Does the GDPR apply in the USA?

The short answer is…yes, but you didn’t come here for the short answer. The General Data Protection Regulation (GDPR) is a European Union (EU) data privacy law that was adopted April 2016 (effective date of May 25, 2018), and has been called “the toughest privacy and security law in the world.”

Although the GDPR is intended to protect the personal information and data security of EU citizens and residents, it can apply to organizations that do not have locations or employees in the EU, including U.S. businesses, nonprofits, and universities. And the penalties for violating the GDPR are significant. The most serious types of violations can result in fines of up to €20 million or 4% of an organization’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

How can U.S. organizations be subject to EU law?

The GDPR is designed to protect the personal data of people in the EU, regardless of where their data is collected, used, or stored. Article 3.2 of the GDPR states that the law applies to organizations outside the EU if they:

  1. offer goods or services to people in the EU or 
  2. monitor the online behavior of people in the EU 

This means that if U.S. businesses, non-profits, or universities choose to offer goods or services to people in the EU or track the online activity of people in the EU, they may be required to comply with the GDPR. 

Goods or services to people in the EU

In determining whether a U.S. organization offers goods and services to data subjects in the EU for purposes of the GDPR, EU regulators are likely to look at whether the organization caters to EU customers.

In today’s internet economy, a person in France could place an order with a Kansas City bakery and have a cake delivered to a friend in Kansas City.  Would that make the bakery subject to the requirements of the GDPR? It likely depends on whether the bakery has taken steps to cater to EU customers. EU regulators may look at factors such as whether the bakery advertises in the EU, has online menus in European languages, or includes pricing in euros.

  • If the bakery has taken steps to cater to European customers, EU regulators may find that the bakery is subject to the requirements in the GDPR. 
  • If the bakery does not regularly do business with people in the EU and has not taken steps to cater to EU customers, EU regulators are likely to determine that the bakery is not offering goods or services to people in the EU.

Monitoring online behavior of people in the EU

In determining whether U.S. organizations monitor the online behavior of people in the EU, EU regulators are likely to look at whether the organization uses web tools that allow them to track cookies or the IP addresses of Europeans who visit their website(s).

This provision could potentially sweep in organizations that have minimal contacts with people in the EU; it remains to be seen how strictly it will be interpreted and how aggressively it will be enforced.

Are there GDPR Exemptions?

The GDPR does contain some limited exceptions. For example, it does not apply to “purely personal or household activity” and, in most cases, organizations that employ less than 250 people are exempt from record-keeping requirements. These organizations, however, are still subject to the other requirements of the data protection law.  

US companies still may be subject to the GDPR…

Although the GDPR is a European law, its requirements apply to many companies, nonprofits, and universities in the United States. Organizations outside of the EU that offer goods or services to Europeans or that monitor Europeans’ online activities are subject to the GDPR. This means that US organizations that do not have locations or employees in the EU may still be subject to the GDPR and could face significant financial penalties if they fail to comply.