GDPR Compliance in US: A Detailed Overview

The GDPR (General Data Protection Regulation) governs personal information, defined as any data that can identify a person, called a "data subject." In addition, organizations subject to it must comply with data subjects' wishes on how their data gets processed and maintain records of how this processing happens. Moreover, the GDPR intends to give EU citizens more authority over the personal data that organizations gather, access and store.

So if you own a company in the United States and wish to comply with the General Data Protection Regulation, it is best to hire a professional attorney who can help you with your GDPR compliance.

Does the General Data Protection Regulation (GDPR) Apply to US Citizens?

The GDPR (General Data Protection Regulation) protects the personal data of anyone in the EU (European Union). Thus, when a US resident lives in an EU nation, the GDPR will apply to that person's information when a business gathers it.

In addition, the term "personal data" under the GDPR is considerably broader than in most US compliance regulations, which tend only to guard data used to perpetrate fraud. However, the GDPR can apply to businesses operating in the United States because it has extraterritorial reach, meaning it can also apply outside the EU (European Union), i.e. in the United States. And since the regulation is meant to protect European users, it can extend to foreign enterprises, too.

Still, numerous national and state-level privacy laws in the United States of America present similar protections. In addition, the California Consumer Privacy Act (CCPA) and California Privacy Protection Act (CalOPPA) govern the collection of "personally identifiable data" from any individual living in the state of California (which includes any California citizens who are EU residents).

Furthermore, the Children's Online Privacy Protection Act (COPPA) regulates the use, supply, and distribution of data belonging to any minor under the age of 13, regardless of nationality, so long as they stay in the US (United States) when their information is gathered.

What are the Most Crucial GDPR Prerequisites for US Businesses?

Any private or public sector business that supplies or processes personal data concerning EU (European Union) citizens must comply with the General Data Protection Regulation, even if it does not have a physical presence within the EU. The essential prerequisites are as follows:

  • Controllers: They determine the objectives and standards of processing individual data. They must execute reasonable technical and administrative steps to ensure and confirm that personal data processing is performed following the General Data Protection Regulation.
  • Processors: They process private information on the recorded instructions of a controller. In addition, processors can be internal bodies that keep and process individual data documents or an outsourcing company that fulfills all or part of those actions.

Besides, the GDPR holds both processors and controllers accountable for breaches of its requirements. Thus, your business and a data processing associate, such as a cloud service provider, will be accountable for penalties and other liabilities under the GDPR, even if the blame is entirely on the part of your processing associate. So to ensure you never have to pay hefty penalties for non-compliance, you must hire a professional attorney who can help you remain fully compliant with the GDPR laws applicable in the US.

GDPR Compliance Rules for US Companies

For your US company to comply with the GDPR (General Data Protection Regulation), here are some steps it must follow:

  • Maintain a Lawful Basis: The GDPR (General Data Protection Regulation) requires that you have at least one legal ground for processing individual data.
  • Ensure it's Opt-in Permission: While United States regulations generally allow the processing and collecting of private data without the user's permission, the GDPR demands that you gather "freely shared, explicit, informed and unambiguous" consent through an evident "opt-in" action.
  • Designate a Data Protection Officer (DPO): If a company is based outside the European Union, you may require a European agent to guarantee that your business complies with the GDPR. Nevertheless, a DPO (Data Protection Officer) appointment is optional.
  • Maintain Unambiguous Documents/Proof of Consent: The General Data Protection Regulation also gives users a specific right to withdraw permission. Therefore, it must be as effortless to withdraw permission as it is to give it. Since consent under the General Data Protection Regulation is a fundamental issue, you must record and maintain clear documents related to the consent.
  • Make Legally Mandated Disclosures Via your Privacy Regulation: This information should comprise who is processing the information, the user's rights regarding their data, and how they can use these privileges.
  • Guarantee that you can Safely Transmit EU Data: Under the General Data Protection Regulation (GDPR), you can only transmit EU resident data beyond the European Economic Area when specific data protections are fulfilled.

Requirements for Data Processing Contracts in the United States

The General Data Protection Regulation mandates that processors and controllers enter into a legally binding contract when a controller employs a processor to process private information on its behalf. In addition, controllers must only use processors that deliver adequate guarantees of appropriate technical and administrative steps to comply with the GDPR. These steps should be outlined in the company's data security guidelines.

In addition, Article 28 of the GDPR describes what must be incorporated in a Data Processing Agreement between a data processor and data controller. First, it must include the following information:

  • The subject matter, nature, duration, and objective of the data processing.
  • Prerequisites and privileges of the controller.
  • The kind of private data being processed.
  • Classifications of data subjects whose confidential information is being processed.

Furthermore, the contract must comprise the following conditions:

  • The processor handles all steps instructed by Article 32, including executing reasonable technological and administrative measures to guard confidential data obtained from the controller.
  • They will use private data obtained from the controller only on recorded instructions of the controller (unless mandated by law to process private data without such prerequisites).
  • The processor guarantees that any individual processing private data is subject to the responsibility of confidentiality.
  • Any sub-processors must comply with the same data protection prerequisites as the processor, and the processor stays directly accountable to the controller for the sub-processors' compliance with those data protection provisions.
  • They receive documented consent for any sub-processors the processor may hire to process the private data obtained from the controller. Moreover, if the controller delivers public written consent for hiring sub-processors, the controller must be entitled to object in advance to each person the processor offers to employ.
  • The processor helps the controller by executing reasonable technological and administrative efforts to reply to requests from data subjects under the GDPR.

Moreover, when your US-based organization is a part of a global corporation established in the European Union, and you regularly obtain data from your EU companions about EU residents, you are subject to regulations that control these data transmissions between nations.

In a nutshell, unlike industry-specific United States compliance laws like GLBA for finance or HIPAA for medicine, the GDPR is a public data privacy law that applies to all companies, public and private, that gather or process the private data of EU citizens. That implies many US businesses are also subject to the GDPR law.

At ContractsCounsel, we are a team of expert legal professionals, and our team of competent attorneys can help you remain compliant with all the GDPR statutes applicable to US companies. So why wait? Call our professional lawyers today and make your business fully GDPR compliant.

ContractsCounsel is not a law firm, and this post should not be considered and does not contain legal advice. To ensure the information and advice in this post are correct, sufficient, and appropriate for your situation, please consult a licensed attorney. Also, using or accessing ContractsCounsel's site does not create an attorney-client relationship between you and ContractsCounsel.
