GDPR in the US, what does it mean for me?

Approx Reading Time: 18 minutes

GDPR is not just for EU citizens and companies operating within the EU. The regulation applies to any website or company that collects the personal data of people who are in the EU, wherever that company is based. So you might think that because GDPR is a European Union law, a website operating in the USA is automatically exempt from it. But a website operating from outside the EU can still have visitors or users from the EU, and then it has to comply with GDPR to protect those European visitors. So what does GDPR mean for US citizens and US companies?


What GDPR means for websites and companies operating in the US:

  • If your website targets people in the EU and sells goods or services to them, then it needs to be GDPR compliant.
  • If your website, or a third-party service embedded in it, collects personal data of people in the EU or monitors their behaviour, then it needs to be GDPR compliant.
  • If your website only targets users in the USA or a specific US state and does not collect any personal data from people in the EU, then it does not have to be GDPR compliant under EU law.

What does GDPR mean for you as a US citizen?

  • If you are a US citizen on vacation in an EU country, you are protected by GDPR for as long as you are on EU soil.
  • If you are a US citizen living in an EU country, you are protected by GDPR.
  • GDPR empowers customers and internet users in the US and around the world by holding websites and businesses accountable for the data they hold about individuals.

While GDPR was put in place to protect the privacy and personal data of people in the EU, it affects companies and websites operating in the US as well. It also protects US citizens while they are visiting an EU country, and it has forced companies that collect your data to be more open about how they handle and process it. So whether you run a US-based website or company or are simply a US citizen, it is worth knowing what GDPR means for you, and this article discusses it in detail.

What does GDPR mean to US companies?

If you are a US-based website owner or a US-based company selling goods through a website, it is worth knowing how GDPR might affect you, because not every website based outside the EU needs to be GDPR compliant. Since there is a lot of confusion around GDPR in the US, this section explains which websites operating from the USA need to be GDPR compliant and which are exempt. GDPR is a complicated law, so the explanation uses examples to make it easier to see how it affects US-based websites and businesses.

A website/company that sells products to EU citizens:

To understand how GDPR affects a company or website that actively targets customers in the EU, consider a hypothetical company. Suppose a US-based company sells hats and ships them globally, taking orders through a website or an app from customers in many countries, including EU member states. Such a company has to collect some personal data, such as the name, phone number, age and address of the customers it ships hats to. As soon as it receives an order from a customer who is within the EU, the company becomes legally bound to comply with GDPR, because it is collecting personal data from a person in the EU in order to ship the product to their address. The company intends to sell globally, including in the EU, and it accepts European currencies as payment; under GDPR (Article 3(2)), offering goods or services to people in the EU is what brings a non-EU company into scope, and accepting euros and shipping to EU addresses are exactly the kind of evidence that a company is doing so. This US-based hat maker therefore has to follow GDPR to lawfully collect data from people in the EU and keep offering its products there.

A company/website that collects information from users or uses AdSense or Google Analytics:

Even if a website is not directly selling products to customers in the EU, it can still be collecting data about people in the EU. Consider a blog about pet care. On the surface this website is neither selling a product nor directly targeting people in the EU. But it runs Google Analytics to learn where its traffic comes from, and it runs AdSense or a similar third-party advertising program to display ads on its pages. It may also let visitors sign up for a newsletter, which requires them to enter their details. Both the advertising program and the newsletter form collect personal data if they are enabled on a website. And if a person in the EU lands on the site through a search engine, Google Analytics will register that visitor's location and AdSense will also collect a certain amount of data about them. This means the blog is indirectly collecting data about people in the EU even if they never sign up for the newsletter.


So in this case your website needs to be GDPR compliant, because the third-party partners embedded in your blog are collecting data about people in the EU and building profiles of your visitors to decide which ads to show them.

A website that only targets Local US citizens and doesn’t collect data from EU citizens:

This scenario applies to US-based websites or businesses that offer their services exclusively to people in the US and do not run any third-party services that track the website's traffic. Consider the website of a hypothetical bakery. The bakery only delivers within a 6-mile radius of its physical location, so the website's target audience is local US residents. Although the website collects data from its users in order to deliver their orders, those users are not in the EU. More importantly, the website does not have Google Analytics or AdSense enabled, so it does not track or store data about people in the EU even if one of them stumbles upon the bakery's site for some reason. (One check worth doing here: make sure the web server's own access logs are not keeping visitor IP addresses indefinitely, since an IP address is personal data too.) In this case the website is not storing any data about a person in the EU and has no intent to target or sell anything to people in the EU, so such locally operating US-based websites do not need to be GDPR compliant.

As the examples above show, you cannot simply ignore GDPR just because your company operates from the US. The intent of the website is an important factor in deciding whether GDPR applies, but if the website tracks the behaviour of EU users, either by collecting data directly or through third-party services such as Google Analytics, then it needs to be GDPR compliant even though its intended audience is not in the EU.

What does GDPR mean for you as a US citizen?

At first glance, GDPR seems to protect the personal data of EU citizens only. But the regulation does not require EU nationality: Article 3 makes it apply to individuals who are physically within the EU, whatever their citizenship. This makes GDPR applicable to US citizens in certain situations as well, and the examples below show what GDPR means for you as a US citizen.

A US citizen visiting a European country:

As mentioned above, GDPR is not meant to benefit EU citizens only; it protects the data of anyone who is currently within the EU. To see how this benefits US nationals, take the example of a US citizen visiting Spain, an EU member state. During the trip, the US citizen uses the internet to order a product for delivery to their address in the US. In this scenario the US citizen is protected by GDPR because they provided their personal data to the website while within the EU. So the website that received the order is bound to comply with GDPR when processing or storing that person's data.

A US citizen living in the EU:

This scenario is similar to the previous one, the only difference being that the individual is living in the EU on a long-term basis. Consider a student who is a US citizen but is living in Spain for their education, and suppose this student orders a product online to their EU address. Once again the data is being collected from an individual who is inside the EU, which obliges the website to comply with GDPR when handling that individual's data.

GDPR gives US citizens and internet users around the globe control over their personal information:

One of the biggest benefits GDPR has for internet users and consumers around the globe is that when a website has to comply with GDPR to serve people in the EU, it usually updates its privacy policy and data handling processes for all of its users rather than maintaining two separate regimes. GDPR does not require this for non-EU users, but in practice many websites that comply with it ask all of their users for consent and offer them the same controls.

The scenarios above make it clear that it is worth being aware of GDPR even if you are a US citizen. The law has changed the way companies handle the data of their users and holds websites and companies accountable for how they use the data they collect. Its benefits eventually trickle down to internet users and consumers outside the EU, and GDPR has influenced newer data protection laws around the world, including in the US.

How can a website comply with GDPR?

Besides the obvious benefit of being free to reach an audience in the EU, your website becomes a lot more user friendly when you make it GDPR compliant. Almost 92 percent of US-based companies comply with GDPR, which goes to show that it has real benefits for a business or website: a GDPR compliant company inspires trust in its customers, who are more likely to recommend it to people in their circle. Being GDPR compliant also means you have looked at what data you hold and how it is protected, which reduces both the likelihood and the impact of a data breach. Suppose you decide not to make your company GDPR compliant because you do not have to. This may save you the hassle of changing how you handle and store client data and updating your privacy policies, but it also leaves your company exposed: a breach can ruin your company's reputation if someone gains unauthorised access to your database. Putting the preventative measures that GDPR calls for in place makes you a harder target and limits the damage if a breach does happen. You can make your company/website GDPR compliant by following the guidelines explained below:

Review how and why your website is collecting data:

Almost every website collects user data in at least one form. Whether your website is an eCommerce site or a general blog, it is likely to have a contact form or a newsletter through which users can reach you or subscribe to email notifications. These are the data collection methods you are probably aware of. But your website can also collect user data to customise the experience while the user is on the site; this kind of collection is built into most content management systems, such as WordPress and similar platforms, typically through cookies. To comply with GDPR you have to make sure visitors know why you collect their data, so reviewing which cookies your website sets, along with the forms it contains, will tell you how and why data is being collected on your website.

Next, audit the third-party tools you use on your website. These include any tools you use to analyse traffic and visitor trends and any tools you use to run ads. All such third-party services collect data about your visitors, including IP addresses and location, and an IP address counts as personal data under GDPR. Make a list of every data collection method your website uses, including the third-party tools, and note the reason each piece of data is collected.
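The inventory described above can be started mechanically. The following script is an added example for this article, not code from the original page: it walks a page's HTML with Python's standard-library parser, records every third-party host the browser is told to contact, matches those hosts against a short illustrative list of known analytics and advertising domains (the list and the sample page are constructed for the example), and lists the fields of each form a visitor might fill in. It also applies the data minimisation check from later in this article, flagging contact-form fields beyond name, email and message; the allowlist of "reasonable" contact-form fields is an assumption you should tune to your own site.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative map of third-party hosts to the service behind them.
# Constructed for this example; extend it with whatever your own audit turns up.
KNOWN_TRACKERS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "pagead2.googlesyndication.com": "Google AdSense",
    "www.facebook.com": "Facebook Pixel",
}

# Assumed allowlist: what a plain contact form needs (data minimisation check).
CONTACT_FORM_ALLOWED = {"name", "full_name", "email", "message"}


class CollectionInventory(HTMLParser):
    """Records (a) every third-party host a page loads resources from and
    (b) every visitor-fillable field of every form on the page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.third_party = {}     # host -> set of tag names that load it
        self.forms = []           # [{"action": ..., "fields": [...]}]
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img") and a.get("src"):
            self._note_host(tag, a["src"])
        elif tag == "link" and a.get("href"):
            self._note_host(tag, a["href"])
        elif tag == "form":
            self._current_form = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current_form)
        elif tag in ("input", "textarea", "select") and self._current_form is not None:
            if a.get("type") in ("submit", "hidden", "button"):
                return  # not something the visitor types into
            self._current_form["fields"].append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None

    def _note_host(self, tag, url):
        host = urlparse(url).hostname  # None for relative URLs, which are first-party
        if host and host != self.site_host:
            self.third_party.setdefault(host, set()).add(tag)


def inventory(html, site_host):
    """Return a data-collection report for one page of the site at site_host."""
    p = CollectionInventory(site_host)
    p.feed(html)
    excess = []
    for form in p.forms:
        if "contact" in form["action"]:
            excess += [f for f in form["fields"] if f not in CONTACT_FORM_ALLOWED]
    return {
        "third_party_hosts": {h: sorted(t) for h, t in p.third_party.items()},
        "known_trackers": sorted(KNOWN_TRACKERS[h] for h in p.third_party if h in KNOWN_TRACKERS),
        "forms": p.forms,
        "excess_contact_fields": excess,
    }


# Constructed sample page: a first-party script and stylesheet, two embedded
# Google services, a contact form that asks for more than it needs, and a
# 1x1 tracking image.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/js/app.js"></script>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<script src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<form action="/contact" method="post">
  <input type="text" name="full_name">
  <input type="email" name="email">
  <input type="tel" name="phone">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_PAGE, "www.example.com"), indent=2))
```

Run it against each template of your site (or a crawl of it) and the report becomes the list of data collection methods this section asks for; the `third_party_hosts` entries that are not in `KNOWN_TRACKERS` are the ones you still have to look up and justify.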

Update your website’s privacy policy:

Now that you know every source through which your website collects user data, and the reason for collecting it, it is time to tell visitors about it by updating your website's privacy policy. If your website did not have a privacy policy, now is the time to write one. GDPR requires a lawful basis for every piece of personal data you process; consent is one such basis (others include performing a contract, meeting a legal obligation and legitimate interests), and for third-party analytics and advertising trackers it is normally consent that you will need. Your privacy policy should therefore state what you collect, on what basis, and ask for permission where consent is the basis. This covers data gathered directly, through contact forms and newsletters, as well as data gathered through third parties such as Google Analytics and AdSense. Since those third-party services are collecting user data through your website, it is your responsibility to explain why they collect it and to obtain the user's consent.

Some common data collection methods you should tell your visitors about are server logs, analytics tools, user accounts and third-party marketing tools. Keep in mind that simply naming them is not enough; you also have to be open about the purpose for which each kind of data is collected. For example, when you mention that your website uses an analytics tool, you also have to explain that the data it collects is used to understand where your web traffic comes from.

Develop a GDPR policy:

So far you have identified how and why your website collects user data and informed users about it in your privacy policy. Now it is time to let visitors know what rights they have over the data you hold about them, by writing a GDPR policy. GDPR gives people in the EU (the data subjects) certain rights that put them in control of their data. Some rights you must inform website visitors about are:

1. What happens if the website suffers a data breach

Under GDPR you must tell the people whose data you hold what rights they have, including what happens if someone gains unauthorised access to their data. Tell them what kinds of risk they might face in a breach, and that if a breach is likely to put them at high risk they have a right to be informed about it.

2. Users have a right to get the data you hold on them

This is the right of access, and you have to state it clearly in your website's GDPR policy. Under GDPR a user can ask for a copy of the data you hold about them, such as location data, IP addresses and other personal data, and you normally have one month to respond. So to comply, this right needs to be clearly stated, along with the process through which you will provide a user's data to them when they ask for it.

3. Users have a right to ask you to delete the data you hold about them

If a user thinks the data your website or company holds about them was provided by mistake, or is sensitive, they can ask you to delete it under GDPR (the right to erasure). So to comply, your company should be ready to delete any data that the person it concerns no longer wants you to hold. Suppose a customer has bought some items from your company and does not want you to keep a record of it; under GDPR that customer has a legal right to ask for their data to be deleted. Note that the right is not absolute: where another law obliges you to keep a record, for example accounting rules that require invoices to be retained, you may keep that record, but you should still remove or unlink the identifying data you no longer need and tell the person why the rest is being kept.

It is compulsory to inform website users about the rights described above with respect to the data you hold, and your GDPR policy must convey them in a clear, easy-to-read manner. The list is not exhaustive: GDPR also grants rights to have inaccurate data corrected, to restrict or object to processing, and to data portability, so your policy should cover those too.

Make sure you are not collecting the data you don’t need:

A simple way to move toward GDPR compliance is to stop collecting data you do not need. Most of the time a general contact form only needs the person's name and email address. As the website owner it is your job to make sure a customer does not have to provide a physical address, phone number and other irrelevant details just to fill out a contact form. This limits the amount of data you store about your clients, and it also reduces the number of erasure requests you will have to handle, since you only collect what is necessary to serve the user. You should also avoid holding users' data for longer than it is needed.

Ensure that the data you hold about your clients/users are well protected:

GDPR is all about protecting your users' personal data, and you cannot comply with it unless you put in place the data protection measures that keep the data you hold secure. A good way to limit the damage from any breach is to regularly delete user data that you no longer need. You should also make sure that the data you hold about users is accessible only to authorised personnel, so that nobody without a need can reach sensitive personal data. If a breach does happen, GDPR requires you to notify the supervisory authority within 72 hours of becoming aware of it, and, where the breach is likely to pose a high risk to the people affected, to inform those users without undue delay about the nature of the breach and the risk it poses to them. The purpose of informing affected users is to let them mitigate the consequences of the breach and reduce their risk as much as possible.
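The three obligations above (answer access requests, honour erasure requests subject to the legal-retention exception, and keep nothing longer than needed, all behind an access check) come together in one small store. The following is an added example for this article, not code from the original page. It uses an in-memory SQLite database with constructed sample data; the retention periods, the role names allowed to handle requests and the schema are all assumptions to replace with your own, and the order retention period in particular must follow the statutory period that applies to your records.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed retention periods: check the legal retention period for your own records.
ORDER_RETENTION = timedelta(days=7 * 365)        # keep financial records this long
NEWSLETTER_IDLE_LIMIT = timedelta(days=2 * 365)  # drop subscribers idle this long
PRIVACY_ROLES = {"privacy_officer", "support_lead"}  # assumed roles allowed to handle requests

SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample data


class CustomerStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT, phone TEXT);
            CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER,
                                amount_cents INTEGER, placed_at TEXT);
            CREATE TABLE newsletter(email TEXT PRIMARY KEY, consented_at TEXT, last_seen TEXT);
        """)

    def add_customer(self, email, name, phone):
        return self.db.execute("INSERT INTO customers(email,name,phone) VALUES (?,?,?)",
                               (email, name, phone)).lastrowid

    def add_order(self, customer_id, amount_cents, placed_at):
        self.db.execute("INSERT INTO orders(customer_id,amount_cents,placed_at) VALUES (?,?,?)",
                        (customer_id, amount_cents, placed_at.isoformat()))

    def subscribe(self, email, when):
        self.db.execute("INSERT OR REPLACE INTO newsletter VALUES (?,?,?)",
                        (email, when.isoformat(), when.isoformat()))

    def _authorize(self, actor_role):
        # Only designated roles may read or delete a person's full record.
        if actor_role not in PRIVACY_ROLES:
            raise PermissionError(f"role {actor_role!r} may not handle data subject requests")

    def export_subject(self, email, actor_role):
        """Right of access: everything held about one person, in a structured form."""
        self._authorize(actor_role)
        cust = self.db.execute("SELECT id,email,name,phone FROM customers WHERE email=?",
                               (email,)).fetchone()
        orders = []
        if cust:
            rows = self.db.execute("SELECT id,amount_cents,placed_at FROM orders WHERE customer_id=?",
                                   (cust[0],))
            orders = [dict(zip(("id", "amount_cents", "placed_at"), r)) for r in rows]
        news = self.db.execute("SELECT consented_at,last_seen FROM newsletter WHERE email=?",
                               (email,)).fetchone()
        return {"customer": dict(zip(("id", "email", "name", "phone"), cust)) if cust else None,
                "orders": orders,
                "newsletter": dict(zip(("consented_at", "last_seen"), news)) if news else None}

    def erase_subject(self, email, actor_role):
        """Right to erasure with the legal-obligation exception: identifying data is
        deleted; order records that must be kept are unlinked from the person."""
        self._authorize(actor_role)
        cust = self.db.execute("SELECT id FROM customers WHERE email=?", (email,)).fetchone()
        retained = 0
        if cust:
            retained = self.db.execute("UPDATE orders SET customer_id=NULL WHERE customer_id=?",
                                       (cust[0],)).rowcount
            self.db.execute("DELETE FROM customers WHERE id=?", (cust[0],))
        unsubscribed = self.db.execute("DELETE FROM newsletter WHERE email=?", (email,)).rowcount
        self.db.commit()
        return {"customer_deleted": cust is not None, "newsletter_deleted": unsubscribed == 1,
                "orders_retained_anonymised": retained}

    def purge_expired(self, now):
        """Scheduled retention job: nothing outlives the purpose it was collected for."""
        o = self.db.execute("DELETE FROM orders WHERE placed_at < ?",
                            ((now - ORDER_RETENTION).isoformat(),)).rowcount
        n = self.db.execute("DELETE FROM newsletter WHERE last_seen < ?",
                            ((now - NEWSLETTER_IDLE_LIMIT).isoformat(),)).rowcount
        self.db.commit()
        return {"orders_purged": o, "newsletter_purged": n}


def build_sample_store(now=SAMPLE_NOW):
    """Constructed sample data: one customer with a recent and a very old order,
    one other customer, one active subscriber and one long-idle subscriber."""
    s = CustomerStore()
    alice = s.add_customer("alice@example.com", "Alice Example", "+1 555 0100")
    s.add_order(alice, 150000, now - timedelta(days=30))
    s.add_order(alice, 4200, now - timedelta(days=8 * 365))   # older than ORDER_RETENTION
    bob = s.add_customer("bob@example.com", "Bob Example", "+1 555 0101")
    s.add_order(bob, 9900, now - timedelta(days=10))
    s.subscribe("alice@example.com", now - timedelta(days=100))
    s.subscribe("carol@example.com", now - timedelta(days=3 * 365))  # idle past the limit
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(store.purge_expired(SAMPLE_NOW))
    print(store.export_subject("alice@example.com", "privacy_officer"))
    print(store.erase_subject("alice@example.com", "privacy_officer"))
```

Timestamps are stored as ISO 8601 strings in UTC so that the retention cut-offs can be compared directly in SQL. The erasure routine deliberately keeps the order rows after removing the link to the customer; that is the shape of the exception discussed above, and the returned summary gives you the wording for the reply to the person who asked.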

Once you have made the changes above, your website or company will meet the basic requirements of GDPR. These guidelines are the baseline; depending on the type of data you process and hold, you may need to go further.

Conclusion

GDPR turns on the geographic location of the person whose data is being processed, which means it applies to every US-based company and website that processes data about customers and users in the EU. Likewise, every US citizen who shares their data with a business or website, directly or indirectly, while within the EU is protected by the law. So even for a US-based website or company, GDPR compliance makes your business a lot more trustworthy.