November 18, 2022


by: kapp


Categories: Blog

How to Comply with the GDPR in the U.S.: A Step-by-Step Guide

What is the GDPR?

Since the General Data Protection Regulation (GDPR) was introduced in May 2018, there has been a lot of confusion about what it is and how it impacts businesses in the United States.

U.S. businesses that process the personal data of European Union (EU) citizens must follow the GDPR if they want to continue doing business in the EU. The GDPR applies to any company that processes the personal data of EU citizens, regardless of whether the company is based in the EU or not.

The GDPR is important for U.S. companies because it establishes strict rules for how personal data must be collected, processed, and stored. If a company fails to adhere to the GDPR rules, it can be fined up to 4% of its annual global revenue or €20 million, whichever is greater.

Here are some steps U.S. businesses can take to become GDPR-compliant.

Step 1: Relevance

Does GDPR apply to your U.S. based business?

The short answer is no: the GDPR, on its own, does not apply to businesses based in the United States. However, several states have enacted their own privacy laws, and you should look into complying with those.

That being said, there are still some important things U.S. businesses should know about the GDPR. Even though the GDPR may not apply to your business as such, you may still be handling data that is subject to it. So if your U.S.-based business processes the data of any EU citizens, you need to be aware of the GDPR and take steps to comply with it.

Here are some factors to consider:

  • Do you have customers or employees in the EU?
  • Do you process or store the personal data of EU citizens?
  • Does your website target EU citizens?

If you answered yes to any of these questions, then GDPR may apply to your business. Even if your business is based outside the EU, you may still be required to follow GDPR.

Step 2: Appoint a “Data Protection Officer”

It’s important to appoint a Data Protection Officer (DPO) to help make sure that your data is protected in line with the GDPR. A DPO can be a person or a third-party company appointed by an organization to handle data protection compliance. The DPO ensures that all data processing activities are carried out lawfully and transparently, oversees the data protection policies, and advises on data protection issues.

Step 3: Conduct a data audit

There are a few different ways that data is typically collected from website visitors. The most common method is through the use of cookies. Cookies are small text files that are placed on a user’s computer when they visit a website. They are used to store information about the user’s activity on the site, which can then be used to customize the user’s experience or for marketing purposes.

Another way that data is collected from website visitors is through the use of web beacons. Web beacons are small images that are embedded in web pages. They can be used to track a user’s activity on a page, and they can also be used for marketing purposes.

Finally, some websites also collect data through the use of forms. Forms can be used to gather information about a user’s preferences or contact information.

Data collected from these sources can include the visitor’s IP address, browser type, and geographical location.

Make a list of all the sources that collect data from website visitors. This list will help the team find out what data is being collected, how often, and from which sources, and it is the basis for putting together a privacy policy, a cookie policy, and terms of service, and for obtaining the required explicit consent from your users.
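To make the audit in this step concrete, here is an added example (not code from the original post) of a first pass at that source list. The function inventoryDataSources() takes a snapshot of what a page does (its cookies, the resources it loads, the fields its forms collect) and classifies each item for the audit list: non-essential cookies that need consent, third-party images that are likely web beacons, third-party scripts, and form fields that look like personal data. snapshotFromDocument() shows how that snapshot would be gathered in a browser; the field-name heuristic, the "essential" cookie list and the sample page on example.com are assumptions.

```javascript
// Added example, not code from the original post: a first pass at the data audit
// described in Step 3. Field names, the essential-cookie list and the sample page
// are assumptions.

// Form field names that usually hold personal data (assumed heuristic).
const PERSONAL_FIELD_PATTERN = /email|name|phone|address|postal|birth/i;

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return ""; }
}

function isFirstParty(host, firstPartyHost) {
  return host === firstPartyHost || host.endsWith("." + firstPartyHost);
}

function inventoryDataSources(snapshot, firstPartyHost) {
  const findings = [];

  // 1. Cookies: anything not on the essential list needs consent and a cookie-policy entry.
  for (const c of snapshot.cookies) {
    findings.push({
      source: "cookie",
      name: c.name,
      party: isFirstParty(c.domain, firstPartyHost) ? "first-party" : "third-party",
      needsConsent: !snapshot.essentialCookies.includes(c.name),
    });
  }

  // 2. Resources loaded from other hosts: a 1x1 image is the classic web beacon,
  //    and a third-party script is a potential tracker. First-party assets are skipped.
  for (const r of snapshot.resources) {
    const host = hostOf(r.url);
    if (host === "" || isFirstParty(host, firstPartyHost)) continue;
    const beacon = r.type === "img" && (r.width <= 1 || r.height <= 1);
    findings.push({
      source: beacon ? "web beacon" : "third-party " + r.type,
      name: r.url,
      party: "third-party",
      needsConsent: true,
    });
  }

  // 3. Forms: list the fields that look like personal data so the privacy policy
  //    can state what is collected and why.
  for (const f of snapshot.forms) {
    const personalFields = f.fields.filter((n) => PERSONAL_FIELD_PATTERN.test(n));
    if (personalFields.length > 0) {
      findings.push({ source: "form", name: f.id, party: "first-party", personalFields });
    }
  }
  return findings;
}

// Browser-side collector (not run here). Only cookies readable by JavaScript are
// visible; HttpOnly cookies must be inventoried on the server side.
function snapshotFromDocument(essentialCookies) {
  const cookies = document.cookie.split(";").map((s) => s.trim()).filter(Boolean)
    .map((s) => ({ name: s.split("=")[0], domain: location.hostname }));
  const resources = [
    ...Array.from(document.images).map((img) => ({
      type: "img", url: img.src, width: img.naturalWidth, height: img.naturalHeight,
    })),
    ...Array.from(document.scripts).filter((s) => s.src).map((s) => ({ type: "script", url: s.src })),
  ];
  const forms = Array.from(document.forms).map((f, i) => ({
    id: f.id || "form-" + i,
    fields: Array.from(f.elements).map((el) => el.name).filter(Boolean),
  }));
  return { cookies, essentialCookies, resources, forms };
}

// Constructed snapshot standing in for a real page on example.com.
const SAMPLE_SNAPSHOT = {
  cookies: [
    { name: "session_id", domain: "example.com" },
    { name: "_ga", domain: "example.com" },
  ],
  essentialCookies: ["session_id"],
  resources: [
    { type: "img", url: "https://example.com/logo.png", width: 200, height: 60 },
    { type: "img", url: "https://tracker.example-ads.net/pixel.gif", width: 1, height: 1 },
    { type: "script", url: "https://cdn.example-analytics.com/tag.js" },
    { type: "script", url: "https://static.example.com/app.js" },
  ],
  forms: [{ id: "newsletter", fields: ["email", "first_name", "csrf_token"] }],
};

function auditSample() {
  return inventoryDataSources(SAMPLE_SNAPSHOT, "example.com");
}
```

Run against the constructed snapshot, auditSample() returns five findings: the essential session cookie, the analytics cookie flagged as needing consent, the 1x1 pixel on an advertising host flagged as a web beacon, the third-party analytics script, and the newsletter form with its two personal-data fields. The first-party logo and application script do not appear. Treat the output as the starting point for the list, not the finished audit: server-set cookies, data collected by backend integrations, and anything behind HttpOnly are invisible to a page-side scan.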

Step 4: Create policy documents

Whether you’re a small business or a large enterprise, you need to have data policies in place. Data policies are the set of rules that govern how your company collects, stores, and uses data. Some of these data policies include a privacy policy, a cookies policy, and your website terms of service.

Privacy policies are designed to inform users about how their data will be used, and what rights they have.

A privacy policy should include the following:

  • The types of personal data collected by the company
  • The purpose of collecting this data
  • How long it will be stored
  • Who will have access to this data
  • What rights users have over their personal information

Cookies policies are legally binding documents that inform website or application users about how your company engages in data tracking and online privacy. A cookies policy should explain to users what cookies are, how the website uses them, and how to disable them. The GDPR has made it mandatory for all websites to have such policies in place.

Terms of service, also known as Terms and Conditions or Terms of Use, are the rules for using your website. While they are rarely required by law, your terms and conditions are sometimes addressed in court. They state whether users are allowed to use your site in specific situations, and what is and is not allowed.

Step 5: Require Explicit Consent

To collect data from an EU user, that user needs to give explicit consent. Consent is a prerequisite for the use of cookies, and it must be clear that the user has given it.

To get consent, you need to give users a choice about whether they want to accept cookies. A cookie banner, which is text displayed on the website that informs visitors about the use of cookies and asks for their acceptance, is one way to do this. Another choice is a pop-up window that gives users an opportunity to accept or decline cookies.

You will also need to keep a user consent log. A consent log records that each user has agreed to the company’s policies, and gives the company evidence that it actually received consent from its users. Consent logs are good practice for companies that want to avoid fines or penalties from regulatory agencies.

If a data breach occurs, it is very important to have a log of user consent in place: it helps you prove that your company had permission to use the affected users’ data. It is also useful when a user withdraws consent and you need to remove their information.
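The banner, the consent log and the withdrawal case described in this step fit together in a small piece of code. The following is an added example, not code from the original post: a consent manager that grants nothing until the user acts, refuses to set a non-essential cookie without consent, records every grant, decline and withdrawal in a log, deletes the affected cookies on withdrawal, and can answer "did this user have consent for category X at time T?", which is exactly the question a breach or a withdrawal raises. The cookie store is pluggable so the same logic runs in a browser (wrapping document.cookie) or offline; the category names, the policy version string and the scenario in runScenario() are assumptions.

```javascript
// Added example, not code from the original post: a minimal consent manager for
// Step 5. Category names, the policy version and the scenario are assumptions.

const POLICY_VERSION = "privacy-policy-2022-11";       // assumed; change when the policy text changes
const ESSENTIAL = "essential";                           // strictly necessary cookies: no consent needed
const CONSENT_CATEGORIES = ["analytics", "marketing"];  // assumed non-essential categories

function createConsentManager(store, userId, now = () => new Date()) {
  const log = [];          // append-only consent log, one entry per decision
  let allowed = new Set(); // non-essential categories currently granted

  function record(action) {
    log.push({ userId, action, categories: [...allowed], policyVersion: POLICY_VERSION, at: now().toISOString() });
  }
  function isAllowed(category) {
    return category === ESSENTIAL || allowed.has(category);
  }

  return {
    isAllowed,
    // Wired to the banner's "Accept selected" button. Only the categories the
    // user actually ticked are granted; silence or scrolling grants nothing.
    grant(categories) {
      const unknown = categories.filter((c) => !CONSENT_CATEGORIES.includes(c));
      if (unknown.length > 0) throw new Error("unknown consent category: " + unknown.join(", "));
      allowed = new Set(categories);
      record("grant");
    },
    // A decline is logged too, so the record shows the user was asked.
    decline() { allowed = new Set(); record("decline"); },
    // Withdrawal: clear the grants and remove every cookie set under them.
    withdraw() {
      allowed = new Set();
      for (const [name, meta] of store.entries()) {
        if (meta.category !== ESSENTIAL) store.delete(name);
      }
      record("withdraw");
    },
    // The single path application code uses to set cookies.
    setCookie(name, value, category) {
      if (!isAllowed(category)) return false;
      store.set(name, { value, category });
      return true;
    },
    // Replay the log up to `when` to find the consent state at that moment.
    hadConsentAt(category, when) {
      const t = new Date(when).getTime();
      let state = false;
      for (const entry of log) {
        if (new Date(entry.at).getTime() > t) break;
        state = entry.action === "grant" && entry.categories.includes(category);
      }
      return state;
    },
    getLog() { return log.map((e) => ({ ...e })); },
  };
}

// In-memory store used offline; a browser store would implement the same four
// methods over document.cookie (delete = set with an expiry in the past).
function memoryStore() {
  const jar = new Map();
  return {
    set: (k, v) => jar.set(k, v),
    get: (k) => jar.get(k),
    delete: (k) => jar.delete(k),
    entries: () => jar.entries(),
  };
}

// Constructed scenario: a user accepts analytics, then withdraws a second later.
function runScenario() {
  let second = 0;
  const clock = () => new Date(Date.UTC(2022, 10, 18, 12, 0, second++)); // constructed timestamps
  const store = memoryStore();
  const mgr = createConsentManager(store, "user-123", clock);

  const essentialSet = mgr.setCookie("session_id", "abc", ESSENTIAL);   // true: no consent needed
  const gaBeforeConsent = mgr.setCookie("_ga", "GA1.1", "analytics");  // false: nothing granted yet
  mgr.grant(["analytics"]);                                             // logged at 12:00:00Z
  const gaAfterConsent = mgr.setCookie("_ga", "GA1.1", "analytics");   // true
  const marketingSet = mgr.setCookie("_fbp", "fb.1", "marketing");     // false: not granted
  mgr.withdraw();                                                       // logged at 12:00:01Z

  return {
    essentialSet, gaBeforeConsent, gaAfterConsent, marketingSet,
    gaAfterWithdraw: store.get("_ga"),                                        // undefined: deleted
    sessionKept: store.get("session_id").value,                               // "abc": essential cookies stay
    consentDuring: mgr.hadConsentAt("analytics", "2022-11-18T12:00:00.500Z"), // true
    consentAfter: mgr.hadConsentAt("analytics", "2022-11-18T12:00:05Z"),      // false
    log: mgr.getLog(),
  };
}
```

Two design points matter for the proof the text asks for. Each log entry carries the policy version, because consent given to an older policy text does not cover a materially changed one; and hadConsentAt() answers by replaying the log rather than reading current state, so after a withdrawal you can still show that the data collected while consent was in force was collected lawfully. In production the log would be persisted server-side with the user identifier, not kept in page memory.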


Following these steps will help your business get closer to privacy compliance and avoid costly penalties. Keep in mind that privacy compliance is an ongoing process, so it’s important to have a system in place to keep track of changes and make sure you are always up to date.

If you need help with the process, we are here for you. Contact us with any questions.