GDPR Compliance for US Companies: Full Guide & Checklist

Fernando Figueiredo
August 19, 2025

The General Data Protection Regulation, also known as GDPR, has changed how businesses worldwide approach their data privacy policies. And here's something that might surprise you—even though this is a European regulation, it doesn't just affect European companies. If your US business processes data from EU residents, GDPR compliance becomes your legal obligation too. Many American companies discover this requirement only after they've already been collecting European customer data for months or years. 

That said, it’s essential to understand how to handle GDPR in the USA: if your company collects information from European customers, employees, or website visitors, you need to know these rules. 

Our guide will show you how GDPR affects US companies and give practical steps to achieve compliance through proper data protection practices, including, of course, how Zeeg helps businesses maintain GDPR compliance with its European-hosted scheduling platform.



TL;DR

  • GDPR also applies to US companies that process EU residents' data through offering goods/services or monitoring behavior. 
  • Key requirements include lawful processing bases, privacy policies, data subject rights, breach notification (72 hours), and potentially appointing a Data Protection Officer.
  • Non-compliance penalties reach €20 million or 4% of global revenue. 
  • US companies need data audits, consent management, security measures, and EU representatives if no European presence exists. 
  • There’s no direct GDPR US equivalent, but some US state laws, like CCPA, provide similar protections for American consumers.

When does GDPR apply to US companies?

Until now, you may have assumed that GDPR compliance requirements applied only to EU businesses. That’s not the case: GDPR’s reach is global. Article 3¹ makes GDPR compliance a legal requirement for US companies under specific circumstances, so American businesses can't escape these obligations simply by operating outside European borders.

GDPR in the US applies when companies meet any of the following criteria established by Article 3:

1) Offering goods or services to EU residents: This includes free services like newsletters, websites, or mobile apps accessible to Europeans. Payment isn't required—simply making content available to EU users triggers compliance obligations. So if you're running an e-commerce site that ships to France, or you have a SaaS platform with German users, GDPR applies to you.

2) Monitoring behavior of EU residents: When tracking website visitors through cookies, analytics, or advertising technologies—that qualifies as monitoring. Companies using Google Analytics, Facebook Pixel, or similar tools for EU visitors must comply with GDPR requirements. Even something as simple as tracking which pages your European visitors view can trigger these obligations.

3) Being established in the EU: This covers US companies with European offices, subsidiaries, or other forms of business presence in the EU. Even if your main operations are in the US, having any kind of establishment in Europe brings you under GDPR's scope regardless of where the actual data processing happens.

| Business Type | GDPR Applies? | Reason |
|---|---|---|
| US e-commerce shipping to Europe | Yes | Offering goods to EU residents |
| SaaS platform with EU users | Yes | Providing services to EU residents |
| Website using Google Analytics | Yes | Monitoring EU visitor behavior |
| Local coffee shop (US only) | No | No EU targeting or monitoring |
| Freelancer with EU clients | Yes | Providing services to EU individuals |

Company size doesn't matter for GDPR compliance in the US. Unlike some American privacy laws that exempt small businesses, GDPR applies equally to startups and Fortune 500 companies. The regulation focuses on what you're doing with data, not how big your company is or how much money you make.

Does GDPR protect US citizens abroad?

Here's where things can get a bit confusing. To understand GDPR's scope, you need to know that the rule is location-based, and not citizenship-based. The regulation protects individuals based on where they are when their data gets processed, not what passport they carry. So:

US citizens in Europe receive GDPR protection when they're physically present in EU/EEA countries. So if you're an American tourist using a ride-sharing app in Paris, you enjoy the same data rights as any EU resident during your visit. The app company has to treat your data according to GDPR rules, even though you're not European.

EU citizens in the United States don't receive GDPR protection for data processing that occurs while they're on American soil. Their location at the time of processing determines applicable privacy laws, not their citizenship status. It's really that simple—where you are matters more than where you're from.

Summing it up:

  • A US citizen working remotely from Berlin for six months receives GDPR protection for data processed during this period
  • A German citizen visiting New York falls under US privacy laws like CCPA if they use services subject to American regulations
  • Data collected while traveling is protected according to the location where it was collected, not where it's ultimately stored or processed

And what’s more interesting, government entities face similar requirements too. For example, US federal and state agencies must comply with GDPR when processing EU residents' data.

What are the core GDPR requirements for US companies?

GDPR compliance for US companies involves implementing comprehensive data protection measures across several critical areas. These requirements apply with the same rigor as they do to European organizations—there's no "lighter" version for American companies.

1. Data protection principles

Seven fundamental principles govern all data processing activities under GDPR². US companies must demonstrate compliance with each principle through documented policies and technical measures. And here's the thing—you can't just pick and choose which ones to follow.

  • Lawfulness, fairness, and transparency require establishing valid legal bases for data processing. You need to clearly communicate processing purposes and methods to data subjects. The legitimate bases include consent, contractual necessity, legal obligations, vital interests, public tasks, or legitimate interests. Each type of processing needs its own legal basis.

  • Purpose limitation restricts data use to specified, explicit purposes communicated during collection. You can't collect data for one reason and then use it for something completely different without additional legal justification or obtaining fresh consent for new uses. This is where many companies get into trouble.

  • Data minimization mandates collecting only information necessary for stated purposes. This principle challenges traditional data collection practices that gather extensive information "just in case" it becomes useful later. The days of collecting everything you can are over.

  • Accuracy obligations require maintaining current, correct information and providing mechanisms for individuals to update their data. You must implement processes for regularly reviewing and correcting stored information when people tell you it's wrong.

  • Storage limitation demands deleting data when it's no longer needed for original purposes. Organizations must establish retention schedules and automated deletion procedures to comply with this requirement. You can't keep data forever "just because."

  • Integrity and confidentiality encompass security measures protecting data from unauthorized access, loss, or destruction. This includes encryption, access controls, regular security assessments, and incident response procedures.

  • Accountability places the burden on your organization to demonstrate compliance with all of the principles above. This is why the documented policies, processing records, and evidence of technical measures described throughout this guide matter so much.

2. Individual rights

GDPR grants eight specific rights to data subjects that US companies must honor through established procedures and reasonable timeframes³. These aren't suggestions—they're legal requirements that people can enforce.

  • Right to be informed requires providing clear, concise privacy notices explaining data processing activities. You must communicate purposes, legal bases, retention periods, and individual rights at the point of data collection. This means your privacy policy actually needs to be readable and helpful.

  • Right of access enables individuals to obtain confirmation about data processing and receive copies of their personal information. Companies must respond within one month and provide data in commonly used formats. People can literally ask "what data do you have about me?" and you have to tell them.

  • Right to rectification allows correcting inaccurate or incomplete data. Organizations must implement systems enabling individuals to update their information and notify third parties of corrections when feasible.

  • Right to erasure (right to be forgotten) permits requesting data deletion under specific circumstances. Valid requests include withdrawn consent, unlawful processing, or data no longer necessary for original purposes. However, you don't have to delete everything—there are exceptions for things like legal compliance.

  • Right to restrict processing lets individuals limit data use while disputes about accuracy or lawfulness are resolved. Companies must mark restricted data and avoid further processing except for storage.

  • Right to data portability enables individuals to receive their data in structured, machine-readable formats and transfer it to other controllers. This right applies to data processed based on consent or contract performance.

  • Right to object allows challenging data processing, particularly for direct marketing or legitimate interest-based processing. Companies must stop processing unless they demonstrate compelling legitimate grounds. For direct marketing, there's no exception—if someone objects, you must stop.

  • Rights regarding automated decision-making protect individuals from solely automated decisions with significant effects. Companies must provide human review opportunities and explain the logic behind automated processing.

3. Documentation and record-keeping requirements

Article 30⁴ says that organizations need to maintain detailed records of processing activities. While companies with fewer than 250 employees have limited exemptions, most US businesses processing EU data must document their activities. And this documentation isn't really optional—it's what regulators will ask for first during an investigation.

Processing records must include:

  • Controller and processor contact details
  • Processing purposes and categories
  • Data subject categories and personal data types
  • Recipients of data disclosures
  • International transfer details and safeguards
  • Retention periods where possible
  • Security measure descriptions

These records serve as compliance evidence during regulatory investigations and help organizations understand their data processing landscape for privacy impact assessments. Think of them as your "compliance insurance policy."

4. Data breach notification rules

GDPR establishes strict timelines for reporting data breaches to supervisory authorities and affected individuals⁵. US companies must implement detection and response procedures meeting these requirements. The clock starts ticking the moment you become aware of a breach.

72-hour authority notification applies when breaches likely pose risks to individual rights and freedoms. Companies must report to relevant supervisory authorities within 72 hours of becoming aware of incidents. Late notifications require explanations for delays, and "we didn't know about it" usually doesn't fly if you should have known.

Individual notification is mandatory when breaches pose high risks to rights and freedoms. Notifications must use clear, plain language and include the nature of the breach, its likely consequences, and the protective measures taken. You can't just say "there was a data breach" and leave it at that.

Breach notifications must contain:

  • Nature of the personal data breach
  • Contact details for further information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Strong encryption can reduce notification obligations when encrypted data becomes compromised but remains unreadable to unauthorized parties. This is one reason why encryption is so important.

5. When to appoint officers and representatives

Appointing a Data Protection Officer (DPO) is required when organizations conduct large-scale systematic monitoring, process sensitive data extensively, or are public authorities⁶. DPOs must possess expert knowledge and maintain independence within the organization. So, not every company needs one, especially if we’re talking about small businesses. But if you do need one, the person must be properly qualified.

Also, non-EU companies without a European establishment must appoint an EU representative⁷. These representatives act as contact points for supervisory authorities and data subjects, facilitating enforcement actions and compliance communications. If you don't have a European office, you'll likely need one.

Note: Companies meeting neither requirement should document their assessment for regulatory transparency. Even if you don't need a DPO or representative, you should be able to explain why.

GDPR compliance checklist for US companies

So far we’ve covered a lot of ground, and it’s easy to get lost in the details. Achieving GDPR compliance does require systematic implementation across different business areas.

Most US companies feel overwhelmed when they first look at GDPR requirements. You're dealing with a complex European regulation that uses unfamiliar terminology and concepts that don't always translate neatly to American business practices. Breaking compliance down into manageable steps makes the process much more approachable.

That’s why we’ve created this checklist of actionable steps for US companies handling EU personal data. Hopefully it will help with your GDPR efforts:

GDPR Compliance Checklist for US Companies

💡 Pro Tip: Don't try to do everything at once—prioritize based on your highest risks.

1. Conduct data audits

  • Inventory personal data sources, including website forms, customer databases, employee records, marketing lists, and third-party integrations. Document data flows from collection through disposal. This includes data you might not think about, like server logs or backup files.
  • Categorize data types and identify sensitive personal data requiring additional protections. Sensitive categories include racial origin, political opinions, religious beliefs, health information, and biometric data. Special categories get special treatment under GDPR.
  • Map data processing activities to show how information moves through your organization. Include internal uses, third-party sharing, and international transfers in your documentation. Follow the data journey from start to finish.
  • Assess data retention practices against business needs and legal requirements. Establish retention schedules and implement automated deletion procedures for expired data. If you don't need it anymore, get rid of it.

2. Establish legal basis for processing

  • Evaluate processing purposes and match activities with suitable legal bases. Marketing communications typically require consent, while customer service may rely on legitimate interests. Different activities can have different legal bases.
  • Document legal basis decisions with clear rationales for each processing activity. This documentation proves compliance during audits and helps staff understand requirements. Write down your reasoning so you can explain it later.
  • Implement consent management for consent-based processing. Ensure consent is freely given, specific, informed, and easily withdrawable through clear mechanisms. Consent has to be a real choice, not a formality.
  • Review contract terms to ensure data processing clauses align with GDPR requirements. Update customer agreements and vendor contracts as needed.

3. Update privacy policies and notices

GDPR demands transparent, accessible privacy information that individuals can understand. Privacy policies must cover all required elements in clear language—no more legal jargon that nobody can understand.

Essential privacy policy contents include:

  • Identity and contact details of the data controller
  • Purposes of processing and legal bases
  • Legitimate interests pursued (where applicable)
  • Categories of personal data collected
  • Recipients or categories of recipients
  • International transfer details and safeguards
  • Retention periods or criteria for determining them
  • Individual rights and exercise procedures
  • Right to withdraw consent (where applicable)
  • Right to lodge complaints with supervisory authorities
  • Whether providing data is statutory, contractual, or required
  • Automated decision-making details (if applicable)

Make policies accessible through clear navigation, and provide translations for major customer languages when practical. Your privacy policy should be something people can actually find and read.

4. Implement security measures

GDPR requires "appropriate technical and organizational measures" to protect personal data. Security requirements scale with processing risks and data sensitivity—higher risk processing needs stronger protection.

Technical measures include:

  • Encryption for data at rest and in transit
  • Access controls limiting data access to authorized personnel
  • Regular security updates and vulnerability assessments
  • Backup procedures and disaster recovery plans
  • Secure data deletion capabilities

Organizational measures encompass:

  • Staff training on data protection responsibilities
  • Clear procedures for handling personal data
  • Regular security audits and risk assessments
  • Incident response plans for data breaches
  • Vendor security assessments and contractual requirements

Document security measures to demonstrate compliance with accountability requirements. You need to be able to show what you're doing to protect data.

5. Set up data subject request procedures

Establish efficient procedures for handling individual rights requests within GDPR timeframes. Most requests require responses within one month, extendable to three months for complex cases. People will exercise these rights, so you need to be ready.

  • Create request channels through multiple methods including email, online forms, postal mail, and phone. Ensure accessibility for individuals with disabilities. Make it easy for people to reach you.
  • Implement identity verification to prevent unauthorized access while avoiding excessive requirements that discourage legitimate requests. You need to verify who's making the request without making it too difficult.
  • Train staff on request handling procedures, escalation protocols, and response timeframes. Designate responsible personnel for each request type. Everyone should know what to do when a request comes in.
  • Document request handling to track response times, outcomes, and any delays. This documentation helps identify process improvements and demonstrates compliance efforts.

6. Manage third-party agreements

GDPR makes data controllers responsible for processor compliance. You're accountable for what your vendors do with personal data. Implement robust vendor management and contractual protections for data sharing relationships.

Data Processing Agreements (DPAs) must cover:

  • Processing purposes and duration
  • Personal data categories and data subjects
  • Controller and processor obligations and rights
  • Security requirements and breach notification
  • Sub-processor restrictions and approval processes
  • Data transfer safeguards for international processing
  • Data deletion or return upon contract termination

Vendor assessments should evaluate data protection capabilities, security measures, compliance track records, and financial stability. Conduct regular reviews to ensure ongoing compliance.

Monitor compliance through audits, certifications, and regular communications with processors. Address identified deficiencies promptly through corrective action plans.

What are the penalties for US companies?

GDPR enforcement against US companies is carried out by European Data Protection Authorities (DPAs), which have imposed significant fines on American companies in the past. These penalties demonstrate the regulation's extraterritorial reach and the serious consequences of non-compliance. The fines are real, and they're substantial.

Fine structure and calculation

There are two penalty tiers based on how serious the violation is⁸. The regulators don't just pick numbers randomly—there's a structure to how fines get calculated.

Lower tier violations (up to €10 million or 2% of annual worldwide turnover):

  • Inadequate technical and organizational measures
  • Failure to conduct Data Protection Impact Assessments
  • Non-compliance with processor obligations
  • Deficient data protection by design and default
  • Missing or inadequate Data Protection Officer

Higher tier violations (up to €20 million or 4% of annual worldwide turnover):

  • Processing without lawful basis
  • Violating data subject rights
  • Unlawful international data transfers
  • Non-compliance with marketing and profiling rules
  • Failure to obtain adequate consent

Regulators consider multiple factors when calculating penalties, and they look at your specific situation:

  • Nature, gravity, and duration of violations
  • Intentional or negligent character
  • Categories and number of affected data subjects
  • Damage level suffered by individuals
  • Cooperation with supervisory authorities
  • Previous violations and compliance history
  • Financial benefits gained or losses avoided
  • Other aggravating or mitigating circumstances

So if you cooperate and show good faith efforts to fix problems, that can help reduce penalties. But if you ignore warnings or actively try to hide violations, expect the full force of the law.

Major previous penalties against US companies

Meta (Facebook/Instagram): €1.2 billion fine in 2023 for unlawful data transfers to the US without adequate safeguards⁹. This represents the largest GDPR penalty to date. Yes, that's billion with a "b."

Google: Multiple fines including €60 million from France's CNIL for inadequate cookie consent mechanisms on YouTube and other services. Even Google, with all their legal resources, couldn't avoid these penalties.

Amazon: €746 million fine from Luxembourg's data protection authority for processing personal data without adequate legal basis. Amazon appealed, but the fine shows that even the biggest companies aren't immune.

Twitter: €450,000 penalty for failing to notify regulators of a data breach within required timeframes and inadequate breach documentation. Sometimes it's not the breach itself—it's how you handle it afterward.

These penalties underscore that US companies cannot ignore GDPR obligations simply because they operate outside Europe. DPAs actively investigate and penalize non-compliant American businesses.

How enforcement works across borders

European regulators employ various tools to ensure US GDPR compliance. You might wonder how European authorities can actually make American companies pay fines, but they have several methods:

  • Asset seizure can affect US companies with European bank accounts, real estate, or other assets. DPAs can freeze or seize these assets to enforce penalty payments. If you have any European presence, they can target those assets.

  • Business restrictions may include orders to cease specific data processing activities or suspend services for EU customers until compliance is achieved. They can essentially force you to stop serving European customers.

  • Cooperation agreements between US and EU authorities facilitate enforcement actions. While formal treaties don't exist specifically for GDPR, mutual legal assistance agreements enable information sharing and enforcement support.

Some US companies have chosen to geo-block European users rather than achieve compliance, though this approach risks losing customers permanently and may not provide complete legal protection. It's like cutting off your nose to spite your face.

Is there a GDPR US equivalent?

While there’s no direct GDPR US equivalent at the federal level, several states have enacted comprehensive privacy laws inspired by European regulations¹⁰. Understanding these laws helps US companies develop unified privacy strategies, but the landscape is quite fragmented compared to GDPR's unified approach.

State privacy legislation landscape

California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), provide the most GDPR-like protections in the United States. These laws grant Californians rights to access, delete, and opt-out of personal data sales. California basically decided to create their own version of data protection rights.

Virginia Consumer Data Protection Act (VCDPA) establishes comprehensive privacy rights for Virginia residents, including access, correction, deletion, and portability rights similar to GDPR. Virginia followed California's lead but with some differences.

Colorado Privacy Act (CPA) creates privacy rights and obligations comparable to other state laws, with enforcement beginning in July 2024. Colorado jumped on the privacy bandwagon too.

Additional states continue proposing privacy legislation, creating a complex patchwork of requirements that companies must navigate. Connecticut, Utah, and other states are all working on their own versions.

Federal privacy framework gaps

The United States lacks a comprehensive federal privacy law equivalent to GDPR. Instead, there are a bunch of sector-specific regulations that govern particular industries:

  • Health Insurance Portability and Accountability Act (HIPAA) protects health information in healthcare settings but doesn't extend to general commercial data processing. It only covers healthcare providers and related entities.
  • Children's Online Privacy Protection Act (COPPA) regulates children's data collection but only applies to users under 13 years old. Once kids turn 13, different rules apply.
  • Gramm-Leach-Bliley Act governs financial institution privacy practices but doesn't create comprehensive individual rights. It's focused on financial services.
  • Fair Credit Reporting Act (FCRA) regulates credit reporting activities but has limited scope compared to comprehensive privacy laws.

GDPR compliance for small businesses in the US

GDPR for Small Businesses - Quick Summary

  • 🎯 Priority areas: Focus on marketing consent, customer data security, and website compliance first. You don't need to do everything at once.
  • 🛠️ Use existing tools: Leverage platforms like Google Workspace, Mailchimp, and cookie consent tools instead of building custom solutions.
  • 💰 Budget-friendly: Most small businesses can achieve basic compliance for $10-80/month using available tools and resources.
  • 👥 Consider outsourcing: Initial legal consultation ($500-2,000) often provides better value than learning everything from scratch.

💡 Start with high-risk areas, implement gradually, and document your progress.


GDPR compliance for small business operations often seems overwhelming due to resource constraints and limited legal expertise. However, small companies can achieve compliance through focused, practical approaches. You don't need a massive compliance team to get this right.

Prioritize the most important requirements

Small businesses must prioritize GDPR compliance activities based on their specific data processing risks and available resources. In fact, not every requirement demands immediate, extensive implementation—you should focus on what matters most for your situation.

  1. Focus on high-risk areas like marketing consent, customer data security, and individual rights procedures. These areas generate the most regulatory attention and potential penalties. Start with the stuff that's most likely to get you in trouble.
  2. Leverage existing tools rather than building custom solutions. Many affordable platforms offer GDPR-compliant features for website cookies, email marketing, and customer data management. Don't reinvent the wheel when good solutions already exist.
  3. Implement gradually by addressing the most critical requirements first, then expanding compliance efforts as resources allow. Perfect compliance from day one isn't required if companies show good faith progress. Rome wasn't built in a day.
  4. Document decisions about compliance priorities and implementation timelines. This documentation demonstrates accountability and helps during regulatory interactions. Write down your plan and stick to it.

Use cost-effective compliance solutions

  • Cloud service providers often offer GDPR-compliant services at reasonable costs. Platforms like Microsoft 365, Google Workspace, and Amazon Web Services provide built-in privacy controls and data processing agreements. Many cloud providers have done the heavy lifting for you.
  • Privacy policy generators can create basic compliant policies for small businesses. While not replacing legal review, these tools provide starting points for companies with limited budgets. They're not perfect, but they're better than nothing.
  • Training resources are available through free webinars, online courses, and regulatory guidance. Staff education doesn't require expensive consultants if companies use available educational materials. There's a lot of free information out there.
  • Industry associations often provide GDPR guidance and resources tailored to specific business types. These organizations help small companies understand sector-specific requirements and best practices.

Consider outsourcing

  • Legal consultation for initial compliance assessment may provide better value than ongoing legal fees. Short-term expert advice can help small businesses understand their obligations and create implementation plans.
  • Privacy specialists can conduct data audits and create compliance documentation more efficiently than internal staff learning these skills from scratch. Sometimes it's worth paying an expert to do it right.
  • Technology vendors specializing in privacy compliance offer turnkey solutions for small businesses. These services often cost less than building internal capabilities.
  • Industry consultants familiar with specific business types provide targeted advice that generic privacy consultants might miss.

Technology solutions for GDPR compliance

Another good way to approach GDPR is with tools that help you with it. There is a great deal of GDPR-compliant software available, so we’ll mention a few options:

Consent management platforms

  • Cookie consent tools automate website compliance by detecting tracking technologies, categorizing cookies, and managing user preferences. Leading solutions include CookieYes, OneTrust, and Cookiebot. These tools handle the technical complexity of cookie consent for you.
  • Email marketing platforms like Mailchimp, Constant Contact, and Campaign Monitor offer GDPR-compliant features including double opt-in, consent records, and easy unsubscribe mechanisms. The good news is that many email platforms have built GDPR compliance into their standard features.
  • Customer preference centers allow individuals to control their communication preferences and exercise privacy rights through self-service portals. Let people manage their own preferences instead of making them email you.

Privacy management software

  • Data mapping tools automatically discover and categorize personal data across organizational systems. Solutions like BigID, Privacera, and OneTrust Privacy Management provide comprehensive data discovery capabilities. These tools can find personal data in places you didn't even know you had it.
  • Request management systems handle individual rights requests through structured workflows, identity verification, and response tracking. These tools ensure timely responses and compliance documentation.
  • Risk assessment platforms evaluate privacy risks for new projects and data processing activities. Automated privacy impact assessments reduce compliance burden while maintaining thorough risk analysis.

Security and encryption solutions

  • End-to-end encryption protects data throughout processing and storage lifecycles. Solutions like Vera, Microsoft Purview, and Google Cloud Security provide enterprise-grade encryption with key management.
  • Access control systems limit data access to authorized personnel based on roles and responsibilities. Identity management platforms ensure proper access governance and audit trails.
  • Data loss prevention tools monitor and control data movement to prevent unauthorized transfers or breaches. Cloud-native solutions integrate with existing business applications.

Zeeg: GDPR-compliant scheduling solution

For US companies needing appointment scheduling while maintaining GDPR compliance, Zeeg offers a European-hosted solution that addresses data protection requirements from the ground up. Instead of trying to make a US-based tool GDPR-compliant, Zeeg was built with GDPR in mind from day one.

European data hosting ensures personal data remains within GDPR jurisdiction, eliminating concerns about international transfers and adequacy decisions. Your data never leaves Europe, which makes compliance much simpler.

End-to-end encryption protects appointment data throughout collection, processing, and storage. All communications between users and servers receive cryptographic protection. Your scheduling data gets the same security as banking information.

Data minimization principles guide Zeeg's data collection practices. The platform collects only information necessary for scheduling functionality and provides clear retention controls. Zeeg doesn't collect data it doesn't need.

Individual rights support includes easy data access, correction, and deletion capabilities. Users can exercise privacy rights through simple interface controls without complex request procedures. People can manage their own data without jumping through hoops.

Transparent privacy practices communicate clearly about data collection, processing purposes, and individual rights through accessible privacy notices and consent mechanisms.

Zeeg's approach demonstrates how modern software can achieve business objectives while maintaining full GDPR compliance. The platform's focus on privacy by design makes it an ideal solution for US companies serving European customers.

FAQ

Does GDPR apply to US citizens?

GDPR protects US citizens only when they're physically located in the EU or EEA at the time of data processing. The regulation uses location-based rather than citizenship-based criteria for determining coverage.

Is GDPR applicable in US operations?

Yes, GDPR applies to US companies that offer goods or services to EU residents or monitor their online behavior. Company location doesn't determine applicability—data subject location and business activities do.

What is the GDPR US equivalent?

No comprehensive federal GDPR equivalent exists in the US. State laws like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA) provide similar but more limited protections.

How does GDPR affect US companies practically?

US companies must implement privacy policies, consent management, data subject request procedures, security measures, and potentially appoint Data Protection Officers or EU representatives. Marketing and data collection practices require significant updates.

What are GDPR penalties for US companies?

Fines reach €20 million or 4% of global annual revenue, whichever is higher. European regulators have successfully fined major US companies including Meta (€1.2 billion), Google (€60 million), and Amazon (€746 million).

Do small businesses need GDPR compliance?

Yes, GDPR applies to businesses of any size that process EU personal data. However, small companies can prioritize high-risk compliance areas and implement solutions gradually based on available resources.

Does GDPR apply to EU citizens in the US?

No, EU citizens located in the US don't receive GDPR protection for data processing that occurs while they're on American soil. Protection depends on location during processing, not citizenship.

What constitutes a US Data Protection Act?

Currently, no comprehensive federal Data Protection Act exists in the US. Various sector-specific laws like HIPAA, COPPA, and FCRA provide limited protections, while state laws create a patchwork of requirements.

How do US companies handle GDPR enforcement?

European Data Protection Authorities can investigate, fine, and restrict US companies processing EU data. Enforcement occurs through asset seizure, business restrictions, and international cooperation agreements.

What does GDPR mean for US companies' technology choices?

Companies must choose GDPR-compliant cloud providers, implement consent management systems, use privacy-focused analytics tools, and ensure software development incorporates privacy by design principles.

Sources

  1. GDPR Article 3 - Territorial scope
  2. GDPR Article 5 - Data protection principles
  3. GDPR Chapter III - Individual rights
  4. GDPR Article 30 - Processing records
  5. GDPR Articles 33-34 - Data breach notification
  6. GDPR Article 37 - Data Protection Officer requirements
  7. GDPR Article 27 - EU representative requirements
  8. GDPR Article 83 - Administrative fines
  9. Irish Data Protection Commission - Meta Ireland inquiry conclusion
  10. California Consumer Privacy Act of 2018

Sources 1 to 8 refer to the text of the GDPR itself (Regulation (EU) 2016/679).