It was enforced in May 2018<\/strong>.<\/p>\n\n\n\n You might ask what an EU law has to do with you, if you and your website is based in the US?<\/p>\n\n\n\n The truth is a lot.<\/p>\n\n\n\n Yes!<\/p>\n\n\n\n The GDPR has extra-territorial scope<\/strong>, which means that websites outside the EU that process data of people inside the EU are obligated to comply with the GDPR.<\/p>\n\n\n\n So, if you have a website in the US and you have visitors from the EU, the GDPR applies to your domain. Therefore, if that is the case, you need to meet the GDPR requirements and conditions for processing data.<\/p>\n\n\n\n In doubt whether your website is GDPR-compliant? Test with the free Cookiebot CMP compliance test<\/a>.<\/p>\n\n\n\n PII stands for personally identifiable information<\/em>, i.e. any kind of data that can be linked to an individual and thereby identify<\/em> them.<\/p>\n\n\n\n This can be anything from first<\/strong> and last names<\/strong>, e-mail addresses<\/strong>, geolocation<\/strong>, and browser history<\/strong>, among many others.<\/p>\n\n\n\n Important to know is that in the GDPR, PII is not mentioned as such. That is because personally identifiable information<\/strong> is a term primarily used in the US, whereas the European equivalent that is found in the GDPR is personal data<\/strong>.<\/p>\n\n\n\n However, in this blogpost, when we talk about the GDPR, PII is used instead of \u201cpersonal data\u201d.<\/p>\n\n\n\n So, in the GDPR, PII processing is determined by strict rules and conditions. These are in place to protect users from having their data collected and abused without their knowledge or consent.<\/p>\n\n\n\n In the GDPR, PII is protected namely because it has the potential to infringe on an individual\u2019s private life, and even do harm, when combined with other data.<\/p>\n\n\n\n If your website processes personally identifiable information of individuals in the EU (known in the GDPR as \u201cdata subjects\u201d), it has to be done on one of the following legal grounds:<\/p>\n\n\n\n Of the lawful grounds for processing PII, obtaining the consent of the data subject<\/strong> is the most widely used for websites who process, in accordance with the GDPR, PII on individuals in the EU.<\/p>\n\n\n\n So, if your US website has EU visitors<\/strong> and consent is the legal ground that you base your PII processing on, the GDPR has specific requirements as to how you must obtain the consent and what constitutes valid consent.<\/p>\n\n\n\n For a website to achieve GDPR compliance in the US<\/strong>, these conditions for consent must be met.<\/p>\n\n\n\n Your website, when engaging with visitors from inside the EU, and so processing their PII, must:<\/p>\n\n\n\n A consent management platform (known as a CMP) can help your website become GDPR-compliant with minimum effort on your behalf.<\/p>\n\n\n\n Cookiebot CMP specializes in exactly this niche area. Our scanning technology finds all cookies and trackers on your website, pauses them all until your end-users have given their consent, after which each consent is stored for legal documentation.<\/p>\n\n\n\n Read more about the functions of our consent management platform<\/a>.<\/p>\n\n\n\n Choosing a consent management platform like Cookiebot CMP means peace of mind for you and your end-users \u2013 we\u2019ve taken the hard work out of protecting your users\u2019 privacy, so you can focus on running your website and business.<\/p>\n\n\n\n We are European-based with a strong knowledge of consent management that enables compliance with the GDPR in the US. We also have a sharp eye on the emerging privacy laws across the world, including the California Consumer Privacy Act<\/a> (CCPA) and minor privacy laws such as the new Nevada privacy amendment<\/a>.<\/p>\n\n\n\n Next question might be whether there is a GDPR US equivalent, a sort of \u201cGDPR USA version\u201d that from a federal level lays down the law of the land when it comes to cookies and website tracking and user privacy?<\/p>\n\n\n\n The answer is no<\/strong>.<\/p>\n\n\n\n There is nothing close to the GDPR (or any other cookie law) in the US. When processing European PII, GDPR is in effect. When processing American PII in the US, no broad federal law applies.<\/p>\n\n\n\n In fact, in the absence of such a federal data privacy regulation, many US states have begun to legislate locally on their own, to secure consumers the rights to opt out of having their data sold to third parties.<\/p>\n\n\n\n These include the California Consumer Privacy Act <\/a>(known as CCPA) that took effect January 1, 2020, and the Nevada privacy law<\/a> that was enforced on October 1, 2019.<\/p>\n\n\n\n The CCPA<\/a> secures Californian citizens the right to opt out of data sales, as well as the rights to access their data and request deletion. The Nevada privacy law<\/a> isn\u2019t nearly as ambitious as the CCPA but does empower Nevada residents with the right to opt out of third-party data sales as well.<\/p>\n\n\n\n GDPR in the USA - state-wide regulations emerging as GDPR US equivalents.<\/p>\n\n\n\n Cookiebot CMP offers CCPA and GDPR compliance.<\/p>\n\n\n\n The GDPR is enforced by the national data protection authorities in the EU, even if the fine or penalty is levied against a US company.<\/p>\n\n\n\n In fact, the very first GDPR enforcement<\/a> was against a Canadian company, and the biggest GDPR enforced to date is the $50 million fine against Google<\/a> issued by the French data protection authority CNIL for three separate violations of the GDPR, including not having obtained valid consent for processing PII of Europeans.<\/p>\n\n\n\n So, being a website in the US does not exempt you from GPDR compliance and the territorial distance will not protect you from its enforcement either.<\/p>\n\n\n\n That\u2019s why a consent management provider<\/a> is a smart choice for websites of all shapes and sizes, regardless of where in the world they\u2019re based, to enable GDPR compliance, avoid heavy fines and protect the privacy of their users.<\/p>\n\n\n\n Try Cookiebot CMP for free today<\/a> to enable GDPR compliance in US.<\/p>\n\n\n\n The US Privacy Shield<\/a> is a way for US companies and organizations to obtain an adequacy agreement<\/a> with the EU, allowing for free data transfers between the US and EU.<\/p>\n\n\n\n The GDPR orders \u2013 in its Article 45<\/a> \u2013 how data is allowed to be transferred outside the European Union. Data transfers outside the EU, the GDPR rules, are allowed if:<\/p>\n\n\n\n The US Privacy Shield program <\/a>enables US-based companies \u201cto join the Privacy Shield Framework in order to benefit from the adequacy determinations\u201d, which means that certified US companies are empowered to transfer and process data without restrictions with the EU.<\/p>\n\n\n\n Even though the US Privacy Shield program<\/a> is recognized as an adequate way to transfer data to the US from EU and vice versa, the US in its entirety does not figure on the list of countries that the EU has deemed to have an adequate level of data protection law.<\/p>\n\n\n\n An obvious reason for the exemption of the US on the list of adequate countries is the lack of a uniform, federal data privacy law (a GDPR US equivalent) that guarantees the same rights to Americans as the GDPR does to Europeans.<\/p>\n\n\n\n However, in these times of great privacy awakenings, many eyes are on the tech industry and Washington D.C. as talks of federal privacy legislations are spurring.<\/p>\n\n\n\n Privacy is a hot topic in the age of Silicon Valley, and it has become even hotter after the privacy scandal surrounding Cambridge Analytica. It has evidently reached a boiling point, as public sentiment<\/a> towards tech companies is souring and a major political candidate is calling for the breaking up<\/a> of Google and Facebook on anti-competition grounds.<\/p>\n\n\n\n Google, Facebook, Apple, Amazon and Microsoft spent $582 million on political lobbying<\/a> from 2005 to 2018. Google mentioned privacy in 64% of its lobbying reports, while Facebook mentioned the topic in 61% of its reports.<\/p>\n\n\n\n Overall, the topic of privacy is by far the most lobbied about topic, with more than 3.240 mentions in all filed reports by the above-mentioned tech giants.<\/p>\n\n\n\n The prevalent narrative of Silicon Valley \u2013 of tech companies like Google, Facebook and Amazon \u2013 is that privacy is an inevitable trade-off in the technological evolution that is propelling human progress.<\/p>\n\n\n\n This is worrying, because it diminishes the dangers of the erosion of privacy through technological development.<\/p>\n\n\n\n It suggests that political regulation of the ad tech practices of Google and Facebook \u2013 what Harvard prof. emerita Shoshana Zuboff has famously coined \u201csurveillance capitalism\u201d<\/a> \u2013 is impossible from the start: that the tech giants are too big to be tethered to any privacy protecting legislation.<\/p>\n\n\n\n \u201cEvolution is a terrible metaphor for technology\u201d, argues tech writer Rose Eveleth for the American news site Vox<\/a>, and argues that talking about the growth and development of technology in the terms of evolution pushes the question of regulation and control to the fringes of public conversation.<\/p>\n\n\n\n The assertion that tech companies can\u2019t be shaped or regulated with the public\u2019s interest in mind, Eveleth writes, is to argue that they are fundamentally different from any other industry.<\/p>\n\n\n\n They are not.<\/p>\n\n\n\n They are industries like any other, whether it\u2019s Oil or Coal or Pharma. Privacy at the cost of technological progress is a false narrative. The EU\u2019s General Data Protection Regulation is a sterling example that legislation and regulation can empower citizens with enforceable rights to privacy, without halting technological development or worsening the products.<\/p>\n\n\n\n On the contrary, the GDPR specifically mandates privacy by design<\/a> in its Article 25, which means \u201cdata protection through technology design\u201d, i.e. that privacy has to be thought into and built into the very development of technology.<\/p>\n\n\n\n That is why we see US companies like Brave<\/a> \u2013 the privacy enhancing browser \u2013 publicly pushing for stronger privacy laws, both in the US and in the EU.<\/p>\n\n\n\n In fact, in October 2019, Brave submitted a letter to all twenty-eight EU governments<\/a> urging them to strengthen the draft of the coming European law called the ePrivacy Regulation, which is meant to up the European data privacy game even further from the GDPR. <\/p>\n\n\n\n The narrative that promotes a tech evolution where privacy is an inevitable trade-off also frames opposition to privacy-invasive products and services as a resistance to human progress itself.<\/p>\n\n\n\n This is of course wrong.<\/p>\n\n\n\n We find it of paramount importance to secure privacy in all aspects of human existence, especially in the digital lands, where it is endangered by illicit tech industry practices.<\/p>\n\n\n\n The GDPR<\/a> is an example of taking back the control of run-amok tech industries. The GDPR is an example that privacy is not a natural trade-off in the evolution of technology.<\/p>\n\n\n\n Democracy is the system that enshrines privacy as a right of the people. It is through democratic process \u2013 not technological progress \u2013 that we reign in surveillance capitalism and secure a private, free future for the generations to come.<\/p>\n\n\n\n That is why legislations like the GDPR<\/a> and the coming ePrivacy Regulation<\/a> in the EU are milestones of regulatory achievements, which hopefully will inspire American equivalents.<\/p>\n\n\n\nDoes the GDPR affect the US?<\/h3>\n\n\n\n
![\"Planet](\"\/media\/3731\/skaermbillede-2019-10-15-kl-134758.png?width=400&\")
GDPR and PII<\/h3>\n\n\n\n
\n
GDPR for US companies and websites<\/h3>\n\n\n\n
\n
GDPR - EU vs US<\/h2>\n\n\n\n
GDPR vs US privacy law<\/h3>\n\n\n\n
![\"Map](\"\/media\/3733\/skaermbillede-2019-10-15-kl-135302.png?width=410&\")
<\/figure>\n\n\n\nWho enforces the GDPR in the USA?<\/h3>\n\n\n\n
GDPR and sharing data between the US and EU<\/h3>\n\n\n\n
\n
GDPR and Silicon Valley<\/h2>\n\n\n\n
Tech lobbying and data privacy in the US<\/h3>\n\n\n\n
Surveillance is not the inevitable end of technology<\/h2>\n\n\n\n
![\"Flag](\"\/media\/3734\/eu_us_0.jpg?width=402&\")
GDPR as a road map<\/h3>\n\n\n\n