The General Data Protection Regulation (GDPR) has been in effect in the European Union since May 2018. Any organization that handles the consumer data of EU residents needs to take GDPR compliance seriously.
GDPR compliance is also valuable for those doing business in the United States, among other countries that have since introduced data privacy laws. California, for example, borrowed heavily from the GDPR when drafting its data privacy regulations. This has since influenced data privacy legislation drafted by other states.
Achieving GDPR compliance puts U.S. companies ahead of the game in ensuring state-by-state compliance at home. By adopting its more stringent best practices, you’re set up to avoid future disruptions as more regulations are passed in the U.S. and other countries.
The following information will help clarify your company’s GDPR compliance requirements. Please note that due to differences in implementation and enforcement among EU countries, we strongly recommend that you consult with a lawyer specializing in data protection and privacy.
GDPR in the U.S.: Does your company need to be compliant?
One of the first questions asked by U.S. companies is, “Does the GDPR apply to us?” If your company does business in the EU that involves collecting and processing user data, then yes, you do need to be GDPR-compliant.
This can mean you sell products or services in the EU, work with partners or customers there, or receive web traffic from visitors located there.
Note that the GDPR is extraterritorial. This means it applies to organizations that process EU residents’ personal data whether or not those entities are actually located in the EU. It only matters that the personal data being used belongs to people in the EU.
In July 2023, the EU-U.S. Data Privacy Framework introduced a new adequacy agreement between the two regions, which had been without one since the Schrems II decision struck down the previous EU–U.S. Privacy Shield framework in 2020.
The EU-U.S. Data Privacy Framework does not apply GDPR requirements to the U.S., though it is a legal agreement and does apply certain standards to data protection and international transfers. The framework also outlines data subjects’ rights, responsibilities and requirements for certified companies, redress mechanisms for complaints, and requirements and restrictions on U.S. intelligence services.
GDPR requirements for U.S. companies
The GDPR’s requirements differ from data privacy regulations in the U.S., so you need to understand the distinctions. These include the following.
Scope of jurisdiction
Data privacy laws passed to date in the U.S. are all at the state level, and each one applies only in the state where it was enacted. The U.S. does not yet have a federal data privacy regulation, so companies need to check whether there is a law in each state where they do business, and what its requirements are.
Scope of protection
Privacy laws in the U.S., like the California Consumer Privacy Act (CCPA), are centered around consumer protection, whereas the GDPR regulates data protection more comprehensively. That includes the B2C and B2B sectors.
Dedicated roles
In many instances, the GDPR requires organizations to appoint a data protection officer. This isn’t the case under the majority of U.S. state-level laws passed to date.
Opting in and opting out
Under the GDPR, individuals must provide explicit opt-in consent before their personal data is collected and processed. The U.S. uses an opt-out model in all privacy laws passed to date, meaning you can collect and use data in many cases without obtaining consent (with the common exception of children’s data or data categorized as “sensitive”). You do have to provide a way for people to opt out of data collection and/or processing for various purposes (these vary by state law).
Terms and definitions
While the GDPR refers to “personal data,” the term “personally identifiable information” (PII) is more common in the U.S. The specific requirements for data to be “sensitive” also vary. We explain these differences in depth: Personally Identifiable Information (PII) vs. Personal Data — What’s the difference?
Under the GDPR, you need a legal basis that you can demonstrate for collecting and processing customer data. Valid consent is one of the six legal bases listed in Art. 6 GDPR. The conditions for consent to be valid are outlined in Art. 7 GDPR.
You need to document and clearly communicate to site visitors, customers, app users, etc. what personal data you want to collect, for what purpose(s), who may have access to it, and several other requirements. If the purpose for processing user data changes, you must obtain new consent from users.
Data controllers (e.g. companies collecting data from visitors to their websites) can rely on any of the legal bases for data processing if they can demonstrate that the processing is necessary. You can’t simply choose or change a legal basis because a business need changes or because one method (like obtaining valid consent) is more work.
U.S. GDPR compliance checklist
✅ Keep data privacy and protection top of mind in all aspects of your business, especially the customer-facing parts. It’s cheaper, more efficient, and less resource-intensive to build compliance into your system from the beginning using a privacy by design approach than to retrofit it, especially given the risk of violations if efforts are not comprehensive enough.
✅ Create an internal security policy for employees, partners and contractors to ensure security measures are adequate, and keep it updated. Ensure it’s clear and covers all operations and specific roles within the organization where accessing personal data is necessary.
✅ Know what a data protection impact assessment is and have a process to carry it out. These are legally required under some regulations, but a good idea regardless.
✅ Wherever possible, when personal data is collected, anonymize, pseudonymize, and encrypt it.
✅ In the event of a data breach, have a process in place to notify data subjects and the correct authorities within the required time frame. Where possible, act as quickly and thoroughly as possible to provide information, cooperate with authorities, protect affected users, and mitigate and repair damage from the breach.
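The checklist item on anonymizing, pseudonymizing, and encrypting collected data is easiest to see in code. The following is an added example, not Usercentrics’ code or a tool the article describes: it pseudonymizes the direct identifier in each collected record with a keyed hash (HMAC-SHA256), drops fields the stated purpose does not need, and keeps the key apart from the resulting dataset. The record layout, field names, and sample rows are constructed assumptions for illustration.

```python
"""Pseudonymization of collected records with a keyed hash (HMAC-SHA256).

Added example, not Usercentrics' code. The record layout, the field names and
the split between the pseudonymized store and the separately held key are
hypothetical assumptions made for illustration.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a person; replaced by a pseudonym (assumed layout).
DIRECT_IDENTIFIERS = ("email",)
# Fields not needed for the assumed purpose (page analytics); dropped entirely.
DROP_FIELDS = ("full_name", "ip_address")


def generate_pseudonym_key() -> bytes:
    """Random 256-bit key. Held by the controller, never stored next to the
    pseudonymized data; without it the pseudonyms cannot be reversed."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: the same person maps to the same value, so repeat
    visits can be linked, but a plain hash of an e-mail address could be guessed
    from a word list, which the secret key prevents."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with identifiers replaced and surplus fields removed."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue  # data minimisation: not needed for the purpose, so not kept
        if field in DIRECT_IDENTIFIERS:
            out["subject_id"] = pseudonymize(value, key)
        else:
            out[field] = value
    return out


def contains_direct_identifiers(record: dict) -> bool:
    """Sanity check run before a record leaves the collection boundary."""
    return any(f in record for f in DIRECT_IDENTIFIERS + DROP_FIELDS)


def build_analytics_store(records: list, key: bytes) -> list:
    """The dataset that analytics or a processor may see: pseudonyms only."""
    return [pseudonymize_record(r, key) for r in records]


# Constructed sample input (not real people or addresses).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "full_name": "Alice Example",
     "ip_address": "203.0.113.7", "page": "/pricing", "consent_analytics": True},
    {"email": "alice@example.com", "full_name": "Alice Example",
     "ip_address": "203.0.113.8", "page": "/signup", "consent_analytics": True},
    {"email": "bob@example.org", "full_name": "Bob Sample",
     "ip_address": "198.51.100.2", "page": "/pricing", "consent_analytics": True},
]

if __name__ == "__main__":
    key = generate_pseudonym_key()
    for row in build_analytics_store(SAMPLE_RECORDS, key):
        print(row)
```

Two points follow from the design. The pseudonymized store is still personal data under the GDPR as long as the key exists somewhere in the organization, because the records can be attributed to a person again with that additional information; only destroying the key (or never keeping one) moves the data towards anonymization. And pseudonymization is not encryption: fields you must keep readable for the purpose (here the visited page) remain in clear, so the store itself still needs access control and encryption at rest.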
Data subjects’ privacy rights
It must be clear and easy for customers, users, and visitors to:
- ✅ object to collection and/or processing of their personal data
- ✅ request and receive all the data you have about them in a timely manner
- ✅ request a correction or update to inaccurate or incomplete data
- ✅ request that their personal data be deleted in a timely manner (with some exceptions)
- ✅ have you stop collecting and processing their data if they withdraw previous consent
- ✅ receive a copy of all of their personal data to be transferred to another entity
- ✅ have processes and policies in place (and user access to them) to protect their rights if you make decisions about them based on automated decision-making processes
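The consent requirements above (consent tied to a stated purpose, a fresh opt-in when the purpose changes) and the data subject rights just listed (withdrawal, access and portability, erasure) map onto a small consent ledger. This is an added example, not Usercentrics’ code: the ledger layout, purpose names, banner identifiers and sample subject are constructed assumptions, and a real system would persist this in a database rather than in memory.

```python
"""Purpose-bound consent ledger with withdrawal, export and erasure handling.

Added example, not Usercentrics' code. Purpose names, source identifiers and the
sample subject are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json


@dataclass
class ConsentEvent:
    purpose: str      # the specific purpose consent was asked for, e.g. "analytics"
    granted: bool     # True = opt-in given, False = consent withdrawn
    at: datetime
    source: str       # where it was captured (banner version, form id), for accountability


@dataclass
class SubjectRecord:
    subject_id: str
    profile: dict
    consent_log: list = field(default_factory=list)


class ConsentLedger:
    def __init__(self):
        self._subjects = {}       # subject_id -> SubjectRecord
        self._erasure_audit = []  # (subject_id, timestamp) kept after erasure (assumed design choice)

    def register(self, subject_id: str, profile: dict) -> None:
        self._subjects[subject_id] = SubjectRecord(subject_id, dict(profile))

    def record_consent(self, subject_id: str, purpose: str, granted: bool,
                       source: str, at: datetime = None) -> None:
        """Append-only: a withdrawal is a new event, earlier events are never rewritten."""
        at = at or datetime.now(timezone.utc)
        self._subjects[subject_id].consent_log.append(ConsentEvent(purpose, granted, at, source))

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """The latest event for this exact purpose decides. No event for a purpose means
        no consent, so a new purpose needs its own opt-in rather than inheriting one."""
        rec = self._subjects.get(subject_id)
        if rec is None:
            return False
        events = [e for e in rec.consent_log if e.purpose == purpose]
        return bool(events) and events[-1].granted

    def export(self, subject_id: str) -> str:
        """Right of access / portability: everything held, in a machine-readable form."""
        rec = self._subjects[subject_id]
        payload = {
            "subject_id": rec.subject_id,
            "profile": rec.profile,
            "consent_log": [
                {"purpose": e.purpose, "granted": e.granted,
                 "at": e.at.isoformat(), "source": e.source}
                for e in rec.consent_log
            ],
        }
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase(self, subject_id: str) -> bool:
        """Right to erasure: drops profile and consent history. Only the fact that an
        erasure happened is retained, for the controller's own accountability."""
        removed = self._subjects.pop(subject_id, None)
        if removed is None:
            return False
        self._erasure_audit.append((subject_id, datetime.now(timezone.utc)))
        return True

    def has_subject(self, subject_id: str) -> bool:
        return subject_id in self._subjects

    def erasure_count(self) -> int:
        return len(self._erasure_audit)


def build_sample_ledger() -> ConsentLedger:
    """Constructed scenario: opt-in to two purposes, then withdrawal of one."""
    ledger = ConsentLedger()
    ledger.register("subj-0001", {"email": "alice@example.com", "locale": "en-US"})
    ledger.record_consent("subj-0001", "analytics", True, "banner-v3")
    ledger.record_consent("subj-0001", "marketing_email", True, "signup-form")
    ledger.record_consent("subj-0001", "marketing_email", False, "preference-centre")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.export("subj-0001"))
    print("analytics allowed:", ledger.may_process("subj-0001", "analytics"))
    print("profiling allowed:", ledger.may_process("subj-0001", "profiling"))
```

The check that matters is in `may_process`: consent is looked up per purpose, and a purpose that was never presented to the person returns `False`, which is how the “obtain new consent if the purpose changes” rule is enforced in code rather than by policy alone. The erasure audit entry is a design choice reflecting the article’s “with some exceptions”; which retention obligations apply to your organization is a question for counsel.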
Operations
| Requirement | Key actions | Details |
| --- | --- | --- |
| ✅ Know what data you collect, store, and use | | |
| ✅ Have a legal basis for data processing activities | | |
| ✅ Appoint appropriate officers and representatives to manage data privacy and protection initiatives. | | |
| ✅ Create and use a data processing agreement with third parties. | | |
Users and customers
| Requirement | Key actions | Details |
| --- | --- | --- |
| ✅ Duty to provide information | | |
| ✅ Obtain explicit user consent | Consent must be: | |
| ✅ Setting cookies | | |
| ✅ Legally compliant documentation | | |
| ✅ Opt out | | |
Ensuring consent is GDPR-compliant
For an individual’s consent to be GDPR-compliant, you need to meet seven criteria. See our article 7 criteria for GDPR-compliant consent for detailed information on those criteria and what that means for consent banners on your website.
Data protection and regulation of children’s data
Under the GDPR, you’re generally only able to process personal data for children aged 16 and older. Parental or guardian consent must be obtained for data processing requests for children under 16.
Some EU member states reduce the age limit to 13, but not all of them do. As confirming an individual’s age can be ambiguous on some websites, we recommend obtaining explicit consent from all users.
Kickstart GDPR compliance with a data privacy audit
As mentioned, the precise implementations and interpretations of GDPR vary among member states. But you’ll need to complete a full data audit before you’ll know exactly how GDPR requirements apply to your organization and customers.
Start with Usercentrics’ free data privacy audit that detects the cookies and trackers in use on your website, and can help you to see where your website might fall short of GDPR compliance.
While this audit will support your compliance efforts, it does not replace legal advice. To ensure your company’s GDPR compliance efforts are robust and compliant, we strongly recommend working with legal counsel that specializes in data protection and privacy, and appointing a Data Protection Officer.
Still have questions about data privacy requirements under the GDPR and how to achieve and maintain compliance? We’re here to help.