Compliance with Data Privacy Laws and Regulations

General Data Protection Regulation (“GDPR”)

In May 2018, the European Union transformed its legislative landscape for data privacy and protection when it introduced the General Data Protection Regulation (“GDPR”). The regulation harmonized existing EU data protection laws to adapt them to the modern digital age. Since then, many other countries, and certain states within the US, have enacted stricter and more comprehensive data privacy laws, often based on the tenets of the GDPR and carrying significant penalties for non-compliance.

The most significant aspect of the GDPR is that it dramatically increased the scope of personally identifiable information (“PII”) by including any information that can be used to directly or indirectly identify an individual. This broader definition captures information that can be used to identify a specific individual, including identification numbers, IP addresses, social insurance numbers, location data, etc. It also imposes significant fines for non-compliance.

Organizations worldwide have had to put new privacy policies in place and assess whether their data privacy program complies with each new aspect of the GDPR: implementing or revising internal policies, externally facing privacy policies and cookie banners, performing data mapping studies, and setting up programs for data subjects to make various requests. This has created serious new security and privacy challenges for businesses.

Does the GDPR apply to US companies? The answer is a resounding YES! Article 3 of the GDPR explicitly states that it applies beyond the EU/EEA in two main scenarios:

a) Offering goods or services to people in the EU.

If a U.S. company markets, sells, or even targets products or services (paid or free) to people in the EU — for example:

    • A website that ships to the EU or lists prices in euros
    • An app available in EU app stores
    • An online service that offers sign-ups to EU residents

then the GDPR applies to that company for all data it collects about EU users.

b) Monitoring the behavior of people in the EU.

If a U.S. business tracks EU users — e.g., through cookies, analytics, advertising profiles, or behavioral tracking — it is also subject to GDPR obligations.

In fact, the services of many U.S. tech companies (such as Meta, Google, and LinkedIn) monitor user behavior within the EU.

California Privacy Rights Act (“CPRA”)

Enacted in November 2020 and effective January 1, 2023, the CPRA expands and strengthens the earlier California Consumer Privacy Act (CCPA). It enhances consumer rights and increases business accountability regarding personal data. The law gives California residents greater control over how their information is collected, used, and shared — including new rights to correct inaccurate data, limit the use of sensitive personal information, and opt out of data sharing for cross-context behavioral advertising.

The CPRA also established the California Privacy Protection Agency (CPPA), an independent regulator responsible for enforcing state privacy laws. Overall, the CPRA brings California’s data protection standards closer to the rigor of the EU’s GDPR.

Other Data Privacy Laws and Regulations

Beyond the GDPR and CPRA, other data privacy laws include the U.S. Privacy Act of 1974, HIPAA (for health information), and COPPA (for children's online data). Other international regulations include Brazil's LGPD, Canada's CPPA, and China's PIPL, to name a few. Our team is highly skilled in navigating the complex landscape of data privacy laws and regulations across the United States and around the world.

Compliance

Data Privacy Officer Services

Breach Council

Data Privacy Training

EU Representative