GDPR and Data Privacy for US Businesses
Data privacy law is no longer just a concern for European companies or large technology firms. US businesses of all sizes that collect data from European residents, California consumers, or residents of a growing number of states with their own privacy laws face real legal obligations with real financial consequences for non-compliance.

Data privacy law has transformed from a compliance backwater into one of the most rapidly evolving and financially consequential areas of business regulation. The General Data Protection Regulation, which took effect in the European Union in 2018 with fines that can reach four percent of global annual revenue, sent a signal that governments were serious about privacy enforcement. The California Consumer Privacy Act, the Virginia Consumer Data Protection Act, and a growing number of state privacy laws have brought similar obligations to US domestic businesses.
Many American business owners assume that data privacy regulations are someone else's problem: a concern for tech companies, for businesses that operate in Europe, or for enterprises large enough to have compliance departments. This assumption is increasingly wrong. Any US business that has website visitors from Europe, that collects personal information from California residents, or that operates in any of the growing number of states with comprehensive privacy laws has legal obligations it may not be meeting.
This guide explains what GDPR requires, what US businesses need to know about the California and state privacy law landscape, and the practical steps that create a defensible compliance posture without requiring a regulatory attorney on permanent retainer.
GDPR: When It Applies to US Businesses
The GDPR applies to the processing of personal data of individuals located in the European Union, regardless of where the business processing that data is located. A US-based e-commerce company that accepts orders from German customers is processing personal data of EU residents and is subject to GDPR. A US software company that provides services to European businesses whose end users are in the EU is processing EU personal data and is subject to GDPR. Geographic location of the business is not a shield.
The two main bases for GDPR jurisdiction over US businesses are targeting EU residents (offering goods or services to EU residents) and monitoring EU residents (tracking behavior of EU residents, including through website analytics). Both trigger GDPR obligations, and the bar for what constitutes targeting is lower than many businesses realize: accepting payment in Euros, using EU languages on your website, or mentioning EU countries in your marketing can establish that you are targeting EU consumers.
The key obligations for businesses subject to GDPR include maintaining a lawful basis for each processing activity, providing clear and transparent privacy notices, honoring data subject rights (including the rights to access, correction, deletion, and portability), implementing security measures appropriate to the data's sensitivity, and, in some cases, appointing a data protection officer or an EU representative.
| Privacy Law | Jurisdiction | Key Consumer Rights | Maximum Penalty |
|---|---|---|---|
| GDPR | EU resident data processing | Access, deletion, portability, objection | 4% of global revenue or €20M |
| CCPA/CPRA | California residents | Know, delete, opt-out, correct | $7,500 per intentional violation |
| VCDPA | Virginia residents | Access, deletion, portability, opt-out | $7,500 per violation |
| CPA (Colorado) | Colorado residents | Access, deletion, portability, opt-out | $20,000 per violation |
| CTDPA (Connecticut) | Connecticut residents | Access, deletion, portability, opt-out | $5,000 per violation |
The US State Privacy Law Landscape
The United States does not have a comprehensive federal privacy law, which means the privacy law landscape for US businesses consists of a patchwork of state laws that apply based on where your customers are located. As of 2025, more than 20 states have enacted or are implementing comprehensive consumer privacy laws, and the number continues to grow.
The California Consumer Privacy Act, significantly expanded by the California Privacy Rights Act in 2020, applies to businesses that meet at least one of three thresholds: annual gross revenues over $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenues from selling consumers' personal information. Businesses that meet any of these thresholds must honor California residents' rights to know what data is collected, to delete it, to opt out of its sale, and to not be discriminated against for exercising these rights.
The practical challenge of multi-state privacy compliance is that each state law has its own definitions, thresholds, and requirements that do not fully align with each other or with GDPR. Building a compliance program that handles the most demanding requirements across all applicable laws is typically more efficient than trying to maintain separate compliance tracks for each jurisdiction, and it positions the business well as additional states enact privacy legislation.
Practical Compliance Steps for Small and Mid-Sized Businesses
The foundational step in data privacy compliance is a data inventory: a systematic mapping of what personal data your business collects, where it comes from, how it is used, with whom it is shared, and how long it is retained. This inventory is not just a compliance exercise; it frequently reveals data collection and retention practices that the business was not fully aware of and that create security and legal exposure.
A compliant privacy policy is a legal document, not a marketing document, that accurately describes your data practices in the terms required by the laws that apply to your business. Generic privacy policy templates downloaded from the internet are rarely adequate; they may not reflect your actual practices, may not include required provisions under applicable law, and may not be updated to reflect current legal requirements. An attorney-reviewed privacy policy that accurately describes your actual practices is the public-facing foundation of your compliance posture.
Vendor management is a frequently overlooked but critical component of data privacy compliance. When you share personal data with vendors who process it on your behalf, including cloud service providers, marketing platforms, analytics tools, and payment processors, the applicable privacy laws typically require that you have specific contractual provisions in place governing how those vendors may use the data and what security obligations they must meet. Review your vendor agreements and add required data processing terms where they are missing.
Data Breach Response: What the Law Requires
Every state now has a data breach notification law, and most require notification to affected individuals within a specified period after a breach is discovered. GDPR requires notification to the relevant supervisory authority within 72 hours of becoming aware of a breach. These notification requirements apply regardless of the business's size, and failure to notify in a timely manner is independently actionable, separate from the breach itself.
The definition of a reportable breach varies by law. GDPR defines a personal data breach broadly as any accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. US state laws typically trigger notification only when specific categories of sensitive data, such as Social Security numbers, financial account information, and health information, are involved. Knowing which categories of data you hold and which breach laws apply is essential to responding correctly when an incident occurs.
Having an incident response plan documented and tested before a breach occurs is the difference between a managed response and a chaotic one. The plan should identify who is responsible for breach detection and reporting, who makes the notification decision, what forensic and legal resources will be engaged, and how notification to affected individuals will be handled. Running through the plan before you need it reveals gaps and ensures that the people who must execute it understand their roles.
Final Thoughts
Data privacy compliance is no longer optional for any business that collects personal information, which in the digital economy means virtually every business. The legal landscape is complex, rapidly evolving, and carries real financial and reputational consequences for businesses that treat it as someone else's problem.
The investment in getting your data privacy posture right is manageable, particularly when approached systematically: understand what data you collect, be honest about it in your privacy policy, manage your vendors appropriately, protect the data with reasonable security, and have a plan for when something goes wrong. None of these steps requires enterprise-scale resources.
Consult a privacy attorney to assess your specific obligations under the laws that apply to your business. The specific requirements depend on your data practices, your customer base, and your industry, and getting tailored guidance is more efficient and more reliable than trying to apply general principles to your specific situation.
Clarion Editorial Team
Editorial Research Team
Clarion Editorial Team creates plain-English educational content covering legal, insurance and finance topics for US and UK readers.