What Is the GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) was adopted by the European Parliament and Council on April 27, 2016, and took effect on May 25, 2018. It replaced the 1995 Data Protection Directive and established a unified data protection framework across all EU member states. The GDPR is enforced by data protection authorities in each EU member state.
The GDPR governs the collection, processing, storage, and transfer of personal data of individuals in the European Economic Area (EEA), which includes all EU member states plus Iceland, Liechtenstein, and Norway. The United Kingdom has its own version, the UK GDPR, which is substantially similar and was retained after Brexit.
Does the GDPR Apply to U.S. Businesses?
Yes, the GDPR can apply to businesses outside the EU. Under Article 3, the GDPR applies to organizations that:
- Have an establishment in the EU and process personal data in the context of that establishment, or
- Offer goods or services to individuals in the EU (even if no payment is required), or
- Monitor the behavior of individuals in the EU (such as through website tracking or profiling)
If your website uses cookies or analytics tools that track visitors from the EU, collects email addresses from EU residents for a newsletter, or sells products or services to EU customers, the GDPR likely applies to you. The regulation does not require that you specifically target the EU market -- simply being accessible and collecting data from EU visitors can trigger obligations.
Key Concepts
Understanding GDPR requires knowing these fundamental terms:
- Personal data -- Any information relating to an identified or identifiable person. This includes names, email addresses, IP addresses, cookie identifiers, location data, and more.
- Data subject -- The individual whose personal data is being processed
- Data controller -- The entity that determines the purposes and means of processing personal data (typically your business)
- Data processor -- An entity that processes personal data on behalf of the controller (such as your email service provider, analytics platform, or hosting company)
- Processing -- Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or deletion
- Lawful basis -- A legal justification for processing personal data. The GDPR requires that every processing activity has one of six lawful bases.
The Six Lawful Bases for Processing
Under Article 6 of the GDPR, you must have one of these lawful bases to process personal data:
- Consent -- The individual has given clear, affirmative consent for a specific purpose
- Contract -- Processing is necessary to perform a contract with the individual or to take pre-contractual steps at their request
- Legal obligation -- Processing is necessary to comply with a legal obligation
- Vital interests -- Processing is necessary to protect someone's life
- Public task -- Processing is necessary to perform a task in the public interest or exercise official authority
- Legitimate interests -- Processing is necessary for legitimate interests of the controller or a third party, unless overridden by the individual's rights
For most business websites, consent and legitimate interests are the most commonly relied upon bases. Marketing emails generally require consent. Analytics may rely on legitimate interests, depending on the type of data collected and how it is used, though cookie-based tracking typically requires consent under the ePrivacy Directive.
Consent Requirements
When consent is the lawful basis, the GDPR sets a high standard for what constitutes valid consent:
- Freely given -- The person must have a genuine choice and must not be penalized for refusing consent
- Specific -- Consent must be given for specific, clearly stated purposes
- Informed -- The person must be told who is collecting their data, what it will be used for, and their rights
- Unambiguous -- Consent requires a clear affirmative action (such as checking an unchecked box). Pre-checked boxes, silence, or inactivity do not count as consent.
- Withdrawable -- People must be able to withdraw consent as easily as they gave it
Individual Rights Under GDPR
The GDPR gives individuals specific rights regarding their personal data:
- Right of access -- Individuals can request a copy of the personal data you hold about them
- Right to rectification -- Individuals can request correction of inaccurate personal data
- Right to erasure ("right to be forgotten") -- Individuals can request deletion of their personal data under certain circumstances
- Right to restrict processing -- Individuals can request that you limit how you use their data
- Right to data portability -- Individuals can request their data in a structured, machine-readable format
- Right to object -- Individuals can object to processing based on legitimate interests or for direct marketing
Penalties for Non-Compliance
The GDPR has a two-tier penalty structure:
- Lower tier -- Up to 10 million euros or 2% of the organization's annual global revenue (whichever is higher) for violations related to technical and organizational measures, record-keeping, or data protection impact assessments
- Upper tier -- Up to 20 million euros or 4% of the organization's annual global revenue (whichever is higher) for violations related to the principles of processing, lawful basis, consent, data subject rights, or international data transfers
While the largest fines have been imposed on major technology companies, smaller businesses have also been fined. EU data protection authorities consider factors like the nature of the violation, the number of individuals affected, the degree of cooperation, and any steps taken to mitigate damage when determining penalties.
Practical Steps for Website Owners
- Implement a cookie consent banner -- Before setting non-essential cookies (analytics, advertising, etc.), obtain affirmative consent from EU visitors. Do not use pre-checked boxes or cookie walls that deny access unless cookies are accepted.
- Write a clear privacy policy -- Include who you are, what data you collect, why you collect it, what lawful basis you rely on, how long you retain data, and how individuals can exercise their rights
- Audit your data collection -- Identify every place your website collects personal data (contact forms, newsletter signups, analytics, payment processing) and document the purpose and lawful basis for each
- Review third-party services -- Ensure any service that processes personal data on your behalf (analytics, email marketing, hosting) offers GDPR-compliant data processing agreements
- Enable data subject rights -- Have a process for responding to access, deletion, and other rights requests within one month
- Minimize data collection -- Only collect personal data you actually need and delete it when it is no longer needed
- Secure personal data -- Implement appropriate security measures including encryption, access controls, and regular security reviews
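As an added illustration of the cookie-consent step above (example code, not from the original page): a small consent gate in which non-essential cookies are set only after an explicit opt-in, the default is no consent, and withdrawal is one call and also removes what was already set. The in-memory cookie jar (a browser would use document.cookie) and the cookie and category names are assumptions.

```javascript
// Consent gate for non-essential cookies. Added example, not code from the
// original page; the in-memory cookie jar (a browser would use document.cookie)
// and the cookie-to-category map are assumptions.
const ESSENTIAL = "essential";
const CATEGORIES = ["analytics", "advertising"];
// Unlisted cookies count as non-essential, so an unmapped tracker is never set.
const COOKIE_CATEGORY = {
  session_id: ESSENTIAL,
  csrf_token: ESSENTIAL,
  _ga: "analytics",
  ad_id: "advertising",
};

class ConsentGate {
  constructor() {
    this.jar = new Map(); // cookie name -> value
    this.record = null;   // stays null until the visitor makes a choice
  }
  // No pre-checked boxes: silence or inactivity means no consent.
  consented(category) {
    return this.record !== null && this.record.choices[category] === true;
  }
  // Record an affirmative choice for exactly the categories ticked, with a
  // timestamp so you can show when consent was obtained.
  grant(categories) {
    const choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
    for (const c of categories) {
      if (CATEGORIES.includes(c)) choices[c] = true;
    }
    this.record = { choices, at: new Date().toISOString() };
  }
  // Withdrawal is as easy as granting, and clears cookies already set.
  withdraw(categories) {
    if (this.record === null) return;
    for (const c of categories) {
      this.record.choices[c] = false;
      for (const [name, cat] of Object.entries(COOKIE_CATEGORY)) {
        if (cat === c) this.jar.delete(name);
      }
    }
  }
  // Single choke point for every cookie write; returns whether it was set.
  setCookie(name, value) {
    const cat = COOKIE_CATEGORY[name] || "unknown";
    if (cat !== ESSENTIAL && !this.consented(cat)) return false;
    this.jar.set(name, value);
    return true;
  }
}
```

Routing every cookie write through a single gate like this is what makes the "no non-essential cookies before consent" rule auditable: one place to check, one place to log.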
For related privacy topics, see our guide on the Electronic Communications Privacy Act, which covers U.S. electronic communications privacy law.