{"id":405,"date":"2023-11-02T07:41:18","date_gmt":"2023-11-02T06:41:18","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&#038;p=12900"},"modified":"2025-06-26T12:11:07","modified_gmt":"2025-06-26T10:11:07","slug":"us-privacy-law-compliance-for-eu-companies","status":"publish","type":"knowledge","link":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/","title":{"rendered":"US privacy law compliance for EU companies"},"content":{"rendered":"<p>The United States does not yet have a federal data privacy law, though multiple federal bills have been introduced. This means that European companies looking to do business in the US will need to be familiar with all relevant state-level laws where they are doing business to ensure they are compliant with US privacy laws.<\/p>\n<p><span style=\"font-weight: 400\">For example, if a company has customers, prospects, or website visitors from California, the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/california-consumer-privacy-act\/\">California Consumer Protection Act (CCPA)<\/a> and <a href=\"\/knowledge-hub\/california-privacy-rights-act-cpra-enforcement-begins\/\">California Privacy Rights Act (CPRA)<\/a> apply to them. In this guide we will also reference <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/virginia-consumer-data-protection-act-vcdpa\/\">Virginia\u2019s Consumer Data Protection Act<\/a> and <a href=\"https:\/\/legiscan.com\/CO\/drafts\/SB190\/2021\" target=\"_blank\" rel=\"noopener\">Colorado\u2019s Privacy Act<\/a> (CPA). However, 2023 has seen an unprecedented number of additional states pass privacy laws, which will come into force over the next couple of years. More states are likely to follow.<br \/>\n<\/span><\/p>\n\n<div id=\"uc-cta_69e21b5f0d9ea\" class=\"uc-cta uc-cta--illustration uc-cta--primary uc-ctx--blue\">\n    <div class=\"uc-cta__inner container\">\n        <div class=\"uc-cta__content\">\n                            <div class=\"uc-cta__label like-label-m\">Website Audit<\/div>\n                                        <div class=\"uc-cta__heading no-default-margin\">Is your website privacy-compliant? Find out now!<\/div>\n                                        <div class=\"uc-cta__description\">\n                    <p>Find out your website\u2019s cookie compliance risk level in moments for the GDPR, CCPA, LGPD, and more. <\/p>\n                <\/div>\n                                                    <div class=\"uc-cta__buttons\">\n                    <a id=\"12d7cdc7-458b-4c1a-a003-00911ea48334\" class=\"uc-button uc-button-size-m uc-button-contained  no-default-link-decoration\" href=\"https:\/\/usercentrics.com\/data-privacy-audit\/\" target=\"\"><span>Start now<\/span><\/a>                <\/div>\n                                            <\/div>\n                            <div class=\"uc-cta__section\">\n                                                                    <div class=\"uc-cta__section__img-wrapper\">\n                                <img loading=\"lazy\" decoding=\"async\" width=\"1\" height=\"1\" src=\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2021\/06\/badge.png\" class=\"attachment-large size-large\" alt=\"Icon_badge\" \/>                            <\/div>\n                                                            <\/div>\n            <\/div>\n<\/div>\n    <script type=\"module\">\n        new Uc_Cta(document.getElementById(\"uc-cta_69e21b5f0d9ea\"));\n    <\/script>\n\n\n<p>Like the <a href=\"https:\/\/usercentrics.com\/gdpr\/\">General Data Protection Regulation (GDPR)<\/a>, the US laws apply to where consumers reside, not where the company is headquartered. It doesn&#8217;t matter if a company doesn\u2019t have an office in California if it has customers, website visitors, etc. that reside there and their personal information is being processed by the company.<\/p>\n<p>Companies need to be familiar with the laws of each state law relevant to their business. More states continue to draft and pass privacy laws, so this may become an increasing challenge for companies doing business across the country. It is recommended to consult legal counsel experienced in privacy law and adjust operations accordingly. A good consent management solution also requires minimal updates once implemented, as new laws are passed.<\/p>\n<p>How a future federal law will affect state laws already in place is unknown. It would certainly add a layer of complexity to data privacy compliance in the US. However, the good news is, any company that is already GDPR-compliant is likely in good shape in terms of being compliant with any US privacy law. There are some key differences between US and EU law, but the GDPR has already been influential in drafting US legislation.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-companies-need-to-be-compliant-with-the-us-privacy-laws\">What companies need to be compliant with the US privacy laws?<\/h2>\n\n\n<p>An obvious first question for European companies is, \u201c<em>Do US privacy laws apply to us?<\/em>\u201d Followed by, \u201c<em>Which ones?<\/em>\u201d We are broadly defining \u201cdoing business\u201d here as having any of these in the state, and collecting\/processing their personal data:<\/p>\n<ul>\n<li>customers<\/li>\n<li>users<\/li>\n<li>website or app visitors\/users<\/li>\n<li>employees or contractors<\/li>\n<li>third-party partners<\/li>\n<\/ul>\n<p>The specifics of each state law vary. Companies will need qualified legal advice on a state by state basis to ensure they comply with legal requirements regarding children\u2019s data, for example, or whether users can opt out of profiling and targeted advertising, or just sale.<\/p>\n\n<div id=\"uc-cta_69e21b5f0e847\" class=\"uc-cta uc-cta--illustration uc-cta--primary uc-ctx--blue\">\n    <div class=\"uc-cta__inner container\">\n        <div class=\"uc-cta__content\">\n                            <div class=\"uc-cta__label like-label-m\">Webinar<\/div>\n                                        <div class=\"uc-cta__heading no-default-margin\">\u201cDo Not Sell My Personal Information\u201d &#8211; Why you shouldn\u2019t ignore CCPA<\/div>\n                                        <div class=\"uc-cta__description\">\n                    <p>The California Consumer Privacy Act was the first state-level privacy law in the US, and highly influential on other states\u2019 legislative efforts. Get key information on compliance, data protection, IT security and occupational safety.<\/p>\n                <\/div>\n                                                    <div class=\"uc-cta__buttons\">\n                    <a id=\"66d2070d-5cea-4e87-8f4d-78d05ca4efa9\" class=\"uc-button uc-button-size-m uc-button-contained  no-default-link-decoration\" href=\"https:\/\/usercentrics.com\/webinar\/do-not-sell-my-personal-information-why-you-shouldnt-ignore-ccpa\/\" target=\"\"><span>Watch now<\/span><\/a>                <\/div>\n                                            <\/div>\n                            <div class=\"uc-cta__section\">\n                                                                    <div class=\"uc-cta__section__img-wrapper\">\n                                <img loading=\"lazy\" decoding=\"async\" width=\"1\" height=\"1\" src=\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2020\/05\/Webinar.png\" class=\"attachment-large size-large\" alt=\"Icon_Webinar\" \/>                            <\/div>\n                                                            <\/div>\n            <\/div>\n<\/div>\n    <script type=\"module\">\n        new Uc_Cta(document.getElementById(\"uc-cta_69e21b5f0e847\"));\n    <\/script>\n\n\n<p>In California, to be subject to the CCPA, a business must meet the following criteria. In a number of state-level privacy laws passed since the CCPA and CPRA, the gross annual revenue provision is no longer included.<\/p>\n<ul>\n<li>annual gross revenues of the preceding calendar year exceeding $25 million USD (<em>CPRA: now specifies the revenue is from the \u201cpreceding calendar year\u201d<\/em>), or<\/li>\n<li>receive, buy, or sell personal information of 100,000 or more consumers or households (<em>CPRA: no longer includes \u201cdevices\u201d, also doubled from 50,000<\/em>), or<\/li>\n<li>earn more than 50 percent of their annual revenue from the sharing or sale of consumers\u2019 personal information (<em>CPRA: now specifies selling or sharing<\/em>)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2021\/08\/What-companies-need-to-be-compliant-with-the-US-privacy-laws.svg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-32288 size-full\" src=\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2021\/08\/What-companies-need-to-be-compliant-with-the-US-privacy-laws.svg\" alt=\"What companies need to be compliant with the US privacy laws?\" width=\"770\" height=\"380\" \/><\/a><\/p>\n<p>There are some differences under Virginia\u2019s CDPA, but generally under US privacy law the criteria for inclusion relate to revenue, the number of consumers whose information is sold, or both. Texas and Florida have some unique provisions targeting specific kinds of companies, for example, but those have not been widely adopted in other states. The country where the company collecting data is located doesn&#8217;t matter, and EU companies must comply with US privacy laws if they meet the relevant criteria.<\/p>\n<h4>Existing EU-US compliance privacy agreements<\/h4>\n<p>As of July 10, 2023, the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/eu-us-data-privacy-framework\/\">EU-U.S. Data Privacy Framework<\/a> enables adequacy for data transfers between the EU and US (if US companies are certified). This replaces the former <a href=\"https:\/\/www.dataprivacyframework.gov\/s\/\" target=\"_blank\" rel=\"noopener\">EU-US Privacy Shield Framework<\/a> struck down in 2020 by the <a href=\"https:\/\/iapp.org\/news\/a\/the-schrems-ii-decision-eu-us-data-transfers-in-question\/\" target=\"_blank\" rel=\"noopener\">Schrems II<\/a> decision.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-us-privacy-compliance-law-models-and-data-definitions\">US privacy compliance law models and data definitions<\/h2>\n\n\n<h4>Opt-in consent model<\/h4>\n<p>In regions outside of the United States, e.g. European Union, Brazil, South Africa, privacy laws passed to date use an opt-in or prior consent model. That means that users\u2019 consent must be obtained before their data is collected or used. Users must also be informed about the data collection and use. As the <a href=\"https:\/\/gdpr-info.eu\/issues\/consent\/\" target=\"_blank\" rel=\"noopener\">GDPR defines it<\/a>, <em>\u201cConsent must be freely given, specific, informed, and unambiguous.\u201d<\/em><\/p>\n<p>Several privacy bills introduced in the US in 2021 included strict opt-in requirements for users\u2019 consent to both the collection and sale of personal information. However, no privacy legislation actually passed in the US to date has included opt-in consent. All users must be notified about data collection and use, but getting their consent before data collection is not required.<\/p>\n<h4>Opt-out consent model<\/h4>\n<p>To date, all United States that have passed data privacy laws have favored an opt-out model. This means that, with some restrictions and requirements, controllers can collect information without first obtaining consumers\u2019 consent. Users do have to be notified about data collection, use, and their rights, and user consent is sometimes required to be allowed to sell or share data, or or use it for personalized advertising or profiling.<\/p>\n<p>This applies to adults, and there are often specific provisions regarding collection or sale of minors\u2019 personal information. More commonly in US law, however, prior consent may only be required for access to sensitive data or the personal data of children, which requires consent by a parent or guardian for children under a certain age.<\/p>\n<p>Consumers in the US are to date most familiar with what\u2019s known as a strict opt-out model. With this version, data controllers have to provide consumers with reasonable mechanisms via which they can opt out of usage (usually sale) of their data. For example, the CCPA requires websites to include a link on their websites with a clear version of the language: &#8220;Do Not Sell Or Share My Personal Information&#8221;. Some laws, but not all, require users to be able to change or withdraw previously given consent at any time as well.<\/p>\n<p>This model places the burden of action for privacy protection and exercising of their rights on adult consumers. If the consumer does nothing, a company can collect and sell their data. No state laws passed to date have included provision to enable consumers to opt out of the collection of their personal information, just the sale of it. Additionally, no states have passed laws requiring prior consent for data collection.<\/p>\n<h4>Hybrid consent model<\/h4>\n<p>This consent model is newer in the US, but is quickly gaining popularity for its flexibility and is the model used in a number of state bills that have been introduced. This is also the model adopted in the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/virginia-consumer-data-protection-act-vcdpa\/\">Virginia Consumer Data Privacy Act (VCDPA)<\/a>. It combines aspects of both the opt-in and opt-out models, mainly depending on the type and sensitivity of the information in question.<\/p>\n<p>Under this model, consumers would have a right to opt out of collection and sale of their information, but if they haven\u2019t exercised that right, a controller would be able to collect and sell it. This would apply to something like an email address, for example. But the controller would not be allowed to collect or sell sensitive personal information, like racial or health information, unless they obtained explicit consumer consent first.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-consumer-privacy-rights\">Consumer privacy rights<\/h2>\n\n\n<p>Under the various states\u2019 privacy laws, consumers have fairly consistent rights. However, as they are not identical, companies do need to be clear on consumers\u2019 rights in each relevant state. Under the CCPA, consumers have the following rights:<\/p>\n<ul>\n<li>to know what personal information a business has collected about them<\/li>\n<li>to request and receive the personal information that a business has collected about them<\/li>\n<li>to request that their personal information collected by a business be deleted<\/li>\n<li>to know if their personal information is\/has been sold or disclosed, and to whom<\/li>\n<li>to refuse the sale, disclosure, or use of their personal information by the business that collected it<\/li>\n<li>to not be discriminated against for exercising their privacy rights<\/li>\n<\/ul>\n<p>When the CPRA is enacted in 2023, consumers will have these additional rights:<\/p>\n<ul>\n<li>to request and have inaccurate data collected about them be corrected<\/li>\n<li>to limit use of data categorized as sensitive personal information<\/li>\n<li>to request information about automated decision-making and the likely outcomes of using such processes<\/li>\n<li>to opt out of the use of automated decision-making technology with regards to personal information<\/li>\n<\/ul>\n<p>Consumers rights under Virginia\u2019s CDPA are mostly a combination of those under both California laws. It is also likely that in the future laws will evolve, or new laws will include more detail on issues of technology and automation where use of consumers\u2019 data is concerned.<\/p>\n<p>Interestingly, only under California\u2019s laws do consumers have private right of action, or the ability to sue companies for alleged privacy rights violations. This provision has been a point of contention for bills in other states, and significantly contributed to the first bill in Florida not passing. Private right of action was not included in <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/florida-digital-bill-of-rights-fdbr\/\">Florida\u2019s Digital Bill of Rights (FDBR)<\/a> that passed in 2023. In most states, complaints must be submitted to the Attorney General, who will have responsibility for investigating allegations of violations and enforcing the law.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-personally-identifiable-information-pii-and-sensitive-personally-identifiable-information\">Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information<\/h2>\n\n\n<p>Each privacy law defines what constitutes user data or personal information, and typically splits it up into categories based on how easy it would be to use it to identify an individual. Information classified as \u201csensitive\u201d is subject to stricter controls for access, security and use, since it can present a greater risk to individuals if it is misused.<\/p>\n<p>If you can identify a person with a point of data, either on its own or in combination with a limited amount of other data, it\u2019s personally identifiable information (PII). \u201cPersonally identifiable information\u201d is the commonly used term in the United States, though under the GDPR it\u2019s called \u201cpersonal data\u201d. Sensitive PII is also sometimes referred to as \u201clinked data\u201d because it is directly or almost directly linked to, and can reveal, an individual\u2019s identity.<\/p>\n<p>While many organizations and government agencies use the term PII, the meaning can vary, and it\u2019s not a standardized legal term or definition. Companies need to confirm PII and sensitive PII definitions under the state laws to which they are subject.<\/p>\n<p>For a deep dive on definitions of personally identifiable information and data sensitivity, check out our article: <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/personally-identifiable-information-vs-personal-data\/\"><span style=\"font-weight: 400\">Personally Identifiable Information (PII) vs. Personal Data \u2013 What\u2019s the difference?<\/span><\/a><\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-definition-of-selling-personal-information\">Definition of selling personal information<\/h2>\n\n\n<p>In some US laws, like California\u2019s CCPA, the opt-out model is used, so companies do not have to obtain consumers\u2019 consent before collecting personal information. They only have to obtain explicit consent before selling the information. This has become fairly standard as other states have passed their own privacy laws. The <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/selectFromMultiples.xhtml?lawCode=CIV&amp;sectionNum=1798.140.\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400\">Definitions section of the CCPA<\/span><\/a> includes:<\/p>\n<blockquote><p><em>\u201cSell,\u201d \u201cselling,\u201d \u201csale,\u201d or \u201csold,\u201d means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer\u2019s personal information by the business to another business or a third party for monetary or other valuable consideration.<\/em><\/p><\/blockquote>\n<p>However, the definition of \u201csale\u201d under the CCPA is actually broader than the average consumer might think, and includes a variety of consumer-led disclosure examples, interactions with third parties, and other scenarios. The CPA\u2019s definition of \u201csale\u201d is nearly identical to the CCPA\u2019s. Companies are advised to carefully research what actions constitute sale of personal information under any state laws to which they are subject. There are some differences in the definition of sale across state-level privacy laws.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ensuring-consent-is-compliant-with-us-privacy-law-for-various-groups\">Ensuring consent is compliant with US privacy law for various groups<\/h2>\n\n\n<h4>Employees and contractor data<\/h4>\n<p>For companies looking to do business in the US, it is also important to be clear on specific definitions of \u201cconsumer\u201d. For example, under the CCPA, employees of companies doing business in California are also defined as consumers. Companies must notify employees, contractors, and job applicants when their personal information is collected. The data collected can only be used for specific reasons provided in notices to employees. Under the CDPA in Virginia, and the Colorado Privacy Act, however, employees, for the purposes of their data, are explicitly excluded from definitions of \u201cconsumer\u201d. This designation varies among other states\u2019 privacy laws as well.<\/p>\n<h4>Children\u2019s data<\/h4>\n<p>As mentioned, the provisions of various states\u2019 privacy laws apply explicitly to legal adults. There have already been a number of lawsuits under the CCPA regarding unauthorized collection and sale of the personal data of minors \u2014 including biometric data \u2014 so companies are advised to be extra careful if there is a possibility of minors\u2019 data being accessed or sold. Additionally, different provisions for different age ranges apply under different laws. Under other state-level privacy laws passed to date, \u201cchild\u201d can refer to people from 13 to 18 years of age, and some laws have additional provisions for children between 13 and 16.<\/p>\n<p>Under the CCPA, businesses cannot knowingly sell the personal information of people under 16 years of age without explicit consent. If the individual is between 13 and 16 years old, they can provide their own consent. But if under the age of 13, consent would have to be obtained from a parent or guardian. Note that this does not apply to collection of minors\u2019 personal information, just the potential sale.<\/p>\n<p>Under Colorado\u2019s Privacy Act, controllers can\u2019t process \u201csensitive data\u201d without first obtaining consent from the parent or lawful guardian of any \u201cknown child\u201d, wherein child is defined as someone under 13 years of age.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-re-requesting-consent-for-personal-information\">Re-requesting consent for personal information<\/h2>\n\n\n<p>It\u2019s clear that companies have to obtain consumers\u2019 consent for the sale (and sometimes collection) of personal information. However, if a consumer refuses consent, is that forever? Is there a term limit on consent or refusal of consent?<\/p>\n<p>Under the CCPA, if an individual opts out of the sale of their information (like clicking a \u201cDo Not Sell Or Share My Personal Information\u201d link) the company cannot solicit their consent again for \u201cat least 12 months\u201d. How often consumers can submit requests to companies for copies of their data is also limited under the laws. The length of time for which consent is valid varies under different laws around the world, and can vary from 6 months to 2 years.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-summary-of-us-privacy-law-compliance-for-eu-companies\">Summary of US privacy law compliance for EU companies<\/h2>\n\n\n<p>More state-level privacy laws were passed in the first part of 2023 than those combined in previous years, and more are sure to follow. The state-level laws also show rapid evolution of thought and adaptation for technology and other considerations.<\/p>\n<p>While the GDPR was influential on California\u2019s laws, and California\u2019s laws were influential on Virginia and Colorado\u2019s laws, each state\u2019s implementation of privacy law differs in moderate ways. Companies need a full understanding of what states\u2019 laws are relevant to them, their operations, and consumers with whom they do business. If and when the US passes a federal law, there will be a great deal more to learn and comply with.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-find-out-if-your-company-is-us-privacy-law-compliant\">Find out if your company is US privacy law-compliant<\/h2>\n\n\n<p>If your company processes US residents\u2019 data, you need to be aware of and comply with one or more different data privacy laws in the states where you operate or have customers. There are multiple provisions to keep track of, including whether the law applies to you, what constitutes personal data, privacy notice requirements, and consent conditions. Noncompliance can lead to costly fines, legal action, and damage to your brand reputation and customer trust.<\/p>\n<p>We\u2019ve created a series of handy checklists to guide you in ensuring you\u2019re protecting customers\u2019 personal data and are compliant with the different US privacy laws.<\/p>\n<p>Checklists for US privacy law compliance for EU companies:<\/p>\n<ul>\n<li><a href=\"https:\/\/usercentrics.com\/resources\/vcdpa-checklist\/\">VCDPA Compliance Checklist for Virginia<\/a><\/li>\n<li><a href=\"https:\/\/usercentrics.com\/resources\/cpa-checklist\/\">CPA Compliance Checklist for Colorado<\/a><\/li>\n<li><a href=\"https:\/\/usercentrics.com\/resources\/ctdpa-checklist\/\">CTDPA Compliance Checklist for Connecticut<\/a><\/li>\n<li><a href=\"https:\/\/usercentrics.com\/resources\/ucpa-checklist\/\">UCPA Compliance Checklist for Utah<\/a><\/li>\n<li><a href=\"https:\/\/usercentrics.com\/resources\/npicica-nevada-checklist\/\">NPICICA and SB-260 Amendment Compliance Checklist for Nevada<\/a><\/li>\n<li><a href=\"https:\/\/usercentrics.com\/lgpd\/\">LGPD<\/a><\/li>\n<\/ul>\n<p>For more compliance checklists, visit:<\/p>\n<ul>\n<li><a href=\"https:\/\/usercentrics.com\/checklists\/\">Checklists<\/a><\/li>\n<\/ul>\n\n<div id=\"uc-cta_69e21b5f0f853\" class=\"uc-cta uc-cta--illustration uc-cta--primary uc-ctx--blue\">\n    <div class=\"uc-cta__inner container\">\n        <div class=\"uc-cta__content\">\n                                        <div class=\"uc-cta__heading no-default-margin\">Let us make this easier for you!<\/div>\n                                        <div class=\"uc-cta__description\">\n                    <p>Talk to us today to help ensure your company&#8217;s data privacy compliance.<\/p>\n                <\/div>\n                                                    <div class=\"uc-cta__buttons\">\n                    <a id=\"74d0b7f9-4293-4530-8d7c-f074e59da20c\" class=\"uc-button uc-button-size-m uc-button-contained  no-default-link-decoration\" href=\"https:\/\/usercentrics.com\/book-a-consultation\/\" target=\"\"><span>Contact us<\/span><\/a>                <\/div>\n                                            <\/div>\n                            <div class=\"uc-cta__section\">\n                                                                    <div class=\"uc-cta__section__img-wrapper\">\n                                <img loading=\"lazy\" decoding=\"async\" width=\"1\" height=\"1\" src=\"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2021\/03\/Icon-support.png\" class=\"attachment-large size-large\" alt=\"Icon support\" \/>                            <\/div>\n                                                            <\/div>\n            <\/div>\n<\/div>\n    <script type=\"module\">\n        new Uc_Cta(document.getElementById(\"uc-cta_69e21b5f0f853\"));\n    <\/script>\n\n\n<p><em>Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.<\/em><\/p>","protected":false},"excerpt":{"rendered":"<p>If you are an EU company looking to do business in the US, this article provides you with some of the answers you will need to know about the US Privacy Law. <\/p>\n","protected":false},"featured_media":7473,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[14,13],"class_list":["post-405","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry","resource_tag-privacy","resource_tag-regulations"],"acf":[],"yoast_head":"<title>US Privacy Law Compliance for EU Companies - Usercentrics<\/title>\n<meta name=\"description\" content=\"What do EU companies need to know about compliance with US data privacy laws, and does GDPR apply? Learn about US Privacy Law Compliance for EU companies.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"US Privacy Law Compliance for EU Companies - Usercentrics\" \/>\n<meta property=\"og:description\" content=\"What do EU companies need to know about compliance with US data privacy laws, and does GDPR apply? Learn about US Privacy Law Compliance for EU companies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/\" \/>\n<meta property=\"og:site_name\" content=\"Usercentrics - US\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/usercentrics\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-26T10:11:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/usercentrics.com\/wp-content\/uploads\/2021\/08\/Us-privacy-law-compliance.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"US Privacy Law Compliance for EU Companies\" \/>\n<meta name=\"twitter:description\" content=\"If you are an EU company looking to do business in the US, this article provides you with some of the answers you will need to know about the US Privacy Law. Category: Privacy, California Consumer Privacy Act (CCPA)\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/usercentrics.com\/wp-content\/uploads\/2021\/08\/law-compliance.jpg\" \/>\n<meta name=\"twitter:site\" content=\"@usercentrics\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/\",\"name\":\"US Privacy Law Compliance for EU Companies - Usercentrics\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2023\\\/11\\\/US-privacy-law-compliance-for-EU-companies.jpg\",\"datePublished\":\"2023-11-02T06:41:18+00:00\",\"dateModified\":\"2025-06-26T10:11:07+00:00\",\"description\":\"What do EU companies need to know about compliance with US data privacy laws, and does GDPR apply? Learn about US Privacy Law Compliance for EU companies.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/\"}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/#primaryimage\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2023\\\/11\\\/US-privacy-law-compliance-for-EU-companies.jpg\",\"contentUrl\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/wp-content\\\/uploads\\\/sites\\\/7\\\/2023\\\/11\\\/US-privacy-law-compliance-for-EU-companies.jpg\",\"width\":1000,\"height\":1000,\"caption\":\"Women shaking hands with USA and EU flags\",\"copyrightNotice\":\"\u00a9 Copyright 2026 Usercentrics GmbH\",\"creator\":{\"@type\":\"Organization\",\"name\":\"Usercentrics GmbH\"},\"creditText\":\"Image: Usercentrics GmbH\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Resources\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/resources\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"US privacy law compliance for EU companies\",\"item\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/knowledge-hub\\\/us-privacy-law-compliance-for-eu-companies\\\/\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/#website\",\"url\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/\",\"name\":\"Usercentrics - US\",\"description\":\"Consent Management Platform (CMP) Usercentrics\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/usercentrics.com\\\/us\\\/?s={search_term_string}\"}}],\"inLanguage\":\"en-US\"}]}<\/script>","yoast_head_json":{"title":"US Privacy Law Compliance for EU Companies - Usercentrics","description":"What do EU companies need to know about compliance with US data privacy laws, and does GDPR apply? Learn about US Privacy Law Compliance for EU companies.","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"US Privacy Law Compliance for EU Companies - Usercentrics","og_description":"What do EU companies need to know about compliance with US data privacy laws, and does GDPR apply? Learn about US Privacy Law Compliance for EU companies.","og_url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/","og_site_name":"Usercentrics - US","article_publisher":"https:\/\/www.facebook.com\/usercentrics","article_modified_time":"2025-06-26T10:11:07+00:00","og_image":[{"url":"https:\/\/usercentrics.com\/wp-content\/uploads\/2021\/08\/Us-privacy-law-compliance.png","type":"","width":"","height":""}],"twitter_card":"summary_large_image","twitter_title":"US Privacy Law Compliance for EU Companies","twitter_description":"If you are an EU company looking to do business in the US, this article provides you with some of the answers you will need to know about the US Privacy Law. Category: Privacy, California Consumer Privacy Act (CCPA)","twitter_image":"https:\/\/usercentrics.com\/wp-content\/uploads\/2021\/08\/law-compliance.jpg","twitter_site":"@usercentrics","twitter_misc":{"Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/","url":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/","name":"US Privacy Law Compliance for EU Companies - Usercentrics","isPartOf":{"@id":"https:\/\/usercentrics.com\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/#primaryimage"},"image":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/#primaryimage"},"thumbnailUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2023\/11\/US-privacy-law-compliance-for-EU-companies.jpg","datePublished":"2023-11-02T06:41:18+00:00","dateModified":"2025-06-26T10:11:07+00:00","description":"What do EU companies need to know about compliance with US data privacy laws, and does GDPR apply? Learn about US Privacy Law Compliance for EU companies.","breadcrumb":{"@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/"}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/#primaryimage","url":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2023\/11\/US-privacy-law-compliance-for-EU-companies.jpg","contentUrl":"https:\/\/usercentrics.com\/us\/wp-content\/uploads\/sites\/7\/2023\/11\/US-privacy-law-compliance-for-EU-companies.jpg","width":1000,"height":1000,"caption":"Women shaking hands with USA and EU flags","copyrightNotice":"\u00a9 Copyright 2026 Usercentrics GmbH","creator":{"@type":"Organization","name":"Usercentrics GmbH"},"creditText":"Image: Usercentrics GmbH"},{"@type":"BreadcrumbList","@id":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Resources","item":"https:\/\/usercentrics.com\/us\/resources\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/"},{"@type":"ListItem","position":3,"name":"US privacy law compliance for EU companies","item":"https:\/\/usercentrics.com\/us\/knowledge-hub\/us-privacy-law-compliance-for-eu-companies\/"}]},{"@type":"WebSite","@id":"https:\/\/usercentrics.com\/us\/#website","url":"https:\/\/usercentrics.com\/us\/","name":"Usercentrics - US","description":"Consent Management Platform (CMP) Usercentrics","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/usercentrics.com\/us\/?s={search_term_string}"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge"}],"about":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/types\/knowledge"}],"version-history":[{"count":0,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/knowledge\/405\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media\/7473"}],"wp:attachment":[{"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/media?parent=405"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/tags?post=405"},{"taxonomy":"magazine_issue","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_issue?post=405"},{"taxonomy":"magazine_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/magazine_tag?post=405"},{"taxonomy":"resource_tag","embeddable":true,"href":"https:\/\/usercentrics.com\/us\/wp-json\/wp\/v2\/resource_tag?post=405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}