How GDPR Affects American Companies
There is more discussion than ever about data privacy, especially as technology continues to evolve and more companies become interested in gathering data on individuals. Facebook, which boasts over 2 billion monthly active users, recently suffered data breaches that affected hundreds of millions of users and their personal information. Equifax, one of the largest consumer reporting agencies, also suffered a high-profile data breach in 2017, and was forced to pay up to $700 million to the Federal Trade Commission as a result.
The European Union (EU) has taken concrete steps towards protecting personal data in the form of the General Data Protection Regulation, or GDPR. The legislation sets out rules for how companies may collect and process consumer data, and many consider it the largest step taken on data privacy in the last several decades. Many assume that the legislation only affects Europe, but the truth is that it affects U.S. entities as well. Luckily, there are steps that American organizations can take to remain compliant, avoid fines, and continue to target the EU market.
Targeting European Consumers
Thanks to the Internet, U.S. companies can target anyone in the world. For example, a company based in the United States might notice that much of its revenue comes from European consumers, whether it is a clothing company, a social media platform, or a tech startup. You might believe that the GDPR only affects Europe. However, the truth is that if you collect data on European consumers, you will have to consider GDPR regulations.
You might believe that you only need to follow U.S. laws, but the truth is that the Internet allows you to market goods and services to anyone in the world. You might want to ramp up operations in Europe if you feel like there’s a real opportunity for growth and expansion. However, you should also understand that European citizens have their own expectations for privacy due to the GDPR. If you want to take advantage of Europe as a market, you will have to comply with the GDPR or expect to be fined.
In fact, you might be surprised to find that this applies to your U.S. organization even if no financial transaction is involved. You might not have a physical office in the EU, but you will still have to comply with its regulations if you are collecting data worldwide.
No Financial Transaction Needed
Let’s say that you are offering a global survey and want to obtain information from executives all around the world. You might feel as though there is no need to consider the GDPR, since you are not actually “doing business” in the EU whatsoever.
However, the truth is that you are still collecting information from people who live in the European Union. If you collect their email address, your organization will have to explain how the data will be used and also ask for permission to use that email address. These laws might not exist in the United States, but the fact that your survey is global requires you to comply with GDPR legislation. There’s a good chance that you will also have to appoint an EU representative if you want to make use of the email addresses.
Penalties and Fines
There will undoubtedly be U.S. organizations that believe they can continue to collect data without repercussions. After all, many consider data to be the “new oil,” given how valuable it can prove to companies of all kinds. Facebook’s access to user data is one of the reasons the platform is valued at over $500 billion. However, ignoring the GDPR would be a mistake.
Of course, the fines and penalties depend on how serious the violation is. The largest fixed fine that the GDPR provides for is 20 million euros. However, companies with billions in revenue are still at risk, because a fine of 4% of global turnover is also available, and it is typically applied in severe cases. If 4% of a company’s global turnover exceeds 20 million euros, then that higher figure is the one that will be used. Under the GDPR, Google was recently fined more than double the 20 million euro figure: specifically, the French data protection watchdog CNIL fined the tech giant 44 million euros earlier this year.
Google isn’t alone. Other large and powerful corporations have also been fined under the new GDPR regulations. British Airways suffered a data breach in 2018 and was fined over 180 million euros as a result. The worldwide hotel chain Marriott International, which is headquartered in Bethesda, Maryland, was also fined, and many see these cases as proof that GDPR regulation will lead to real punishments rather than a “slap on the wrist.”
A mistake on your organization’s part can lead to millions of U.S. dollars in fines, and that can directly affect the future of many small firms. Larger organizations should understand that investing the right time and energy in GDPR compliance can end up being the right choice for their overall bottom line. Smaller firms should take these fines even more seriously, considering that a single fine might prove fatal to their future.
One way to reduce the risk of fines is for your organization to use video and audio redaction software to protect the privacy of EU citizens. More data than ever is being collected around the world, and redaction software can help your company remain compliant with GDPR standards. This can potentially save you a tremendous amount of time, energy, and money.
Empowering the Customer
The GDPR wasn’t passed simply so that regulators could exact fines from large corporations, however. One of the central tenets of the legislation is that the customer should have control over their own digital identity. This isn’t exactly a new concept, and many companies have grown precisely because they care more about consumer privacy than their competitors do.
While Brave, a privacy-focused browser, does not have the name recognition of Google Chrome or Apple’s Safari, it has gained considerable traction. Specifically, the browser has already been downloaded 40 million times, and its monthly active users have doubled in the past year.
Brave is an open-source browser that is completely free, and one of the reasons for its rise in popularity is that it actively blocks ads and website trackers. DuckDuckGo, a search engine that markets the fact that it does not track its users, is also quickly gaining popularity.
The GDPR legislation aims to put more power over personal information back into the hands of the user. Expressly, the user can withdraw consent AT ANY TIME. Your organization may have to change the way it engages with consumers and provide concrete proof that they “opted in” to receiving e-mails or newsletters, for example. An “opt-out” option is no longer enough to justify your actions as a company.
Determining What to Keep
All companies understand that data is valuable. The right data can determine how to market to a consumer or gain market share, but data has much larger implications than that. Data can help influence a presidential election, as the Facebook-Cambridge Analytica scandal proved to the world. The GDPR regulations reflect this power, which is why they are much stricter regarding not only how businesses collect data, but also how long they can keep it.
More companies will have to understand that it is no longer worth saving as much data as possible, especially now that real fines can be levied. Organizations will have to make important choices about which data should be kept or erased, and also work out, on a financial level, whether data is worth the trouble of keeping. Video redaction, which can blur or pixelate images to protect privacy, is another solution. You might also use audio redaction software to delete recorded customer service calls, for example.
In addition, U.S. entities have to understand that there have to be clear procedures in place for when a user requests that his or her data be deleted, and employees have to be trained to handle these requests as quickly and efficiently as possible. Similarly, employees might also learn to use redaction software in order to mitigate risk.
If you decide to use redaction software, it can be a very straightforward way to remain GDPR compliant and also protect individual privacy. Many companies might choose to delete the data, but what if that simply isn’t an option? That is a situation where data redaction might play a crucial role in solving your dilemma.
Cybersecurity and data privacy will continue to be one of the most important topics discussed in the world, whether we are talking about governments or corporations. While Europe might be leading the charge, the truth is that many individuals all across the world are wondering about how their data might be collected, harvested, or exploited, and this might lead to more legislation.
Of course, companies require data to operate. It might not make sense for a corporation to simply delete all of its data, especially if it is a large multinational. In these situations, a policy of redaction, rather than deletion, might be the only viable solution. For example, a company might redact information in its documents in order to remain GDPR compliant, while still using data from countries outside the EU to hone its marketing messaging or brand positioning.
However, one thing is for sure: whether your American organization is a large corporation or a small business, changes will have to be made if you want to adapt to the evolving global business climate. This will not only involve remaining compliant; it also means changing the way the consumer is engaged, and remaining transparent about any hacks or data breaches that do occur.