Does GDPR apply to US?
You may have heard about GDPR – the General Data Protection Regulation – but does GDPR actually apply to US companies and US individuals? It’s very important for US businesses to understand exactly what GDPR is, why it is in place and how it impacts your operating procedures.
What is GDPR?
In 2018, the EU rolled out the General Data Protection Regulation to keep track of how companies handle the personal information of Europeans. As this law was created in the EU, you would think it only applies to individuals and companies operating within the EU. However, you would be mistaken: its impact is far-reaching, to the point where if you are a US business selling your products or services to EU residents, it is something that you may need to comply with.
The core principles and objectives of GDPR are designed to protect the privacy and rights of individuals in relation to their personal data. Some of these principles include lawfulness, fairness, and transparency of personal data. Personal data should be collected for specified, explicit, and legitimate purposes. GDPR also introduces significant fines for non-compliance, providing a strong incentive for companies to take data protection seriously.
GDPR equivalent in the USA
Currently, the United States doesn’t have a complete federal law to protect data like the GDPR in Europe. In the European Union, the GDPR makes one set of rules for data protection across all member countries. But in the US, there are different rules at the national and state levels, creating a confusing mix of laws. Because there isn’t one overall federal law, data protection regulation in the US is complicated and scattered.
The closest US law to GDPR is the CCPA (California Consumer Privacy Act), but this is limited to California residents.
A key thing that makes the GDPR so different from any US privacy law is that it does not impose a size or revenue threshold. Your business could consist of just 1 individual and your revenue may be very low, but if you are selling to an EU resident, you would still need to comply with the GDPR.
Does GDPR apply to US websites?
If a US website deals with the personal information of individuals in Europe, it has to comply with the GDPR law. This can include selling products or services to those based in Europe. US websites will need to get their EU customers’ permission to use the data, keep it safe, and let people control their information.
To meet all of the GDPR’s business requirements, US websites might have to change how they handle data, including making sure it’s secure and telling their customers what they are doing with their information. If US websites do not follow these rules, they could potentially face serious fines. It is important for US websites to know and follow the GDPR law when dealing with the personal data of EU residents.
Does GDPR apply to EU citizens in the US?
If a company in the United States deals with the personal information of EU citizens whilst those individuals are in the US, including offering them services or products, then it does not need to follow GDPR rules.
In this instance, whether GDPR applies or not is determined by an individual’s location rather than their citizenship/residency, meaning the regulation does not extend its protection to EU residents when they are travelling or residing in the US.
Does GDPR apply to US citizens in the EU?
If you are a US-based company selling to EU residents, including any EU residents who may be US citizens, you would need to comply with GDPR. This is because they are located in the EU, where GDPR takes precedence.
The conversations around GDPR rules show how the laws about keeping information safe are changing as the world becomes more connected through digital technology. As companies grow and work worldwide, it’s very important for them to know about GDPR amongst other global rules for keeping data safe.
Whilst this is mainly about following the rules and ensuring you are compliant, privacy is a big concern for many individuals nowadays, so understanding and following these rules helps build trust between your company and your customers.
Additionally, laws will keep evolving in the future, and new laws may even be created in the US. If you are a US-based company, keeping up to date with the latest information on GDPR will therefore be extremely beneficial.