May 23, 2023
In 1992, Singapore banned the sale of all chewing gum. But if you owned a corner store in the U.S. and a Singaporean tourist came to visit your business, there would be nothing to stop you from selling them a pack of gum—in the U.S. selling gum is perfectly legal. You’d think the same dynamics would apply when it comes to processing personal data.
Well, not exactly.
The EU’s General Data Protection Regulation (GDPR), which protects EU residents’ data privacy rights, has an extraterritorial reach. That means even U.S. businesses need to comply with it under certain circumstances.
Because you can collect and process an individual’s data from anywhere in the world, data privacy laws like the GDPR need to apply extraterritorially. Organizations based in the U.S. that process EU citizens’ data aren’t off the hook for GDPR compliance by a long shot. The GDPR applies to any controller or processor that offers goods or services to or monitors the behavior of EU data subjects, even if the data is stored elsewhere. If it's the data of an EU resident, then it's covered by the GDPR.
In this blog, we’ll explore GDPR compliance in the U.S., who is protected by the GDPR, and what GDPR compliance means for U.S. companies.
The General Data Protection Regulation was the first of its kind and remains the most substantial and strictest data privacy law in the world.
The GDPR protects EU residents' personal data and grants them certain rights, including the rights to:
There are seven GDPR principles that cover protection and accountability. These principles state that businesses must:
We dive more into the nuts and bolts of the GDPR, its background, and how to comply with the law in our GDPR guide.
The GDPR defines a data subject as a natural person who can be identified or identifiable by their personal data. So, does the GDPR apply to U.S. data subjects? In some circumstances, yes.
The GDPR applies to all EU residents and EU-established businesses. So, a U.S. citizen residing in the EU would still be protected by the GDPR. Similarly, a U.S. citizen residing in the U.S. who accesses the services of a primarily EU-based business would be protected by the GDPR.
By the same token, an EU citizen visiting the U.S. and patronizing a primarily U.S.-based business is not protected by the GDPR. The exception is if that EU citizen accesses the services of a primarily EU-based business; in that case, any personal data collected or processed in the transaction would be covered by the GDPR.
This can be a little unintuitive, but the important thing to remember is the geographic region involved. If the data subject is in the EU, the GDPR applies (regardless of EU citizenship). If the organization processes personal data in the EU, then the GDPR applies. So, a purely U.S.-based business serving only customers in the U.S.—regardless of whether they’re an EU or U.S. citizen—does not need to comply with the GDPR.
Furthermore, if you are targeting U.S. customers only and have incidental business coming from the EU, that probably isn't going to require GDPR compliance. That's why it's crucial to know who your data subjects are and where your data is flowing.
When it comes to U.S. businesses, the specific part of the GDPR that matters is Article 3(2), which reads:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
Given the nuance and complexity, if you suspect you are subject to the GDPR, it’s best to assume you are subject to the GDPR.
As of this writing, there is no federal law like the GDPR that covers U.S. citizens. However, there are a number of state data protection laws that apply to U.S. citizens. Several states have implemented such laws, including California (the California Privacy Rights Act, CPRA); Virginia (the Consumer Data Protection Act, CDPA); Colorado (the Colorado Privacy Act, CPA); Utah (the Utah Consumer Privacy Act, UCPA); and more. Several other states are considering or have proposed legislation.
What does that mean for U.S. businesses? For those who process the personal data of EU residents, it means they’ll need to comply with the GDPR. Those that do not may not have to comply with a data privacy law, but given the accelerating rate at which states are adopting data privacy laws, that’s only a temporary circumstance. Compliance with the GDPR doesn’t necessarily translate into compliance with every data privacy law, but it will make compliance easier down the road.
Below, we’ll walk through some of the basic concepts you’ll need to be familiar with to begin working toward GDPR compliance, such as what personal data is, what a controller or processor is, and more. This is by no means exhaustive; a full breakdown of GDPR requirements can be accessed in our GDPR guide. But it should serve as a good primer for U.S. businesses unfamiliar with their GDPR obligations.
Afterward, we’ll walk through a brief GDPR compliance checklist for U.S. companies to guide your initial steps toward compliance.
Public or private U.S. companies that collect or process the personal data of EU residents are subject to the GDPR. So, what exactly is covered by the term “personal data”?
Personal data includes “any information relating to an identified or identifiable natural person (‘data subject’).” According to the regulation, an identifiable natural person “is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR defines two different entities that manage personal data and lays out specific requirements for each. They are controllers (i.e., the organization that determines the purpose for and means of processing data) and processors (i.e., the organization or organizations that process data on behalf of the controller). Both can be held liable for violations.
Conceivably, a U.S. company could serve as either a processor or controller under the GDPR—as stated previously, the only important factor is whether or not the company controls or processes the data of data subjects who reside within the EU. In determining your responsibilities under the GDPR, identifying whether you serve as a controller or processor is essential.
Both controllers and processors must keep records of processing activities. Controller records must include:
Processor records must include many of the same details above, including name and contact details, categories, transfers of data, and where possible, a general description of the technical and organizational security measures that the processor has employed to protect personal data.
If you have to comply with the GDPR (and specifically if Article 3(2) applies to your organization), then GDPR Article 27 requires you to maintain a presence in the EU in the form of a designated EU representative. This is so EU data protection authorities have a liaison to contact for any compliance concerns.
Clearly, this can be a challenge for companies who are just discovering the need for GDPR compliance. Fortunately, Osano maintains a Dublin-based GDPR representative that our customers can use to meet this requirement.
Before an organization subject to the GDPR (including U.S. companies) can process EU residents’ personal data, there must be a legal basis for that processing to occur. There are a handful of legal bases in which it’s okay for companies to process personal data, which are outlined in Article 6 of the GDPR. These instances include when:
It’s important to note that the GDPR does not apply to U.S. businesses that have occasional instances of doing business in the EU. However, if you regularly do business there, serve ads to EU citizens, or track cookies or IP addresses in the EU, then your business should strive to be compliant.
Additionally, companies with fewer than 250 employees are exempt from some GDPR regulations, such as keeping a record of processing activities “unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional,” or if the processing includes special categories of data.
As is the case for businesses, if a government agency processes the data of EU citizens regularly, then the GDPR applies. Examples could include a tourism site advertising in the Union, providing the option to book a service or buy goods in an EU member state’s currency or language, or collecting email addresses of EU citizens for commercial use.
Naturally, the question of GDPR compliance is far trickier when it comes to U.S. law enforcement and intelligence. Whether or not GDPR compliance is a concern for such entities, however, is outside the scope of this article.
Fines for GDPR noncompliance are serious. Companies that violate the law can be fined 4% of annual global revenue, or 20 million euros, whichever is greater.
Fines and penalties are not just a threat, either. From January 2022 to January 2023, more than $1.7 billion in fines were issued, according to a report by DLA Piper.
Recently, the EU’s Data Protection Commission fined Meta (Facebook and Instagram’s parent company) more than $410 million for its behavioral advertising practices in Europe. Other significant fines include:
These are major companies and major fines, and that’s why they make headlines. Plenty of smaller businesses receive fines that are potentially existential or crippling—they just don’t get as much news coverage as the Amazons and Metas of the world.
If your company regularly collects personal data from EU citizens or residents for commercial reasons, it must be compliant with the GDPR. Even if it doesn’t regularly process such data, it’s a good idea to review your data privacy practices.
There are a few basic steps a U.S. company should complete to comply with GDPR:
GDPR may have started as an EU initiative, but there’s no doubt that it has had worldwide implications. Many U.S. business owners have been left feeling confused about the law’s requirements, whether the law applies to their company, and what effective GDPR compliance looks like for U.S. companies.
You don’t have to try to navigate the law’s complexities on your own. Osano provides a number of free resources to help you get up to speed on compliance.
When you’re ready to take the next steps in your compliance journey, we offer a range of solutions that help U.S. companies meet GDPR requirements—such as serving as your required EU representative, securing data subject consent, responding to data subject rights requests, and more. Schedule your demo today.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.