EU countries.

What personal data is protected under GDPR?

Personal data includes any information related to an identified or identifiable individual, such as:

  • Name
  • Email address
  • IP address
  • Location data
  • Payment details
  • Health and biometric data

What are the penalties for non-compliance?

GDPR violations can result in fines of up to:

  • €20 million, or
  • 4% of the company’s global annual revenue, whichever is higher.

Do U.S. companies need a Data Protection Officer (DPO)?

A DPO is required if:

  • Your company conducts large-scale monitoring of individuals.
  • Your company processes special categories of data (e.g., health data).

How can U.S. companies transfer data to the EU?

To transfer personal data from the EU to the U.S., companies must implement safeguards such as:

  • Standard Contractual Clauses (SCCs).
  • Binding corporate rules.
  • Adhering to the EU-U.S. Data Privacy Framework.

What rights do EU residents have under GDPR?

GDPR grants individuals several rights, including:

  • The right to access their personal data.
  • The right to have their data corrected or deleted.
  • The right to object to processing or request data portability.

What should U.S. companies do in case of a data breach?

U.S. companies must:

  • Notify the relevant EU supervisory authority within 72 hours.
  • Inform affected individuals if the breach poses a high risk to their rights and freedoms.

How does GDPR differ from US data privacy laws?

Unlike GDPR, U.S. data privacy laws (such as the California Consumer Privacy Act, or CCPA) vary by state and often focus on specific sectors or types of data. GDPR is broader in scope and grants more extensive rights to individuals.

Read more: CCPA vs GDPR

Do small U.S. businesses need to comply with GDPR?

Yes, if your small business meets the criteria for GDPR applicability, such as offering goods or services to EU residents or monitoring their behavior. However, the regulation does take into account the scale of data processing when determining certain obligations. For instance:

  • Data Protection Officer (DPO): Small businesses may not be required to appoint a DPO unless they process special categories of data (e.g., health or biometric data) or conduct large-scale monitoring of individuals.
  • Record-keeping exemption: Organizations with fewer than 250 employees may be exempt from some record-keeping requirements unless their processing:
    • Is likely to result in a risk to the rights and freedoms of individuals.
    • Is not occasional.
    • Includes special categories of data or data relating to criminal convictions and offenses.

In summary, while small companies may face fewer administrative requirements, they are not exempt from GDPR compliance if they process personal data of EU residents.

Read more: Small business GDPR privacy policy

Can a US company be fined for non-compliance if it doesn’t have a presence in the EU?

Yes. The extraterritorial scope of GDPR means fines can be imposed on companies outside the EU if they process EU residents’ personal data in violation of the regulation.

Read more: How do you know if you are GDPR compliant?

How can US companies demonstrate compliance?

Companies should:

  • Maintain documentation of data processing activities.
  • Conduct regular privacy impact assessments.
  • Train employees on GDPR requirements.

How can companies prepare for GDPR audits?

  • Ensure privacy policies and consent mechanisms are up to date.
  • Maintain records of data processing activities.
  • Demonstrate technical and organizational measures for data protection.

Published
October 17, 2021
