Does GDPR Apply to US Companies? A Practical Guide to GDPR Compliance
Does GDPR apply to US companies? I’m telling you whether the GDPR applies to your US company and give you free access to a simple step-by-step guide on GDPR compliance for your company’s website.
Navigating all the privacy laws and regulations that apply to your company can be quite complex, and if you’re anything like me, you want to ensure your business complies with all the laws that apply to your business, especially if it’s the strictest one of all; the GDPR. As a lawyer myself who drafts privacy and cookie policies for large and small businesses like yours, I am giving you the answer to your burning question: Does GDPR apply to US companies?
I will give you all the answers you need to the question ‘Does GDPR apply to US companies?’, including what is GDPR compliance, and I’ll give you free access to a GDPR compliance checklist for your company’s website.
After learning the answer to ‘Does GDPR apply to US companies?’, you will know whether the GDPR applies to your US company and what you need to do.
This post is all about the answer to the burning question: ‘Does GDPR apply to US companies?’
Does GDPR Apply to US Companies? The Ultimate Guide
Who does GDPR apply to?
Give me the short answer: Does GDPR apply to US Companies?
In short, yes, the GDPR applies to most US companies and likely to yours, too.
While the General Data Protection Regulation (GDPR) is a regulation of the European Union (EU), its applicability extends beyond EU borders. So, it affects companies worldwide, including US companies.
In what cases does the GDPR apply?
The GDPR applies in any case in which personal data from an individual within the EU is processed regardless of where that individual is a resident of an EU country. The GDPR makes no distinctions based on individuals’ permanent places of residence or nationality. Thus, the GDPR has a very broad scope compared to other data protection and privacy laws, like the CCPA (often said to be the “GDPR US equivalent”), other US State laws and the PIPEDA, which only protect residents.
What does processing personal data mean?
‘Processing’ personal data means any of the following:
Collecting. If people fill out a form on your website and they have to include personal data like their name or email address, that is considered collecting personal data. The same goes for a simple newsletter signup.
Storing. When you keep the personal data you receive from individuals. For example, for future newsletters, invoices or order updates.
Recording. When you record an individual on video, photo or audio.
Distributing or sharing the personal data with someone else (against payment or for free).
Using. You actually use the personal data to send newsletters, invoices or order updates.
You are also using someone’s personal data when you are ‘profiling’ people. You are profiling someone when you are tracking someone’s activities online. That’s the case when you are using cookies on your website. Also, when you use social media ads, you are monitoring people’s behaviour. It’s the automatic processing of personal data.
What is personal data?
Personal data is any data that can be used to identify a person. Here are some examples:
Name
Phone number
Email address
Date of birth or age
Photo, video footage of a personal or their property that can be used to identify them, like their house or car
Voice recording
Physical location
Internet Protocol (IP) address (which is considered personal data only when it can identify a person in conjunction with other personal data)
Home, mailing, billing or business address
Credit or debit card information
So, does GDPR apply to US companies?
Yes, in two cases:
If the US company offers goods (products) or services to people within the EU, regardless of whether such goods or services are paid or offered for free, then the GDPR applies.
If the US company is monitoring the behaviour of people within the EU, then the GDPR applies.
The first one is pretty straightforward. Basically, if a US company sells products or (online) services to people in the EU, the GDPR applies. But here’s another example. Let’s say a US company offers English courses in a building in Florida to people whose native language is Spanish. No online courses are offered. But that US company also allows Spanish people in Spain to apply for a course online or over the phone before they actually move to the US. In that case, the US company is collecting personal data from individuals in the EU, and the GDPR applies.
The second one sounds a bit abstract; “monitoring the behaviour of people within the EU”. What does that even mean? We already touched upon this when we answered the question of what processing personal data is. If your website is accessible to people within the EU, you likely are monitoring their behaviour. So, let’s say the US company is a blog that only has content about Jacksonville, Florida. It includes blog posts about where to eat, what activities to do, and where to stay in Jacksonville. People in the EU who want to vacation in Jacksonville will likely visit that blog. So, in that case, the GDPR would apply to the US blogging business as well.
Even if your blog or other US business does not target an audience located in or from the EU, people in the EU will likely land on your website, so you will need to comply with the GDPR.
My (US company’s) website does not process any personal data. Do I need to comply with the GDPR?
Firstly, you should know that many types of data qualify as “personal data.” It’s actually pretty rare for a business or website not to collect at least some personal information. Examples are:
taking customer inquiries via email, contact forms, or social media;
maintaining a mailing list, or
using functional, analytical, or advertising cookies.
Even when your website only uses analytics to measure the performance or functionality of your website, that also counts as collecting personal information.
If your website collects users’ IP addresses, advertising IDs, location, and referral data or tracks their usage, and people in the EU are not blocked from accessing your website, the GDPR will also apply.
So, if you have a website that anyone from the EU is able to access, then the GDPR applies to your US company, too.
But what if I have a US-based coaching business, but clients can still keep using my coaching services when they travel to other countries, like the EU? Does the GDPR apply in that case, too?
Provided your US-based coaching business only targets its coaching services to US citizens, and you do not specifically target people in the EU, your US company will not be subject to the GDPR.
However, as stated above, if your coaching business has a website that people in the EU can also visit, the GDPR will most likely apply to your company. So, if (1) your US-based coaching business does not have a website or the website can not be accessed by people within the EU and (2) your coaching business only targets US citizens, then your company is not subject to the GDPR.
Does GDPR apply to US companies that also target people in the EU but have 100% of their clients not in the EU?
Those US companies also have to comply with the GDPR. As previously stated, if a US company offers goods or services to people in the EU, then the GDPR applies. That does not mean that anyone in the EU has actually purchased those goods or services.
Whether a US company offers goods or services to people within the EU is determined based on the facts. Let’s say the US company offers its products/services in euros; then it obviously targets people in the EU. Or if the US company offers shipping options to countries within the EU, then it’s also targeting people in the EU. Or, let’s say the US company runs ads on Google or social media that also target people in the EU; then that US company is also offering its products/services to people in the EU.
Again, if people in the EU can access the US company’s website, then the GDPR will also apply in most cases.
So, does GDPR apply to US companies with no clients in the EU? In most cases, yes.
I have a small US company, and I now know that the GDPR applies to my company. What if I do not comply with the GDPR?
If you choose not to comply with the GDPR, this could result in significant fines, up to EUR 20 million or 4% of your company’s global turnover, to be exact.
The data protection authorities have the power to impose these fines on companies established outside of the EU.
They can also impose additional corrective measures on you, such as ordering you to stop processing personal data.
Non-compliance with the GDPR is not a realistic option for any website if you weigh up the small cost of compliance with the GDPR against the potentially HUGE cost of being investigated.
The ultimate FREE GDPR compliance checklist for your website
In this blog post, we have answered the question, “Does GDPR apply to US companies?”.
So, you have probably figured out that the GDPR applies to your US business. But what do you need to do to comply with the GDPR?
I am telling you exactly what you need to do to have your US company’s website comply with the GDPR, including:
the legal pages you need to comply with the GDPR,
where and how to display your privacy policy on your website to comply with the GDPR, and
how to get consent for newsletters in a way that complies with the GDPR (which requires a different strategy than in the case of the CCPA).
Where can you find all these answers? In my ultimate guide on the 11 Essential Legal Elements for Your Website.
And in this guide, I go beyond just GDPR compliance. I’m telling you EVERYTHING you need to protect your business from internet trolls, copycats, and so much more!
Subscribe to my newsletter below to get FREE access now!
This post was all about answering the burning question of ‘Does the GDPR apply to US Companies?’
You can get your complete Legal Website Bundle (to comply with the GDPR) on this page of my contract shop!
Want to learn more about which legal pages you need for your website? Read this blog post on What Legal Pages Should a Website Have | 7 Must-Haves.
