You’ve probably heard of the dreaded four-letter word – GDPR. Companies around the globe had been preparing for the May 25th implementation date for quite some time. But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them. Let’s face it, we have enough federal and state laws here in the U.S. to worry about. But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer to look to confirm they aren’t captured within GDPR’s sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR. [click here for a primer on GDPR]

If you are a U.S.-based company, you may want to take a second look and ask yourself the below questions:

  • Do one or more of your platforms or ecommerce sites follow or track European Economic Area (EEA) users as they browse the Internet (e.g., tracking them over time and across various websites – *think, interest-based advertising*)?
  • Does your company have a physical office, subsidiary, or other establishment(s) located in the EEA that collects, receives, transmits, uses, stores, or otherwise processes personal data[1] (even if the processing does not occur in the EEA)?
  • Do one or more of your platforms or ecommerce sites offer[2] and/or target goods or services for sale to persons in one or more Member States in the EEA (irrespective of whether the goods or services are paid for or offered for free)?
  • Do one or more of your platforms or ecommerce sites offer your services or website in the language of an EEA member state?
  • Do one or more of your platforms or ecommerce sites accept currency that is generally used in one or more EEA Member States?
  • Do one or more of your platforms or ecommerce sites offer to ship products to buyers in one or more EEA Member States?
  • Do one or more of your platforms or ecommerce sites hold events in the EEA and/or target registration to persons in one or more Member States in the EEA?
  • Do one or more of your platforms or ecommerce sites monitor[3] the online activity of persons in one or more Member States in the EEA (in so far as their online behavior takes place within the EEA)?
  • Do one or more of your platforms or ecommerce sites collect geolocation information (either general or precise geolocation) about users in one or more Member States in the EEA?

If you answered “YES” to any of the above questions, then your business, or one or more of your platforms or e-commerce websites, may be subject to the requirements of GDPR.[4] (It’s ok, take long…deep…breaths. We’re here to help.) Just because the May 25th implementation date is already upon us, this doesn’t mean that all hope is lost. You can still take the necessary steps to satisfy GDPR compliance requirements.

Stay tuned for more installments of GDPR SIDEBAR.