Home Resources Articles Comprehensive GDPR compliance checklist for U.S. companies

Comprehensive GDPR compliance checklist for U.S. companies

This GDPR Compliance Checklist for US companies helps American companies navigate GDPR compliance so that they can focus on doing business in the EU and avoid fines

by Usercentrics

Mar 29, 2024

Table of contents

Show more Show less

Book a demo

Learn how our consent management solution can improve privacy and user experience for your users.

Book now

Get your free data privacy audit now!

The General Data Protection Regulation (GDPR) has been in effect in the European Union since May 2018. Any organization that handles the consumer data of EU residents needs to take GDPR compliance seriously.

GDPR compliance is also valuable for those doing business in the United States, among other countries that have since introduced data privacy laws. California, for example, borrowed heavily from the GDPR when drafting its data privacy regulations. This has since influenced data privacy legislation drafted by other states.

Achieving GDPR compliance puts U.S. companies ahead of the game in ensuring state-by-state compliance at home. By adopting its more stringent best practices, you’re set up to avoid future disruptions as more regulations are passed in the U.S. and other countries.

The following information will help clarify your company’s GDPR compliance requirements. Please note that due to differences in implementation and enforcement among EU countries, we strongly recommend that you consult with a lawyer specializing in data protection and privacy.

One of the first questions asked by U.S. companies is, “Does the GDPR apply to us?” If your company does business in the EU that involves collecting and processing user data, then yes, you do need to be GDPR-compliant.

This can mean you sell products or services in the EU, work with partners or customers there, or receive web traffic from visitors located there.

Note that the GDPR is extraterritorial. This means it applies to organizations that process EU residents’ personal data whether or not those entities are actually located in the EU. It only matters that the personal data being used belongs to people in the EU.

In July 2023, the EU-U.S. Data Privacy Framework introduced a new adequacy agreement between the two regions, which had been without one since the Schrems II decision struck down the previous EU–U.S. Privacy Shield framework in 2020.

The EU-U.S. Data Privacy Framework does not apply GDPR requirements to the U.S., though it is a legal agreement and does apply certain standards to data protection and international transfers. The framework also outlines data subjects’ rights, responsibilities and requirements for certified companies, redress mechanisms for complaints, and requirements and restrictions on US intelligence services.

The GDPR’s requirements differ from data privacy regulations in the U.S., so you need to understand the distinctions. These include the following.

Scope of jurisdiction

Data privacy laws passed to date in the U.S. are all at the state level, each one only applies in the state where it was enacted. The U.S. does not yet have a federal data privacy regulation, so companies need to check if there’s a law for each state where they do business, and what its requirements are.

Scope of protection

Privacy laws in the U.S., like the California Consumer Privacy Act (CCPA), are centered around consumer protection, whereas the GDPR regulates data protection more comprehensively. That includes the B2C and B2B sectors.

Dedicated roles

In many instances, the GDPR requires organizations to appoint a data protection officer. This isn’t the case under the majority of U.S. state-level laws passed to date.

Opting in and opting out

Under the GDPR, individuals must provide explicit opt-in consent prior to having their personal data collected and processed. The U.S. uses an opt-out model in all privacy laws passed to date, meaning you can collect and use data in many cases without obtaining consent (with the common exception of children’s data or that categorized as “sensitive”), You do have to provide a way for people to opt out of data collection and/or processing for various purposes (these vary by state law).

Terms and definitions

While the GDPR refers to “personal data,” the term “personally identifiable information” (PII) is more common in the U.S. The specific requirements for data to be “sensitive” also vary. We explain these differences in depth: Personally Identifiable Information (PII) vs. Personal Data — What’s the difference?

Under the GDPR, you need a legal reason that can be proven to collect and process customer data. Valid consent is one of the six legal bases listed in Art. 6 GDPR. The conditions for consent to be valid are outlined in Art. 7 GDPR.

You need to document and clearly communicate to site visitors, customers, app users, etc. what personal data you want to collect, for what purpose(s), who may have access to it, and several other requirements. If the purpose for processing user data changes, you must obtain new consent from users.

Data controllers (e.g. companies collecting data from visitors to its website), can use any of the legal bases for data processing if they can prove the necessity of doing so. You can’t simply choose or change a legal basis because a business need a change or one method (like obtaining valid consent) is more work.

✅ Keep data privacy and protection top of mind in all aspects of your business, especially the customer-facing parts. It’s cheaper, more efficient, and less resource-intensive to build compliance into your system from the beginning using a privacy by design approach, rather than retrofitting it. Especially when considering the risks of violations if efforts are not comprehensive enough.

✅ Create an internal security policy for employees, partners and contractors to ensure security measures are adequate, and keep it updated. Ensure it’s clear and covers all operations and specific roles within the organization where accessing personal data is necessary.

✅ Know what a data protection impact assessment is and have a process to carry it out. These are legally required under some regulations, but a good idea regardless.

✅ Wherever possible, when personal data is collected, anonymize, pseudonymize, and encrypt it.

✅ In the event of a data breach, have a process in place to notify data subjects and the correct authorities within the required time frame. Where possible, act as quickly and thoroughly as possible to provide information, cooperate with authorities, protect affected users, and mitigate and repair damage from the breach.

Data subjects’ privacy rights

It must be clear and easy for customers, users, and visitors to:

✅ object to collection and/or processing of their personal data
✅ request and receive all the data you have about them in a timely manner
✅ request a correction or update to inaccurate or incomplete data
✅ request that their personal data be deleted in a timely manner (with some exceptions)
✅ have you stop collecting and processing their data if they withdraw previous consent
✅ receive a copy of all of their personal data to be transferred to another entity
✅ have processes and policies in place (and user access to them) to protect their rights if you make decisions about them based on automated decision-making processes

Operations

Requirement	Key actions	Details
✅ Know what data you collect, store, and use	Conduct an information audit to learn and document: – what data you collect – why it’s collected – who has access to it (including third parties) – how and where it’s stored/protected – how long it’s kept – how it’s expunged or returned	Organizations with 250+ employees, or that conduct higher-risk data processing, must keep an up to date and detailed list of their processing activities, which can be shown to regulators on request. Companies with fewer than 250 employees should still do these audits and maintain this information.
✅ Have a legal basis for data processing activities	Determine which legal basis you process data under Determine what additional conditions may apply Document the rationale for your organization’s chosen legal basis and be prepared to present it to regulators	Legal basis is determined based on the six conditions under Art. 6. There are additional provisions relating to children and special categories of personal data in Arts. 7–11. Be aware of the extra obligations if consent is your chosen legal basis.
✅ Appoint appropriate officers and representatives to manage data privacy and protection initiatives.	Designate a privacy/compliance officer in your organization Appoint a representative within the EU if your organization is outside (e.g. United States) Determine if your organization needs a data protection officer, and appoint one if required	The internal data protection officer needs to be able to understand the needs of ongoing compliance, work on drafting, reviewing, implementing and enforcing the policies. EU member states require a representative in each country who can communicate on your behalf with data protection authorities. A data protection officer is needed if the organization: – is a public authority – has large-scale data processing as a core activity – has large-scale data processing of special categories of data as a core activity
✅ Create and use a data processing agreement with third parties.	Any third parties that process data on your behalf need to sign a data processing agreement that clearly outlines how data is to be transferred, stored, protected, used, and erased.	This can include email hosting, cloud services, advertising or marketing partnerships, analytics software, etc. Ensure the rights and obligations of both parties are clear. Reputable services should have a data processing agreement for review on their websites.

Users and customers

Requirement	Key actions	Details
✅ Duty to provide information	Provide clear notification that you are using cookies or other tracking technologies on your website. Explain what the tracking technologies are doing and why, and what data they collect. Include this information in a Privacy Policy that’s easy to find, read, and understand. Review and update the Privacy Policy at least every 12 months.	Include the following information in the Privacy Policy: – Name and contact of data controller – Purpose of data processing/tracking technologies – Categories of people and personal data processed – Transfers of personal data to third countries – Time limit for deletion of personal data – General description of security measures
✅ Obtain explicit user consent	Obtain individuals’ informed and explicit consent to use tracking technologies and to store cookies on their device(s).	Consent must be: Explicit: Active acceptance, e.g. ticking a box or clicking a link Informed: Communicate the who, what, why, and for how long of data collection Documented: You have the burden of proof in the case of an audit In advance: No data is to be collected before opt-in, e.g. cookies cannot be set on your website before an individual has consented to them Granular: Individual consent for individual purpose, i.e. consent cannot be bundled with other purposes or activities Freely given: E.g. the “Accept” and “Reject” options are equal size, prominence, and accessibility Easy to withdraw: Opt out is available and is as easily accessible as opt in later if the person changes their mind Exception: These rules don’t apply to strictly necessary cookies (aka essential cookies), but there are restrictions regarding which kinds of cookies can be categorized as essential.
✅ Setting cookies	Collect and process personal data via cookies only with valid consent.	Loading: Ensure cookies are not loaded until the person has given consent User refusal: If someone rejects cookies, no cookies can be set. But the user must still be able to use your website/access your service as much as possible without the cookie use.
✅ Legally compliant documentation	Document and store consents received from users whose data you’re processing.	Data protection authority (DPA) audit: Comply with documentation obligations and store evidence of consent in case of an audit by data protection authorities or a data subject access request in accordance with users’ legal rights.
✅ Opt out	Rejecting the use of cookies or other tracking technologies must be as easy to access and use as consenting.	Easy access: It must be as easy for individuals to withdraw their consent — at any time — as it is for them to give it. External links: Linking to a separate page for opt-out is not sufficient. After opt-out: Ensure no further data is collected, processed, or forwarded from the moment the consent request is rejected or rescinded, i.e. the opt-out must also be technically linked to the cookie and, ideally, documented.

For an individual’s consent to be GDPR-compliant, you need to meet seven criteria. See our article 7 criteria for GDPR-compliant consent for detailed information on those criteria and what that means for consent banners on your website.

Data protection and regulation of children’s data

Under the GDPR, you’re generally only able to process personal data for children aged 16 and older. Parental or guardian consent must be obtained for data processing requests for children under 16.

Some EU member states reduce the age limit to 13, but not all of them do. As confirming an individual’s age can be ambiguous on some websites, we recommend obtaining explicit consent from all users.

As mentioned, the precise implementations and interpretations of GDPR vary among member states. But you’ll need to complete a full data audit before you’ll know exactly how GDPR requirements apply to your organization and customers.

Start with Usercentrics’ free data privacy audit that detects the cookies and trackers in use on your website, and can help you to see where your website might fall short of GDPR compliance.

While this audit will support your compliance efforts, it does not replace legal advice. To ensure your company’s GDPR compliance efforts are robust and compliant, we strongly recommend working with legal counsel that specializes in data protection and privacy, and appointing a Data Protection Officer.

Still have questions about data privacy requirements under the GDPR and how to achieve and maintain compliance? We’re here to help.

Talk to an expert

FAQs

Does GDPR compliance apply to all US companies?

If your company does business in the EU or needs to collect, process and store personal data from users based in the EU, then it needs to achieve GDPR compliance. As the GDPR is extraterritorial, it applies whether or not a business is physically located in the EU. It only matters that the data subjects are.

How do I make sure my company is GDPR compliant?

To help meet GDPR compliance requirements, follow these steps:

Provide a clear opt-in before any personal data is collected, processed or stored.

Outline a valid legal basis for collecting personal data.
Anonymize and encrypt data where possible.
When deploying your consent request, clearly state which data you intend to collect, why it’s needed, who will have access to it, and how it will be stored.
If your reason for obtaining data changes, you must request consent again.
Make it clear and easy for customers to refuse consent, update or withdraw previous consent, request access to all their collected data, ask for a correction, or have their data deleted.
Create a comprehensive security policy for storing data, which outlines who has access to the data and why access is necessary for performing their role or completing processing.
Have a plan to communicate to data subjects and authorities in case of a data security breach.
Depending on the organization and data processing operations, you may need to appoint a data protection officer.

Can U.S. companies be fined for GDPR? How much?

U.S. companies can be fined under the GDPR. There are two penalty tiers. In the first, companies may be fined up to EU 10 million, or up to 2% of their gross revenue for the previous year, whichever is higher.

For more serious violations, organizations may be fined up to EU 20 million, or up to 4% of their gross revenue for the previous year, whichever is higher.

What are the seven principles of GDPR compliance?

The seven principles of GDPR compliance are:

Consent needs to be freely given. This means you cannot use manipulative design or other dark patterns to encourage or trick users to give consent.
Users must be fully informed about how their data will be used, who will access it, why they will access it, and for how long.
Your consent request must be explicit and users must actively accept it — for example, by clicking an “Accept” button.
You must also provide equal access to all options, e.g. if there’s an “Accept” button, the “Deny” button must be equally visible and accessible.
You need to provide granular detail about the consent request, such as all the data processing services in use on the website, the vendors behind them, the data they collect, and what it’s used for.
You need to obtain consent before collecting, processing and storing any personal information, referred to as prior consent or an opt-in consent model.
Consent needs to be carefully documented. In the event of an audit, organizations must be able to provide a comprehensive consent history.
Make it easy to withdraw previously given consent. It has to be as easy to change or withdraw consent as it was to give it.

Is there a GDPR compliance certificate?

Yes, you can obtain a GDPR compliance certificate. You need to apply to an independent body for an audit. Organizations such as Europrivacy are approved by the European Data Protection Board (EDPB) to provide a GDPR audit and certification. To begin your journey, complete a Usercentrics GDPR compliance scan.