Blog
Brightly colored locks on a fence

What You Need to Know about the GDPR (Even if You're In the U.S.)

Did you receive tons of emails on May 25th, updating you on company's privacy policies? If you wondered what that was all about, then you're a little behind when it comes to digital marketing news. The EU's General Data Protection Regulation went into effect on May 25th. And while for some this may be old news, for many, they may have brushed it off as something that won’t affect them--because the GDPR only matters if your business is located in an E.U. country or serves customers in the E.U., right?

Wrong, actually.

But for those in digital marketing, we’ve been thinking about it for a while. While the GDPR will directly affect all businesses in the European Union countries, it will also apply to any individual within the EU. What does that mean for U.S.-based businesses, even those who have no direct business operations in any of the EU countries? It means that if you have any kind of web presence, the GDPR does affect you.

If you collect data (even if that means someone located in the EU simply clicks to your website) from anyone in the EU, your company becomes subject to the requirements of the GDPR. (A caveat to this is that an EU citizen has to be in a EU country for their data to be subject to the GDPR.)

Here’s what you need to know.

  • You cannot bury consent for use of personal information in T&C. It has to be explained clearly and separately.
  • Consent to use private information is opt-in. Not opt-out.
  • Consent can be withdrawn easily. That means if someone unsubscribes from your email list, they are completely removed from your system. And it must be as easy for them to revoke consent as it was for them to sign up. No teeny tiny, roundabout unsubscribe systems. No wait lists for deleting accounts.
  • Data breach notifications must be made within 72 hours of becoming aware of the breach.
  • Customers are allowed to ask for copies of all the personal data you have collected on them, as well as where that information is stored and why you need it and use it for.
  • The “Right to Be Forgotten”: as stated, you instantly erase data the moment the individual revokes consent to use their information and you stop any third-parties that may have access to that data.


Penalties for not complying with these regulations can be steep. If reading this list made you start to question whether your business is protected from potential fines for E.U. visitors and customers, it’s time to do a little homework.
Are You Ready to Start Your Project?