Why Tech Companies in the USA Need to be Concerned with GDPR

The General Data Protection Regulation (GDPR) is only for European-based businesses, right? WRONG!

Even if your software or technology company doesn’t have a single office or employee overseas, it doesn’t matter because the law applies based on where your customers are located.

Don’t have a single customer in Europe? What about California? If so, the newer California Consumer Privacy Act (CCPA) might come into play. AND more states are considering similar legislation as you read this.

What’s our point? Even if you don’t do business in Europe, it’s worthwhile to brush up on GDPR so you’re prepared for upcoming changes to domestic privacy and compliance laws.

What does the GDPR say again?

You probably paid attention to the GDPR when it first came out—three months after its debut, nearly 8 out of 10 US companies had conducted a GDPR gap assessment or updated their privacy policies. 

It’s been a few years though, so let’s do a quick refresher.

With the GDPR, companies must build into their websites and digital products privacy settings that protect personal data by default.

They also have to regularly conduct privacy impact assessments to help them improve the ways they seek permission to use data and improve the way they communicate data breaches.

A note on language…

Article 5(1) of the UK GDPR says:

“1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”

Makes perfect sense, right? No?

Deep breath…We’re not lawyers, but we do humbly offer these definitions to help you understand what the heck that means.👇 👇 👇 

Transparent and secure—In this context, you must be clear, open and honest with people from the start about how you plan to use their personal data.

Lawfulness—You may also process data if you can prove that you have a lawful basis to do so. This means that you have to identify valid grounds under the GDPR by which you may process data.

Fairness—Per the ICO, this means that you may only process data in a way that an individual would reasonably expect you to or in a way that you could reasonably explain. What you can’t do is process data in a way that’s unexpected, deceptive/misleading or in a way that causes unduly adverse effects.

Our tech business isn’t located in the EU…why should we care about a European regulation?

The fact is that the GDPR applies not only to EU-based businesses but also to any business, wherever it is located, that controls or processes data of EU citizens. Remember that:

  1. It matters where the CONSUMER is, not where the brand or the agency is
  2. It doesn’t matter if the consumer made or makes a purchase—only residency matters

On top of that, many databases actually contain info about European residents without the database owner realizing it. So before you say this doesn’t apply to you, audit your CRM and make sure you don’t have any rogue data floating around.

Why can't I just rely on American privacy laws?

The GDPR’s definition of “personal data” is much more far-reaching than that of most American breach notification laws and longstanding privacy acts.

All 50 states and Puerto Rico, Guam, the Virgin Islands and the District of Columbia have enacted laws requiring businesses to report security breaches of personal data. 

However, Americans generally take a much more open-book approach to privacy than Europeans, so it’s really not enough to just stay in compliance with your state’s laws.

With the exception of the CCPA, US security breach laws/privacy acts typically define personal information as data like:

  • Name combined with SSN
  • Driver’s license/state ID
  • Financial account numbers

Meanwhile, according to the GDPR, personal data is any “information related to an identified or identifiable individual.” This includes data like:

  • Name, address, ID numbers
  • Web data (location, cookie data, IP address, RFID tags)
  • Biometric data
  • Health and genetic data
  • Racial or ethnic data
  • Social media posts
  • Mobile device IDs
  • Sexual orientation
  • Political opinions

That’s a pretty big difference!

In addition to this difference in language, it’s smart to get in line with the GDPR regardless of what’s going on in your state or region right now—we predict that the wave of GDPR-like activity will continue on a state level WHILE pressure ramps up on regulators to adopt a federal standard in the USA.

To see how things are going, check out this map of US state privacy legislation as of September 2021.

Okay, but is anyone even going to notice if I don’t comply with the GDPR??


YES, someone will notice because, unlike the 1995 policy that it replaced, the GDPR is a regulation, not a directive. What’s the difference? Basically, you’re not allowed to simply opt out or ignore it. If you do, you could find yourself grappling with some pretty hefty fines.

For example, in 2020, the UK’s ICO fined the American company Marriott International £18.4 million for failing to protect the personal data of 339 million guests worldwide during a cyberattack…yikes!

This is just one of MANY examples. So if you want to avoid fines, you’d do well to get in compliance.

Okay…you've convinced me! What should my tech company do to stay compliant?

Now that we’ve worked you up into a tizzy about the GDPR, how can you stay in compliance? 🧐

(Again, in case we didn’t tell you this enough times already, we are not lawyers! Please consult with your legal advisors for advice for your specific situation.)

First, find out where your marketing campaign is currently in line with the GDPR, and where it isn’t. To do this, audit the way you collect and process data from your website and make sure your practices fit into its parameters.

Ask yourself:

  • Are we communicating clearly about the information we’re collecting?
  • Are we being transparent about the specific things that we plan to use the information for?
  • Are we collecting only the information we need?
  • Do we address data and privacy compliance in all our vendor/third-party contracts?

Once you’ve done that, we also recommend that you make the following changes:*

  1. Amend stale cookie notices
  2. Make sure you’re asking for consent to store/process data
  3. Switch from implied consent to explicit consent
  4. Dump your pre-checked consent boxes like it’s tea in the year 1773
  5. Update your privacy settings

 *Pssst…Find more on this here.

So if you haven’t yet, start caring today.


DISCLAIMER—We’re pretty smart tech marketers—if we do say so ourselves—but we’re definitely not lawyers…the legal information in this blog is not intended to be taken as legal advice. You may neither rely on this document as legal advice nor as a recommendation of any legal understanding.

