Updated October 21, 2019.
In this blogpost, we look at how the GDPR affects the USA and how US websites can ensure compliance with the EU data law through consent management platforms like Cookiebot.
We also take a critical look at the tech industry’s narrative of “technological evolution”, in which privacy becomes an inevitable trade-off, and how the GDPR in the USA can act as a roadmap for democratic processes around a stronger regulation of privacy.
The General Data Protection Regulation (or GDPR) is an EU-wide law that protects Europeans with regards to the processing of their personal data, as well as laying down the rules relating to the free movement of personal data.
It was enforced in May 2018.
You might ask what an EU law has to do with you, if you and your website is based in the US?
The truth is a lot.
The GDPR has extra-territorial scope, which means that websites outside of the EU that process data of people inside the EU are obligated to comply with the GDPR.
So, if you have a website in the US and you have visitors from the EU, the GDPR applies to your domain. Therefore, if that is the case, you need to meet the GDPR requirements and conditions for processing data.
GDPR and USA: America is covered by the scope of the EU data law.
In doubt whether your website is GDPR compliant? Test with Cookiebot's free compliance test.
Try Cookiebot free for 30 days... or forever if you have a small website.
PII stands for personally identifiable information, i.e. any kind of data that can be linked to an individual and thereby identify them.
This can be anything from first and last names, e-mail addresses, geolocation, and browser history, among many others.
Important to know is that in the GDPR, PII is not mentioned as such. That is because personally identifiable information is a term primarily used in the US, whereas the European equivalent that is found in the GDPR is personal data.
However, in this blogpost, when we talk about the GDPR, PII is used instead of “personal data”.
So, in the GDPR, PII processing is determined by strict rules and conditions. These are in place to protect users from having their data collected and abused without their knowledge or consent.
In the GDPR, PII is protected namely because it has the potential to infringe on an individual’s private life, and even do harm, when combined with other data.
If your website processes personally identifiable information of individuals in the EU (known in the GDPR as “data subjects”), it has to be done on one of the following legal grounds:
Of the lawful grounds for processing PII, obtaining the consent of the data subject is the most widely used for websites who process, in accordance with the GDPR, PII on individuals in the EU.
So, if your US website has EU visitors and consent is the legal ground that you base your PII processing on, the GDPR has specific requirements as to how you must obtain the consent and what constitutes valid consent.
For a website to achieve GDPR compliance in the US, these conditions for consent must be met.
Your website, when engaging with visitors from inside the EU, and so processing their PII, must:
A consent management platform (known as a CMP) can help your website become GDPR compliant with minimum effort on your behalf.
Cookiebot specializes in exactly this niche area. Our scanning technology finds all cookies and trackers on your website, pauses them all until your end-users have given their consent, after which each consent is stored for legal documentation.
Cookiebot is a consent management provider for GDPR compliance in the US.
Read more about the functions of our consent management platform.
Choosing a consent management platform like Cookiebot means peace of mind for you and your end-users – we’ve taken the hard work out of protecting your users’ privacy, so you can focus on running your website and business.
We are European-based with a strong knowledge of consent management that ensures compliance with the GDPR in USA. We also have a sharp eye on the emerging privacy laws across the world, including the California Consumer Privacy Act (CCPA) and minor privacy laws such as the new Nevada privacy amendment.
Next question might be whether there is a GDPR US equivalent, a sort of “GDPR USA version” that from a federal level lays down the law of the land when it comes to cookies and website tracking and user privacy?
The answer is no.
There is nothing close to the GDPR (or any other cookie law) in USA. When processing European PII, GDPR is in effect. When processing American PII in the US, no broad federal law applies.
In fact, in the absence of such a federal data privacy regulation, many US states have begun to legislate locally on their own, to secure consumers the rights to opt out of having their data sold to third parties.
The CCPA secures Californian citizens the right to opt out of data sales, as well as the rights to access their data and request deletion. The Nevada privacy law isn’t nearly as ambitious as the CCPA but does empower Nevada residents with the right to opt out of third-party data sales as well.
GDPR in USA - state-wide regulations emerging as GDPR US equivalents.
Cookiebot offers CCPA and GDPR compliance.
The GDPR is enforced by the national data protection authorities in the EU, even if the fine or penalty is levied against a US company.
In fact, the very first GDPR enforcement was against a Canadian company, and the biggest GDPR enforced to date is the $50 million fine against Google issued by the French data protection authority CNIL for three separate violations of the GDPR, including not having obtained valid consent for processing PII of Europeans.
So, being a website in the US does not exempt you from GPDR compliance and the territorial distance will not protect you from its enforcement either.
That’s why a consent management provider is a smart choice for websites of all shapes and sizes, regardless of where in the world they’re based, to ensure GDPR compliance, avoid heavy fines and protect the privacy of their users.
Try Cookiebot for free today to ensure GDPR compliance in US.
The GDPR orders – in its Article 45 – how data is allowed to be transferred outside of the European Union. Data transfers outside of the EU, the GDPR rules, are allowed if:
The US Privacy Shield program enables US-based companies “to join the Privacy Shield Framework in order to benefit from the adequacy determinations”, which means that certified US companies are empowered to transfer and process data without restrictions with the EU.
Even though the US Privacy Shield program is recognized as an adequate way to transfer data to the US from EU and vice versa, the US in its entirety does not figure on the list of countries that the EU has deemed to have an adequate level of data protection law.
An obvious reason for the exemption of the US on the list of adequate countries is the lack of a uniform, federal data privacy law (a GDPR US equivalent) that guarantees the same rights to Americans as the GDPR does to Europeans.
However, in these times of great privacy awakenings, many eyes are on the tech industry and Washington D.C. as talks of federal privacy legislations are spurring.
Privacy is a hot topic in the age of Silicon Valley, and it has become even hotter after the privacy scandal surrounding Cambridge Analytica. It has evidently reached a boiling point, as public sentiment towards tech companies is souring and a major political candidate is calling for the breaking up of Google and Facebook on anticompetition grounds.
Google, Facebook, Apple, Amazon and Microsoft spent $582 million on political lobbying from 2005 to 2018. Google mentioned privacy in 64% of its lobbying reports, while Facebook mentioned the topic in 61% of its reports.
Overall, the topic of privacy is by far the most lobbied about topic, with more than 3.240 mentions in all filed reports by the abovementioned tech giants.
The prevalent narrative of Silicon Valley – of tech companies like Google, Facebook and Amazon – is that privacy is an inevitable trade-off in the technological evolution that is propelling human progress.
This is worrying, because it diminishes the dangers of the erosion of privacy through technological development.
It suggests that political regulation of the ad tech practices of Google and Facebook – what Harvard prof. emerita Shoshana Zuboff has famously coined “surveillance capitalism” – is impossible from the start: that the tech giants are too big to be tethered to any privacy protecting legislation.
“Evolution is a terrible metaphor for technology”, argues tech writer Rose Eveleth for the American news site Vox, and argues that talking about the growth and development of technology in the terms of evolution pushes the question of regulation and control to the fringes of public conversation.
The assertion that tech companies can’t be shaped or regulated with the public’s interest in mind, Eveleth writes, is to argue that they are fundamentally different from any other industry.
They are not.
They are industries like any other, whether it’s Oil or Coal or Pharma. Privacy at the cost of technological progress is a false narrative. The EU’s General Data Protection Regulation is a sterling example that legislation and regulation can empower citizens with enforceable rights to privacy, without halting technological development or worsening the products.
GDPR and USA: Cookiebot ensures GDPR PII compliant processing across the Atlantic.
On the contrary, the GDPR specifically mandates privacy by design in its Article 25, which means “data protection through technology design”, i.e. that privacy has to be thought into and built into the very development of technology.
That is why we see US companies like Brave – the privacy enhancing browser – publicly pushing for stronger privacy laws, both in the US and in the EU.
In fact, in October 2019, Brave submitted a letter to all twenty-eight EU governments urging them to strengthen the draft of the coming European law called the ePrivacy Regulation, which is meant to up the European data privacy game even further from the GDPR.
The narrative that promotes a tech evolution where privacy is an inevitable trade-off also frames opposition to privacy-invasive products and services as a resistance to human progress itself.
This is of course wrong.
We here at Cookiebot find it of paramount importance to secure privacy in all aspects of human existence, especially in the digital lands, where it is endangered by illicit tech industry practices.
The GDPR is an example of taking back the control of run-amok tech industries. The GDPR is an example that privacy is not a natural trade-off in the evolution of technology.
Democracy is the system that enshrines privacy as a right of the people. It is through democratic process – not technological progress – that we reign in surveillance capitalism and secure a private, free future for the generations to come.
These are on the horizon, with the California Consumer Privacy Act (CCPA) as a lodestar for future US privacy legislation, and hopefully, eventually, a strong federal law that enshrines privacy for American citizens as the GDPR does for Europeans.
Until then, using Cookiebot’s consent management platform guarantees your users the best privacy protection against third-party cookies and trackers, and ensures GDPR compliance for your website.