The European Union's General Data Protection Regulation (GDPR) has global reach—affecting US companies that offer goods or services to EU residents or monitor their behavior. Understanding when GDPR applies and what it requires helps US businesses avoid substantial penalties.

When GDPR Applies to US Companies

The GDPR applies to US companies that offer goods or services to people in the EU (even if free), monitor the behavior of people in the EU (like tracking website visitors), or have an establishment in the EU.

Simply having a website accessible in Europe isn't enough—there must be evidence of targeting EU residents, like offering EU currencies, shipping to EU countries, or marketing in EU languages.

Key GDPR Principles

GDPR is built on a set of core principles. Lawfulness, fairness, and transparency require that data is processed only on a valid legal basis and in a way individuals can understand. Purpose limitation restricts use of data to the purposes stated at collection. Data minimization means collecting only the data actually needed for those purposes. Accuracy requires keeping data correct and up to date. Storage limitation restricts how long data is retained. Integrity and confidentiality (security) require appropriate technical and organizational safeguards against unauthorized access, loss, or damage.

Legal Bases for Processing

GDPR requires a legal basis for each processing activity. Common bases include consent (freely given, specific, informed, and unambiguous), contractual necessity (processing needed to fulfill a contract), legal obligation (required by law), legitimate interests (your interests balanced against individual rights), and vital interests (protecting life).

US companies often rely on consent or legitimate interests, but consent under GDPR is stricter than under US law.

Individual Rights

GDPR grants strong individual rights. Right of access: Individuals can request copies of their data. Right to rectification: Individuals can correct inaccurate data. Right to erasure: The "right to be forgotten" requires deletion in certain circumstances. Right to data portability: Individuals can receive their data in portable format. Right to object: Individuals can object to certain processing.

You must respond to rights requests within one month.

Consent Requirements

GDPR consent must be freely given (not forced), specific (for particular purposes), informed (after clear disclosure), and unambiguous (requiring affirmative action). Pre-ticked boxes, silence, or inactivity don't constitute consent.

Consent for different purposes must be separately requested. Withdrawal must be as easy as giving consent.

Privacy Policy Requirements

GDPR requires detailed privacy notices including your identity and contact information, purposes and legal basis for processing, recipients of data, transfers to third countries, retention periods, individual rights, right to complain to supervisory authorities, and source of data if not collected directly.

Data Transfers Outside the EU

Transferring data to the US requires additional safeguards. Options include standard contractual clauses (SCCs), binding corporate rules for intra-group transfers, or certification under the EU-US Data Privacy Framework. Without proper mechanisms, transfers are prohibited.

Data Protection Officers

Some organizations must appoint a Data Protection Officer (DPO)—particularly those processing large amounts of sensitive data. Even when not required, having someone responsible for privacy compliance is advisable.

Data Breach Notification

GDPR requires notifying the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals. Affected individuals must also be notified directly when the breach is likely to result in a high risk to their rights and freedoms.

Penalties

GDPR penalties are severe. Maximum fines are 4% of global annual revenue or €20 million, whichever is higher. Lesser violations carry fines up to 2% of global revenue. Enforcement has increased significantly since GDPR's implementation.

Getting Legal Help

GDPR compliance is complex and the penalties are substantial. Privacy attorneys experienced in international data protection can assess your EU exposure, implement compliant processes, and help with cross-border transfer mechanisms.