Does the GDPR apply in the USA?
The short answer is…yes, but you didn’t come here for the short answer. The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy law that was adopted April 2016 (effective date of May 25, 2018), and has been called “the toughest privacy and security law in the world.”
Although the GDPR is intended to protect the personal information and data security of EU citizens and residents, it can apply to organizations that do not have locations or employees in the EU, including U.S. businesses, nonprofits, and universities. And the penalties for violating the GDPR are significant. The most serious types of violations can result in fines of up to €20 million or 4% of an organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
How can U.S. organizations be subject to EU law?
The GDPR is designed to protect the personal data of people in the EU, regardless of where their data is collected, used, or stored. Article 3.2 of the GDPR states that the law applies to organizations outside the EU if they:
- offer goods or services to people in the EU or
- monitor the online behavior of people in the EU
This means that if U.S. businesses, non-profits, or universities choose to offer goods or services to people in the EU or track the online activity of people in the EU, they may be required to comply with the GDPR.
Goods or services to people in the EU
In determining whether a U.S. organization offers goods and services to data subjects in the EU for purposes of the GDPR, EU regulators are likely to look at whether the organization caters to EU customers.
In today’s internet economy, a person in France could place an order with a Kansas City bakery and have a cake delivered to a friend in Kansas City. Would that make the bakery subject to the requirements of the GDPR? It likely depends on whether the bakery has taken steps to cater to EU customers. EU regulators may look at factors such as whether the bakery advertises in the EU, has online menus in European languages, or includes pricing in euros.
- If the bakery has taken steps to cater to European customers, EU regulators may find that the bakery is subject to the requirements in the GDPR.
- If the bakery does not regularly do business with people in the EU and has not taken steps to cater to EU customers, EU regulators are likely to determine that the bakery is not offering goods or services to people in the EU.
Monitoring online behavior of people in the EU
In determining whether U.S. organizations monitor the online behavior of people in the EU, EU regulators are likely to look at whether the organization uses web tools that allow them to track cookies or the IP addresses of Europeans who visit their website(s).
This provision could potentially sweep in organizations that have minimal contacts with people in the EU; it remains to be seen how strictly it will be interpreted and how aggressively it will be enforced.
Are there GDPR Exemptions?
The GDPR does contain some limited exceptions. For example, it does not apply to “purely personal or household activity” and, in most cases, organizations that employ less than 250 people are exempt from record-keeping requirements. These organizations, however, are still subject to the other requirements of the data protection law.
US companies still may be subject to the GDPR…
Although the GDPR is a European law, its requirements apply to many companies, nonprofits, and universities in the United States. Organizations outside of the EU that offer goods or services to Europeans or that monitor Europeans’ online activities are subject to the GDPR. This means that US organizations that do not have locations or employees in the EU may still be subject to the GDPR and could face significant financial penalties if they fail to comply.
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and
more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah
More posts by Marie Kulbeth