Avoid GDPR Fines as a U.S. Company

The GDPR’s extraterritorial scope makes it applicable to all businesses, including those in the United States, as long as it gathers information from “data subjects in the Union” and engages in “professional or commercial activity” with 250 or more employees.

For instance, if your website collects visitor data via cookies, then GDPR applies to all visitors from the EU and UK. Noncompliance can result in fines.

How GDPR Is Enforced on U.S. Companies

GDPR applies to non-EU companies if they offer goods or services to EU residents or monitor their online activities. Any US company subject to the GDPR has to meet the same strict requirements as companies in the EU.

For instance, if you have a website in the official language of any EU member state or offer prices in Euros, you’re deemed to be targeting EU citizens and liable to the GDPR.

To comply with GDPR as a US company, you can use the following checklist, with the advice of your local privacy counsel:

• • Comply with GDPR cookie consent

• • Designate a data protection officer to oversee all EU resident’s data

• • Inform consumers how you’re collecting their data and for what purposes

• • Have a data processing agreement with your vendors

• • Review your data processing protocols and tighten security

• • Identify steps to follow in case of a data breach

• • Observe cross-border data transfer rules

• • Appoint an EU representative

Bulleted List

Complying with GDPR cookie consent means your users must explicitly agree to store cookies on their devices. You can implement this by getting users’ consent through a checkbox, button, or by accepting a GDPR notification.

Following the above GDPR compliance checklist and consulting your local privacy counsel could help reduce the risk of EU regulatory action.

Fines for Non-Complying U.S. Companies

It pays to be GDPR compliant, given that US companies found to be breaking GDPR can rack up fines of up to €10 to €20 million, or up to 4% of the company’s annual revenue.