Does GDPR Apply To US Customers?

By Ketch / October 17, 2021

Companies and individuals on either side of the Atlantic may feel that since the General Data Protection Regulation (GDPR) is a European Union mandate, it is only applicable to EU countries. However, this is not the case. Some of its laws also apply to US customers who purchase with EU based companies.

The reality is that the GDPR's application is more about who you are targeting than where your business is headquartered. This means that if you are a US national seeking to buy goods from an EU based company, you will need to familiarize yourself with GDPR and how it applies to you. If you are an EU business, then you may wonder if GDPR applies to your US based customers. 

There is also a lot to learn about the small business GDPR privacy policy. However, most individuals in the US still require some convincing regarding this matter.

For a reliable and easy consent management solution, connect with Ketch to learn more. 

US Data Privacy Regulations

The GDPR applies to practically every individual or business that handles personal data within the EU or is responsible for transferring personal data of people within the region. This means that if you intend to do business with an EU based company, you will be protected by some of GDPRs regulations.

Furthermore, when dealing with EU based companies, it is essential that you remember the United States has no particular data privacy laws with such a broad application like the GDPR. Various federal and state regulations overlap to form some piecemeal data protection package, with specific sectors like healthcare being the main focus. 

At times, this type of setting can make compliance difficult since data protection laws can vary from state to state. It should also be mentioned that the level of data protection needed by GDPR is usually high enough to satisfy those required by the relevant US laws.

Understanding How GDPR Applies to US Customers

Transferring of Personal Data between The EU and The US

The GDPR uses the term Personal Data whereas the equivalent term in the United States is Personally Identifiable Information (PII), which is viewed differently from state to state. 

Still, there are some general differences between the definitions of Personal Data and PII. For instance, in the EU, financial data and national insurance digits are not viewed as sensitive in the strict legal definition. On the other hand, the same elements are often considered highly sensitive when it comes to US privacy legislation. This means that US citizens are in some way covered by the GDPR privacy laws, but not in all aspects. 

In addition, US based individuals who are in possession of EU residents’ personal data have to abide by the GDPR rules if they wish to conduct business in the region.

Individuals' Rights

The GDPR was formulated on the premise that the relevant authorities should protect personal data and that people needed to have control over how other parties used their information. Some of these rights include the right to data portability, erasure, rectifying inaccurate data, withdrawal of consent, objection, restriction, and access.

US based customers, or website visitors' rights tend to be more limited even though US laws stipulate that detailed information ought to be provided to them at the time that personal data is being collected, even if the company is based in the EU. There are usually no other access rights offered to data subjects. The right to erase data collected may also not be not possible.

In the US, the laws extending the most data rights concern children. This means that parents are allowed to view the personal information gathered by a website about their child and to delete or correct it. All this is provided for under the Children's Online Privacy Protection Act. However, the GDPR does not have such considerations.

Cross-Continent Transfers

GDPR states that the transfer of personal data outside the European Economic Area (EEA) is restricted. The reason for this is to ensure that the data rights available to area residents are not undermined because an international provider has the data. As a result, the international transfer of personal information is subject to the EU-US Corporate Rules and the Model Contractual Clauses.

On the other hand, US law imposes few limits when it comes to transferring personal information outside the country. And even though US regulations continue to apply to data even after it has left the country, they usually focus on making sure that US entities remain liable for it.

This is to say that when dealing with companies in the EU, both GDPR and local privacy rules apply since you will be engaging in business with EU based customers.

Conclusion

The GDPR protects the personal data of individuals primarily in the EU, regardless of where it is collected, used, or stored. However, US clients doing business with EU companies can still enjoy some of its rights when it comes to the protection of their data.

If United States companies, universities, or non-profits offer goods or services to those residing in the EU or track their online activity, they may need to comply with GDPR laws.  

Share this: