{"id":469,"date":"2024-03-29T11:34:31","date_gmt":"2024-03-29T10:34:31","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&p=13591"},"modified":"2025-06-25T09:21:08","modified_gmt":"2025-06-25T07:21:08","slug":"gdpr-compliance-checklist-for-us-companies","status":"publish","type":"knowledge","link":"https:\/\/usercentrics-poc.psapp.dev\/us\/knowledge-hub\/gdpr-compliance-checklist-for-us-companies\/","title":{"rendered":"Comprehensive GDPR compliance checklist for U.S. companies"},"content":{"rendered":"

The General Data Protection Regulation (GDPR)<\/a> has been in effect in the European Union since May 2018. Any organization that handles the consumer data of EU residents needs to take GDPR compliance seriously.<\/p>\n

GDPR compliance is also valuable for those doing business in the United States, among other countries that have since introduced data privacy laws. California, for example, borrowed heavily from the GDPR when drafting its data privacy regulations. This has since influenced data privacy legislation drafted by other states.<\/p>\n

Achieving GDPR compliance puts U.S. companies ahead of the game in ensuring state-by-state compliance at home. By adopting its more stringent best practices, you\u2019re set up to avoid future disruptions as more regulations are passed in the U.S. and other countries.<\/p>\n

The following information will help clarify your company\u2019s GDPR compliance requirements. Please note that due to differences in implementation and enforcement among EU countries, we strongly recommend that you consult with a lawyer specializing in data protection and privacy.<\/p>\n

\u00a0<\/p>\n\n\n

GDPR in the U.S.: Does your company need to be compliant?<\/h2>\n\n\n

One of the first questions asked by U.S. companies is, \u201cDoes the GDPR apply to us?\u201d If your company does business in the EU that involves collecting and processing user data, then yes, you do need to be GDPR-compliant.<\/p>\n

This can mean you sell products or services in the EU, work with partners or customers there, or receive web traffic from visitors located there.<\/p>\n

Note that the GDPR is extraterritorial. This means it applies to organizations that process EU residents\u2019 personal data whether or not those entities are actually located in the EU. It only matters that the personal data being used belongs to people in the EU.<\/p>\n

In July 2023, the EU-U.S. Data Privacy Framework<\/a> introduced a new adequacy agreement between the two regions, which had been without one since the Schrems II decision struck down the previous EU\u2013U.S. Privacy Shield framework in 2020.<\/p>\n

The EU-U.S. Data Privacy Framework does not apply GDPR requirements to the U.S., though it is a legal agreement and does apply certain standards to data protection and international transfers. The framework also outlines data subjects\u2019 rights, responsibilities and requirements for certified companies, redress mechanisms for complaints, and requirements and restrictions on US intelligence services.<\/p>\n\n\n

GDPR requirements for U.S. companies<\/h2>\n\n\n\n

The GDPR\u2019s requirements differ from data privacy regulations in the U.S., so you need to understand the distinctions. These include the following.<\/p>\n\n\n\n

Scope of jurisdiction<\/h4>\n\n\n\n

Data privacy laws passed to date in the U.S. are all at the state level, each one only applies in the state where it was enacted. The U.S. does not yet have a federal data privacy regulation, so companies need to check if there\u2019s a law for each state where they do business, and what its requirements are.<\/p>\n\n\n\n

Scope of protection<\/h4>\n\n\n\n

Privacy laws in the U.S., like the California Consumer Privacy Act (CCPA)<\/a>, are centered around consumer protection, whereas the GDPR regulates data protection more comprehensively. That includes the B2C and B2B sectors.<\/p>\n\n\n\n

Dedicated roles<\/h4>\n\n\n\n

In many instances, the GDPR requires organizations to appoint a data protection officer. This isn\u2019t the case under the majority of U.S. state-level laws passed to date.<\/p>\n\n\n\n

Opting in and opting out<\/h4>\n\n\n\n

Under the GDPR, individuals must provide explicit opt-in consent prior to having their personal data collected and processed. The U.S. uses an opt-out model in all privacy laws passed to date, meaning you can collect and use data in many cases without obtaining consent (with the common exception of children\u2019s data or that categorized as \u201csensitive\u201d), You do have to provide a way for people to opt out of data collection and\/or processing for various purposes (these vary by state law).<\/p>\n\n\n\n

Terms and definitions<\/h4>\n\n\n\n

While the GDPR refers to \u201cpersonal data,\u201d the term \u201cpersonally identifiable information\u201d (PII) is more common in the U.S. The specific requirements for data to be \u201csensitive\u201d also vary. We explain these differences in depth: Personally Identifiable Information (PII) vs. Personal Data \u2014 What\u2019s the difference?<\/a><\/p>\n\n\n\n

Under the GDPR, you need a legal reason that can be proven to collect and process customer data. Valid consent is one of the six legal bases listed in Art. 6 GDPR<\/a>. The conditions for consent to be valid are outlined in Art. 7 GDPR<\/a>.<\/p>\n\n\n\n

You need to document and clearly communicate to site visitors, customers, app users, etc. what personal data you want to collect, for what purpose(s), who may have access to it, and several other requirements. If the purpose for processing user data changes, you must obtain new consent from users.<\/p>\n\n\n\n

Data controllers (e.g. companies collecting data from visitors to its website), can use any of the legal bases for data processing if they can prove the necessity of doing so. You can\u2019t simply choose or change a legal basis because a business need a change or one method (like obtaining valid consent) is more work.<\/p>\n\n\n

\n
\n \n\n<\/svg>\n <\/div>\n
\n

Read about marketing data strategy in alignment with GDPR<\/a> now<\/p>\n <\/div>\n<\/div>\n\n\n\n\n\n

U.S. GDPR compliance checklist<\/h2>\n\n\n

\u2705 Keep data privacy and protection top of mind in all aspects of your business, especially the customer-facing parts. It\u2019s cheaper, more efficient, and less resource-intensive to build compliance into your system from the beginning using a privacy by design<\/a> approach, rather than retrofitting it. Especially when considering the risks of violations if efforts are not comprehensive enough.<\/p>\n

\u2705 Create an internal security policy<\/a> for employees, partners and contractors to ensure security measures are adequate, and keep it updated. Ensure it\u2019s clear and covers all operations and specific roles within the organization where accessing personal data is necessary.<\/p>\n

\u2705 Know what a data protection impact assessment<\/a> is and have a process to carry it out. These are legally required under some regulations, but a good idea regardless.<\/p>\n

\u2705 Wherever possible, when personal data is collected, anonymize, pseudonymize, and encrypt it<\/a>.<\/p>\n

\u2705 In the event of a data breach, have a process in place to notify data subjects and the correct authorities<\/a> within the required time frame. Where possible, act as quickly and thoroughly as possible to provide information, cooperate with authorities, protect affected users, and mitigate and repair damage from the breach.<\/p>\n

Data subjects\u2019 privacy rights<\/h4>\n

It must be clear and easy for customers, users, and visitors to:<\/p>\n