The General Data Protection Regulation (GDPR) has a towering impact on data privacy across the world. But, what are the implications for GDPR in the US? Do American companies have to abide by the GDPR? This article will look at the effects of GDPR in the US and how US businesses can comply with the European privacy law.
In December 2020, Twitter was fined €450,000, ($546,000) for failing to document and notify GDPR regulators within 72 hours of a data breach that exposed some users’ private tweets. This was the first cross-border GDPR penalty imposed on a US-based business. Does this mean all US companies can face penalties under GDPR? Let’s try to understand GDPR’s impact in the US.
Are US companies subject to GDPR?
Yes, the GDPR can apply to businesses in the US or any business outside the European Union. As per Article 3 of the GDPR, the territorial scope of the GDPR applies to businesses regardless of whether the processing takes place in the European Economic Area (EEA). The EDPB’s guidelines consider two criteria for the applicability of GDPR — the ‘establishment’ criteria and ‘targeting’ criteria.
Article 3(1) notes that any business outside the EU has to comply with the GDPR if it has an establishment (employee, agent, branch etc.) in the EU. For instance, if a US-based retailer has a branch in the EU for marketing and advertising purposes, this branch can be considered as a stable establishment under GDPR and subject to regulation.
According to Article 3(2), a business that targets individuals in the EU for offering goods or services (even if it’s free) or monitoring their behaviour falls under the scope of GDPR. Monitoring activities such as tracking through cookies or other technologies, behavioural advertising, geolocation, market surveys etc performed by a non-EU business can be subject to GDPR. A US business that has no establishment in the EU, but sells goods or services to consumers in the EU, will fall under the scope of GDPR in the US. Note that the law extends to any resident of the EU, irrespective of citizenship.
Who enforces GDPR in the US?
Each of the EU member states has designated a Supervisory Authority (SA) also referred to as Data Protection Authority (DPA), responsible for monitoring the application of GDPR within its territory. A regulator that receives a GDPR complaint from individuals that reside in their territory can be the concerned DPA. If the US company has a headquarter or main establishment in the EU, the DPA of that member state will be the primary or lead regulator for the business, as per GDPR’s one-stop-shop mechanism.
The Google Spain Decision decision on the territorial scope of GDPR is important in this regard. The Court of Justice of the European Union (CJEU) held the complaint filed against Google with the Spanish DPA. The court confirmed that since Google Inc. carried out personal data processing in the EU via Google Spain, it will be subject to EU laws. Similarly, tech firms that have EU headquarters in Dublin such as Google, Twitter, Facebook, eBay, PayPal, LinkedIn, Airbnb among a host of other firms, are subject to GDPR. Irish Data Protection Commission (DPC) is the lead regulatory authority in their case. (Read Big Tech vs GDPR)
GDPR in the US: What Businesses Need to Do
If a US company falls under the scope of GDPR, it is subject to same the requirements under GDPR, as its EU counterparts. Let’s take a look at the steps that can help businesses adequately prepare for GDPR in the US.
Audit the data you process
The first step is to identify the kind of personal data you are collecting, storing and processing. The categories could be names, emails, phone numbers, IP addresses, device IDs, credit card or bank details, geolocation data etc. Note that if your business employs EU residents, current or previous employee data that you have access to will also be subject to GDPR.
Identify the categories of data you collect, whether you collect ‘sensitive’ personal data such as race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric data. If you collect sensitive categories of personal data, you are required to have additional provisions in place such as Data Protection Impact Assessment (DPIA) or appointing a Data Protection Officer (DPO).
Establish legal bases for processing
Identify the legal basis for processing each personal data that you collect. GDPR provides for six legal bases for processing: consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
It is important to note that there must be only one legal basis for processing at a time and that it must be established before the processing begins. The legal basis should also be demonstrable at all times i.e. a business must be able to show internally, to data subjects, and to regulatory entities what legal basis it uses for each user.
Assess data transfer from EU to the US
The GDPR imposes strict restrictions on the transfer of personal data outside the European Union, to third-party countries or international organisations. This is to ensure that GDPR-level protection is accorded to data transferred outside the EU. But, what does data transfer mean? A transfer not only means moving the data outside the EU, but it also includes the storage, processing, and access from outside the EEA. For instance, a developer working from Texas may have access to customer logs of the companies’ EU establishment, and this can be considered as a data transfer.
GDPR hence requires that any other organization that you pass the data to outside the EU (including your parent company in the US) must be under a legally binding obligation to follow GDPR’s data protection requirements. The recent Schrems II ruling invalidated the EU-US Privacy Shield which is used by 5,000 US organizations for data transfer. As Standard Contractual Clauses (SCCs) remains valid for data transfer mechanism, businesses should audit of the use of SCCs.
Businesses need to assess, on a case-by-case basis, that the US company you import the data to, will be able to adhere to the contractual obligations of SCCs and provide adequate protections for the privacy rights of individuals whose personal data is transferred. Businesses should also consider whether government authorities can access the data and the availability of judicial redressal for the data subjects in the country before transferring that data.
Review data storage practices
As the Privacy Shield is invalidated, the storage of EU data in the US is called into question. Therefore, US companies should ensure that the personal data of EU residents are stored in the EU. Businesses that use cloud-based services for storage, should switch to service providers in the EU or to a country that can provide GDPR-level adequate protections. Businesses should also ensure that data is stored on secure servers that have technical and organisational security measures to safeguard it and to reduce the risk of loss, misuse, and unauthorised access, disclosure and alteration.
Storage limitation is one of the key principles for data protection in the GDPR. Essentially it means that personal data must be stored for the shortest time possible. Businesses must delete or anonymise personal data once it is no longer needed. Also, keep in mind that GDPR gives users the right to access, edit and delete their personal data collected by a business. So, you must have a secure system in place to store data.
Obtain prior user consent
Consent is identified as one of the lawful bases for data processing. This means businesses have to obtain consent before processing personal data.
GDPR consent must be freely given, specific and unambiguous. For consent to be free, it should be affirmative i.e. the user must give consent using a positive action. Data collected on websites via contact forms, subscriptions forms, sign up forms, email lists etc. should respect GDPR consent requirements. Read more about GDPR consent and how to comply.
Clear affirmative action means users must take deliberate and specific action to opt-in or agree to the processing, such as — ticking an opt-in box, clicking an opt-in button or link, double opt-in emails etc. You should also use jargon-free, plain language for transparency. You cannot rely on lack of response, inactivity, pre-ticked boxes, default settings or blanket acceptance as signs of consent. You must also provide easy ways for the individual to opt-out or withdraw consent in the future.
Obtain cookie consent
Simplify GDPR Compliance with CookieYes
CookieYes is a cookie consent solution trusted by 1 Million+ websites worldwide. Create a fully customizable cookie banner to comply with the GDPR, CCPA, LGPD, CNIL and more. Geo-target and auto-translate your banner to 30+ languages, block over 93 third-party scripts, and record all user consents.Try it for free
Cookie consent should be specific, and granular, meaning users should be able to opt-in to activate some cookies and not be forced to accept all. GDPR also requires that websites cannot assume consent if users ignore cookie banners and continue browsing nor use pre-checked boxes. Similarly, cookie walls that prevent the user from accessing the website or mobile app are unlawful.
Want to find out if your website is GDPR cookie compliant? Simply enter the URL of your website, get a detailed report on all the cookies used by your site.
Review agreements with third-parties
Any business that third-parties or data processors that you conduct business with should occur with a written agreement in place business. Under GDPR, data controllers are responsible for the actions of data processors. You should identify and list vendors who process data on your behalf. Ensure that you have Data Protection Agreements (DPAs) with third parties so that they fulfil the necessary GDPR requirements. Also, ensure that the third-party business has adequate technical and organizational safeguards.
Include the terms about the security of processing and data breach notification in your agreement. Third-parties must be contractually obligated to report any data breach to supervisory authorities and users, and Data Protection Impact Assessments. It is important to ensure that data processors implement GDPR measures with equal force to mitigate potential fines and penalties that may flow from vendors to your business.
Data breach notification
GDPR requires businesses to implement “appropriate technical and organisational measures” to address any security risks that they may face when dealing with personal data. Pseudonymisation, encryption, regular systems testing are all measures that are cited as risk reduction measures against data breaches.
In case a data breach occurs, your company must report the event to the appropriate data protection authority (e.g. the ICO in the UK or CNIL in France) within 72 hours of becoming aware of the event. If the data breach poses a high risk to the rights and freedoms of consumers, then they must also be notified by your company.
Appoint a DPO or GDPR representative
Do US companies need a DPO or Data Protection Officer? GDPR specifies two main criteria for businesses that need to appoint a DPO. One being large scale processing where the core activity of the company involves regular and systematic monitoring of users. The second criteria depend on whether you process sensitive categories of data. If you do not fit the criteria, appointing a DPO can facilitate your GDPR compliance, especially if you are looking to grow in EU markets.
Here’s an easy quiz that can help you determine if you need a DPO.
If you don’t have a physical presence in the EU ie. offices, branches or other establishments, you’ll need to appoint a GDPR representative in an EU country. Your GDPR representative needs to be set up in an EU state where some of the users whose personal data you process are located. The representative can be an individual or company that will act on your behalf regarding your EU GDPR compliance.
GDPR Checklist for US Companies
- Identify if you have a physical presence, employees in the EU or you process personal data of EU residents.
- Audit the categories of personal data you process, including sensitive categories of data.
- Establish a legal basis for processing each category of data.
- Ensure adequate SCCs for any data transfer outside the EU.
- Review your data storage and cloud services and their location.
- Update agreements with third parties that you may share data with.
- Appoint a DPO or GDPR representative for your company.
- Obtain prior consent before collecting personal data on your website.
- Obtain consent for using cookies and other tracking technologies.
GDPR has led the way for state-level privacy legislations in the US like California Consumer Privacy Act (CCPA), its amendment California Privacy Rights Act (CPRA). Fret not! CookieYes is a cookie compliance solution that can help you comply with GDPR in the US.
CookieYes can automatically scan your website for cookies, create a customizable cookie consent banner, auto-translate the banner according to the user’s location, and geo-target banner for EU visitors alone.
CookieYes also can help you get GDPR and CCPA compliant at the same time.
With CookieYes you can,
- Add custom CSS and branding to cookie banner
- Scan website for cookies and get audit report
- Block third-party cookies automatically
- Support user’s DNT preference
- Record user consents for proof
Trusted by over 1 million websites, CookieYes can simplify all your cookie consent management. Start complying right now!