Updated July 7, 2020.
In this blogpost, we look at how the GDPR affects the USA and how US websites can ensure compliance with the EU data law through consent management platforms like Cookiebot consent management platform (CMP).
We also take a critical look at the tech industry’s narrative of “technological evolution”, in which privacy becomes an inevitable trade-off, and how the GDPR in the USA can act as a roadmap for democratic processes around a stronger regulation of privacy.
GDPR in USA
The General Data Protection Regulation (or GDPR) is an EU-wide law that protects Europeans with regard to the processing of their personal data, as well as laying down the rules relating to the free movement of personal data.
It became enforceable in May 2018.
You might ask what an EU law has to do with you, if you and your website are based in the US?
The truth is a lot.
Does the GDPR affect the US?
The GDPR has extra-territorial scope, which means that websites outside the EU that process data of people inside the EU are obligated to comply with the GDPR.
So, if you have a website in the US and you have visitors from the EU, the GDPR applies to your domain. Therefore, if that is the case, you need to meet the GDPR requirements and conditions for processing data.
In doubt whether your website is GDPR-compliant? Test with the free Cookiebot CMP compliance test.
GDPR and PII
PII stands for personally identifiable information, i.e. any kind of data that can be linked to an individual and thereby identify them.
This can be anything from first and last names, e-mail addresses, geolocation, and browser history, among many others.
It is important to know that the GDPR does not mention PII as such. That is because personally identifiable information is a term primarily used in the US, whereas the European equivalent found in the GDPR is personal data.
However, in this blogpost, when we talk about the GDPR, PII is used instead of “personal data”.
So, in the GDPR, PII processing is determined by strict rules and conditions. These are in place to protect users from having their data collected and abused without their knowledge or consent.
In the GDPR, PII is protected precisely because it has the potential to infringe on an individual’s private life, and even do harm, when combined with other data.
If your website processes personally identifiable information of individuals in the EU (known in the GDPR as “data subjects”), it has to be done on one of the following legal grounds:
- With the consent of the data subject,
- Processing necessary for the performance of a contract,
- Processing necessary for compliance with legal obligations,
- Processing necessary to protect “vital interests” of the data subject,
- Processing necessary for tasks carried out in public interest,
- Processing necessary for purposes of legitimate interests pursued by the controller or by a third party.
Of the lawful grounds for processing PII, obtaining the consent of the data subject is the most widely used by websites that process, in accordance with the GDPR, PII on individuals in the EU.
GDPR for US companies and websites
So, if your US website has EU visitors and consent is the legal ground that you base your PII processing on, the GDPR has specific requirements as to how you must obtain the consent and what constitutes valid consent.
For a website to achieve GDPR compliance in the US, these conditions for consent must be met.
Your website, when engaging with visitors from inside the EU and thereby processing their PII, must:
- obtain clear and unambiguous consent from its users,
- prior to any processing of personal data,
- after specifying all types of cookies and other tracking technology present and operating on its pages,
- in easy-to-understand ways that enable users to give and to revoke consent for each specific category of cookies,
- securely and confidentially document each user consent,
- and ask for renewed consent regularly.
A consent management platform (known as a CMP) can help your website become GDPR-compliant with minimum effort on your behalf.
Cookiebot CMP specializes in exactly this niche area. Our scanning technology finds all cookies and trackers on your website, pauses them all until your end-users have given their consent, after which each consent is stored for legal documentation.
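To make the consent conditions listed above and the "pause until consent, then document" behaviour concrete, here is a minimal consent gate as an added example. It is not Cookiebot's code and not part of the original post; the category names, the twelve-month renewal interval, the policy version number and the tracker inventory are assumptions chosen for illustration.

```javascript
// Added example (not Cookiebot's code): a minimal consent gate following the
// GDPR conditions listed above. Category names, the 365-day renewal interval,
// the policy version and the tracker inventory are assumptions.
const CONSENT_CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];
const RENEWAL_DAYS = 365;      // assumed; the page only says "regularly"
const POLICY_VERSION = 1;      // bump when the cookie declaration changes

// Constructed inventory of what a scanner might find, each tag labelled with its category.
const TRACKERS = [
  { id: 'session-cookie', category: 'necessary',  src: null },
  { id: 'analytics',      category: 'statistics', src: 'https://example.invalid/analytics.js' },
  { id: 'ads',            category: 'marketing',  src: 'https://example.invalid/ads.js' },
];

// Build a consent record from the user's per-category choices.
// "necessary" is always on; every other category is off unless explicitly set to true
// (no pre-ticked boxes, no truthy strings counted as consent).
function buildConsentRecord(choices, now = Date.now()) {
  const granted = { necessary: true };
  for (const c of CONSENT_CATEGORIES) {
    if (c !== 'necessary') granted[c] = choices[c] === true;
  }
  return { granted, givenAt: now, policyVersion: POLICY_VERSION };
}

// Consent counts only if it exists, matches the current policy version and is not stale.
function isConsentValid(record, now = Date.now()) {
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  const ageMs = now - record.givenAt;
  return ageMs >= 0 && ageMs < RENEWAL_DAYS * 24 * 60 * 60 * 1000;
}

// Everything except "necessary" stays paused until a valid record grants its category.
function allowedTrackers(record, now = Date.now()) {
  const valid = isConsentValid(record, now);
  return TRACKERS.filter(t =>
    t.category === 'necessary' || (valid && record.granted[t.category] === true));
}

// Revocation must be as easy as consent: switch the named categories off in a new record.
function revokeCategories(record, categories, now = Date.now()) {
  const granted = { ...record.granted };
  for (const c of categories) if (c !== 'necessary') granted[c] = false;
  return { ...record, granted, givenAt: now };
}

// Documentation: append-only log of what was consented to, when, and under which policy text.
function logConsentEvent(log, record, action, now = Date.now()) {
  log.push({ action, loggedAt: now, policyVersion: record.policyVersion, granted: { ...record.granted } });
  return log;
}

// Browser wiring: inject only the allowed external scripts. Returns the number injected;
// does nothing when no DOM exists (so the logic above can be exercised under Node).
function loadAllowed(record, now = Date.now()) {
  if (typeof document === 'undefined') return 0;
  let injected = 0;
  for (const t of allowedTrackers(record, now)) {
    if (!t.src) continue;
    const s = document.createElement('script');
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
    injected++;
  }
  return injected;
}
```

In a real deployment the record would be persisted (for example in a first-party cookie) and the log kept server-side so that a consent can be produced as evidence later; the point of the example is that nothing in the non-necessary categories runs until a valid, unexpired, version-matched record exists, and that withdrawal produces a fresh record rather than editing the old one.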
Read more about the functions of our consent management platform.
Choosing a consent management platform like Cookiebot CMP means peace of mind for you and your end-users – we’ve taken the hard work out of protecting your users’ privacy, so you can focus on running your website and business.
We are European-based with a strong knowledge of consent management that ensures compliance with the GDPR in the US. We also have a sharp eye on the emerging privacy laws across the world, including the California Consumer Privacy Act (CCPA) and minor privacy laws such as the new Nevada privacy amendment.
GDPR – EU vs US
The next question might be whether there is a GDPR US equivalent, a sort of “GDPR USA version” that at the federal level lays down the law of the land when it comes to cookies, website tracking and user privacy.
The answer is no.
There is nothing close to the GDPR (or any other cookie law) in the US. When processing European PII, GDPR is in effect. When processing American PII in the US, no broad federal law applies.
GDPR vs US privacy law
In fact, in the absence of such a federal data privacy regulation, many US states have begun to legislate locally on their own, to secure consumers the rights to opt out of having their data sold to third parties.
The CCPA secures Californian citizens the right to opt out of data sales, as well as the rights to access their data and request deletion. The Nevada privacy law isn’t nearly as ambitious as the CCPA but does empower Nevada residents with the right to opt out of third-party data sales as well.
GDPR in the USA – state-wide regulations emerging as GDPR US equivalents.
Cookiebot CMP offers CCPA and GDPR compliance.
Who enforces the GDPR in the USA?
The GDPR is enforced by the national data protection authorities in the EU, even if the fine or penalty is levied against a US company.
In fact, the very first GDPR enforcement was against a Canadian company, and the biggest GDPR fine to date is the $50 million fine against Google issued by the French data protection authority CNIL for three separate violations of the GDPR, including not having obtained valid consent for processing PII of Europeans.
So, being a website in the US does not exempt you from GDPR compliance, and the territorial distance will not protect you from its enforcement either.
That’s why a consent management provider is a smart choice for websites of all shapes and sizes, regardless of where in the world they’re based, to ensure GDPR compliance, avoid heavy fines and protect the privacy of their users.
Try Cookiebot CMP for free today to ensure GDPR compliance in the US.
GDPR and sharing data between the US and EU
The GDPR lays down, in its Article 45, how data may be transferred outside the European Union. Under the GDPR, data transfers outside the EU are allowed if:
- the country receiving the data has an adequacy agreement with the EU,
- the data processor or controller demonstrates an adequate level of data privacy safeguards (such as the US Privacy Shield).
The US Privacy Shield program enables US-based companies “to join the Privacy Shield Framework in order to benefit from the adequacy determinations”, which means that certified US companies are permitted to exchange and process data with the EU without restrictions.
Even though the US Privacy Shield program is recognized as an adequate way to transfer data to the US from EU and vice versa, the US in its entirety does not figure on the list of countries that the EU has deemed to have an adequate level of data protection law.
An obvious reason for the exemption of the US on the list of adequate countries is the lack of a uniform, federal data privacy law (a GDPR US equivalent) that guarantees the same rights to Americans as the GDPR does to Europeans.
However, in these times of great privacy awakenings, many eyes are on the tech industry and Washington D.C. as talk of federal privacy legislation is gaining momentum.
GDPR and Silicon Valley
Privacy is a hot topic in the age of Silicon Valley, and it has become even hotter after the privacy scandal surrounding Cambridge Analytica. It has evidently reached a boiling point, as public sentiment towards tech companies is souring and a major political candidate is calling for the breaking up of Google and Facebook on anti-competition grounds.
Tech lobbying and data privacy in the US
Google, Facebook, Apple, Amazon and Microsoft spent $582 million on political lobbying from 2005 to 2018. Google mentioned privacy in 64% of its lobbying reports, while Facebook mentioned the topic in 61% of its reports.
Overall, privacy is by far the most lobbied-about topic, with more than 3,240 mentions in all reports filed by the above-mentioned tech giants.
The prevalent narrative of Silicon Valley – of tech companies like Google, Facebook and Amazon – is that privacy is an inevitable trade-off in the technological evolution that is propelling human progress.
This is worrying, because it downplays the dangers of the erosion of privacy through technological development.
It suggests that political regulation of the ad tech practices of Google and Facebook – what Harvard Professor Emerita Shoshana Zuboff has famously coined “surveillance capitalism” – is impossible from the start: that the tech giants are too big to be tethered to any privacy-protecting legislation.
Surveillance is not the inevitable end of technology
“Evolution is a terrible metaphor for technology”, argues tech writer Rose Eveleth for the American news site Vox, adding that talking about the growth and development of technology in terms of evolution pushes the question of regulation and control to the fringes of public conversation.
The assertion that tech companies can’t be shaped or regulated with the public’s interest in mind, Eveleth writes, is to argue that they are fundamentally different from any other industry.
They are not.
They are industries like any other, whether it’s oil or coal or pharma. Privacy at the cost of technological progress is a false narrative. The EU’s General Data Protection Regulation is a sterling example that legislation and regulation can empower citizens with enforceable rights to privacy, without halting technological development or worsening the products.
On the contrary, the GDPR specifically mandates privacy by design in its Article 25, which means “data protection through technology design”, i.e. that privacy has to be thought into and built into the very development of technology.
That is why we see US companies like Brave – the privacy-enhancing browser – publicly pushing for stronger privacy laws, both in the US and in the EU.
In fact, in October 2019, Brave submitted a letter to all twenty-eight EU governments urging them to strengthen the draft of the coming European law called the ePrivacy Regulation, which is meant to up the European data privacy game even further from the GDPR.
The narrative that promotes a tech evolution where privacy is an inevitable trade-off also frames opposition to privacy-invasive products and services as a resistance to human progress itself.
This is of course wrong.
We find it of paramount importance to secure privacy in all aspects of human existence, especially in the digital lands, where it is endangered by illicit tech industry practices.
GDPR as a road map
The GDPR is an example of taking back the control of run-amok tech industries. The GDPR is an example that privacy is not a natural trade-off in the evolution of technology.
Democracy is the system that enshrines privacy as a right of the people. It is through democratic process – not technological progress – that we rein in surveillance capitalism and secure a private, free future for the generations to come.
Such laws are on the horizon in the US, with the California Consumer Privacy Act (CCPA) as a lodestar for future US privacy legislation, and hopefully, eventually, a strong federal law that enshrines privacy for American citizens as the GDPR does for Europeans.
Until then, using Cookiebot CMP guarantees your users the best privacy protection against third-party cookies and trackers, and ensures GDPR compliance for your website.
What is the GDPR?
The General Data Protection Regulation (GDPR) is an EU data privacy law that governs the collection and use of personal data of individuals inside the European Union. The GDPR requires websites to first ask for and obtain the explicit consent from its visitors before it is allowed to collect and process their personal data.
Does the GDPR apply inside the US?
Yes, if your US-based website collects and processes personal data on individuals inside the EU, you are required to comply with the GDPR. You must ask for and obtain the explicit consent of the data subjects (your users inside the EU) before legally being able to collect their personal data.
What is personal data under the GDPR?
The GDPR defines personal data as any kind of information that is able to identify a living individual either directly or indirectly. Personal data under the GDPR includes direct identifiers such as names, addresses, social security numbers, health data, but also indirect identifiers such as IP addresses, cookies, browser and search history.
How can my website become GDPR compliant?
Using a consent management platform to control your website’s cookies and manage the consent of users to the collection of their personal data is a safe way to ensure GDPR compliance on your domain.