How GDPR Impacts U.S. Businesses


What is GDPR?

As a marketer or business owner, you might be hearing this term being thrown around a lot lately. It is changing the way businesses collect, process, and handle information.

The GDPR is the European Union’s “General Data Protection Regulation.” It came into effect on May 25, 2018, with the aim of modernizing and harmonizing data protection law across the EU. It gives people in the EU greater control over their personal data and requires that their information be protected, regardless of whether the processing takes place in the EU or in another country.

The rules it replaces, the 1995 Data Protection Directive, were written when the internet was in its infancy. A lot has changed since then. With the convenience of technology and the ability to record almost everything, the amount of personal data that businesses collect has grown far beyond what those rules anticipated.

With GDPR, EU consumers now have control of their information again. They can control who can use their data and for what purpose. The internet doesn’t have to be so scary, as they post, click, and browse their way through websites anymore.

If you have noticed websites like Facebook asking you to review your privacy settings, it’s because of GDPR. GDPR is also the drive behind companies sending out emails asking if you’d like to unsubscribe from their mailing lists.

It’s all about protecting the consumer.

The GDPR gives individuals a set of rights that businesses must honor. The eight that matter most to marketers are:

  1. The right to access personal data – People in the EU can ask a company for a copy of the personal data it holds on them (a subject access request) and an explanation of how it is used. Businesses must respond within one month, free of charge (the deadline can be extended by a further two months for complex requests, but the person must be told about the extension within the first month). Under the previous UK rules, companies could charge up to £10 (about $14) for this. Individuals can also point out inaccurate data, which the company is required to correct.
  2. The right to be forgotten – Individuals can have their personal data erased when it is no longer needed for the purpose it was collected for, when they withdraw the consent the processing relied on, or when they object to the processing. Erasure must happen without undue delay and within the same one-month response window, and it covers every copy you hold, including data in backups (where it must at least be put beyond use until the backup is overwritten). There is no 24-hour deadline in the regulation. There are exceptions: you may keep data you are legally required to retain, such as tax records.
  3. The right to data portability – Individuals can request the data they provided to you in a structured, commonly used, machine-readable format (CSV or JSON, for example), and can ask to have it transmitted directly to another provider where that is technically feasible.
  4. The right to be informed – Individuals must be told, at the time their data is collected, who you are, what you collect, why, on what legal basis, how long you keep it, and whom you share it with. Consent is one lawful basis for processing, but not the only one (performing a contract, meeting a legal obligation, and legitimate interests are others). Where you do rely on consent, it has to be specific to each purpose. For instance, if you use cookies for affiliate links and a Facebook Pixel, you need separate, explicit consent for each. You also need separate check boxes for things like joining your email list and having personal data stored for communication about purchases, promotions, or sales; people may consent to or decline each purpose separately, and none of the boxes may be pre-ticked. Companies must obtain parental consent before collecting personal data from anyone under 16 in the EU (member states may lower that age to 13). Keep records of what each person opted into, when, and how.
  5. The right to have information corrected – Individuals in the EU can have inaccurate or incomplete information updated or corrected.
  6. The right to restrict processing – Individuals can ask for their information to be “restricted,” meaning that a company may keep storing the data but may not use it for anything else until the restriction is lifted.
  7. The right to object – Individuals in the EU can object to how their data is used. For direct marketing, including profiling done for marketing, the objection is absolute: processing must stop as soon as the request is received, with no exceptions. For processing based on legitimate interests or a public task, the company may continue only if it can demonstrate compelling legitimate grounds that override the individual’s interests.
  8. The right to be notified – Last but not least, if a data breach occurs, the company must notify its supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must tell the affected individuals without undue delay when the breach is likely to put them at high risk.

These updated privacy rules affect how the personal data of people in the EU can be collected, used, and stored. They force businesses to be much clearer about the information they collect on people. For example, Apple has started using privacy icons that indicate when it is gathering user data.

Who has to comply with GDPR?

Even if a business in the United States has no direct EU operations, it may still need to comply.

GDPR is meant to protect people in the EU, and many businesses outside the EU must comply as well, no matter what continent they operate from. The regulation applies to any business in the world that offers goods or services to people in the EU (regardless of whether any payment is required) or that monitors their behavior, which includes tracking EU visitors to your website with cookies or analytics. Businesses of every size, from global enterprises to one-person shops, are affected.

Under the GDPR, personal data is any information relating to a person that could be used to identify them, directly or indirectly, such as an IP address, a cookie identifier, location details, a name, an email address, photos, bank details, posts on social networking websites, or medical information. If you store any of this information about people in the EU, you must comply. Note that GDPR protects everyone residing in the EU, not just citizens. The EU is serious about protecting consumer privacy, and it comes with big penalties.

It comes with big penalties…

Companies that fail to meet the requirements of GDPR can face massive penalties. Fines for the most serious infringements can reach 4% of the company’s worldwide annual turnover or 20 million euros (about $24 million), whichever is higher. For huge tech companies like Facebook, that could mean over a billion dollars. And for small businesses, a fine of that order could break the bank.

And people are watching!

There are privacy advocacy groups just waiting to file GDPR complaints against major corporations. Google and Facebook faced complaints (filed by the Austrian group noyb) on the first day GDPR went into force. Since then, a broader group of US-based companies has been targeted by a French organization, La Quadrature du Net.

La Quadrature filed seven complaints against Facebook, Google (Gmail, YouTube, and Search), Apple, Amazon, and LinkedIn, a group it collectively calls “GAFAM” (the “M” is for Microsoft, LinkedIn’s owner). About 12,000 members of the public joined the complaints, which La Quadrature then formalized. The group has published the complaints (in French) as templates and invites any entity in Europe to “reuse them” to “attack GAFAM or so many others.” It also plans to file future complaints against services such as Skype, Outlook, Android, WhatsApp, and Instagram.

Companies are mitigating risk

With GDPR going into force, some companies (including the NY Daily News and the Chicago Tribune, as well as media and entertainment brand A+E, which owns A&E, Lifetime, and History) decided to block people in the EU from visiting their sites altogether, using messages like “Sorry, this content isn’t available in your area.” Blocking EU visitors buys those companies time to get everything in order and reduces their exposure while they are not yet GDPR-compliant.

American public radio organization NPR has found another solution to GDPR. Any users who refuse to agree to cookies and the like for personalized content can view a plain-text site.

How to comply

Update your privacy policy to comply with GDPR. Be open, in clear language, about the information you collect and how you use it, as well as any third-party service providers you share information with. Include that consumers have the right to access their personal data, as well as the right to be forgotten.

Here is a great example of a clear, easy to read, updated privacy policy by Social Media Examiner that complies with GDPR:

If you rely on consent to use consumer data in any way, make sure your consent form clearly asks for it, purpose by purpose. Consent has to be freely given: people must actively and knowingly opt in to communications such as newsletters, so pre-ticked boxes and consent buried in the terms of service do not count. It must also be just as easy to withdraw consent as it was to give it. An unsubscribe link at the bottom of every newsletter is the minimum, and the withdrawal should take effect immediately.

Take the same actions with your employees; check your internal data processes and procedures.

Data mapping

Maybe you need to sit down and figure out where all your data is even coming from, and what you are doing with it; make a data map. Locate where your data is stored, examine what you collect and why you collect certain kinds of data, as well as how you acquire it. Determine who can access it and if there are any risks to the data. Remember that over time, you may have accumulated data in numerous places… Excel spreadsheets, accounting, your CRM system, emails, files, instant messaging.

If you work in the digital marketing space, another common place to look is Google Analytics, where you may be gathering user IDs, hashed personal data, IP addresses, cookie identifiers, and behavioral data. To keep using Google Analytics under GDPR, do both of the following: reduce what you collect, for example by turning on its IP anonymization setting (which truncates the visitor’s IP address before it is stored) and by not sending user IDs you do not need; and add a notice to your website that tells visitors you use cookies and asks for their permission before any non-essential tracking starts. Be careful with the word “anonymize”: a truncated IP address or a hashed email address is pseudonymized, not anonymous, and pseudonymized data is still personal data under the regulation. A hashed email in particular can be reversed by anyone who can guess the input, so it needs the same protection as the original.
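To make “anonymize the data before you store it” concrete, here is an added example (not code from the original post, and not Google’s own implementation) that truncates client IP addresses the way analytics IP-anonymization options do, keeping the first three octets of an IPv4 address and the first 48 bits of an IPv6 address. The sample log lines are constructed for the example and use documentation address ranges, not real traffic.

```javascript
// Added example: truncate IP addresses before they reach analytics storage.
// IPv4 keeps the first three octets; IPv6 keeps the first 48 bits (three
// 16-bit groups). Assumption: the input is whatever the web server reported as
// the client address; anything malformed is rejected rather than guessed at.

const IPV4_OCTET = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;
const IPV6_GROUP = /^[0-9a-f]{1,4}$/i;

function anonymizeIPv4(addr) {
  const octets = addr.split('.');
  if (octets.length !== 4 || !octets.every((o) => IPV4_OCTET.test(o))) {
    throw new Error(`not an IPv4 address: ${addr}`);
  }
  octets[3] = '0'; // drop the host part
  return octets.join('.');
}

// Expand an IPv6 address into its eight 16-bit groups, resolving a single "::"
// (which stands for one or more all-zero groups). IPv4-mapped notation such as
// ::ffff:192.0.2.1 is deliberately rejected rather than partially parsed.
function expandIPv6(addr) {
  const parts = addr.split('::');
  if (parts.length > 2) throw new Error(`more than one "::" in ${addr}`);
  const left = parts[0] ? parts[0].split(':') : [];
  const right = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - left.length - right.length;
  if (parts.length === 1 ? missing !== 0 : missing < 1) {
    throw new Error(`wrong number of groups in ${addr}`);
  }
  const groups = [...left, ...Array(missing).fill('0'), ...right];
  if (!groups.every((g) => IPV6_GROUP.test(g))) {
    throw new Error(`not an IPv6 address: ${addr}`);
  }
  // Normalize: lower-case, strip leading zeros but keep a lone "0".
  return groups.map((g) => g.toLowerCase().replace(/^0+(?=.)/, ''));
}

function anonymizeIPv6(addr) {
  const [a, b, c] = expandIPv6(addr); // keep the /48, zero the remaining 80 bits
  return `${a}:${b}:${c}::`;
}

function anonymizeIp(addr) {
  return addr.includes(':') ? anonymizeIPv6(addr) : anonymizeIPv4(addr);
}

// Constructed sample access-log lines (documentation ranges, not real visitors).
const SAMPLE_LOG = [
  '203.0.113.42 - - [25/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:00:02 +0000] "GET /blog HTTP/1.1" 200 2048',
  '198.51.100.7 - - [25/May/2018:10:00:03 +0000] "GET /contact HTTP/1.1" 404 128',
];

// Rewrite the leading client-address field so only the truncated form is kept.
function anonymizeLogLine(line) {
  const [ip, ...rest] = line.split(' ');
  return [anonymizeIp(ip), ...rest].join(' ');
}

function anonymizeLog(lines) {
  return lines.map(anonymizeLogLine);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of anonymizeLog(SAMPLE_LOG)) console.log(line);
}
```

Run it with `node` to see the three sample lines rewritten. The truncation has to happen before the address is written anywhere (the analytics payload, the access log, the database), because once the full address is stored, every copy of that record is personal data that you have to be able to find and delete.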


If you use remarketing ads (such as the Facebook pixel), tell visitors as soon as they arrive on your site and ask for consent before the pixel loads; a pixel that fires on page load, before the visitor has answered, has already shared their data. Even if you don’t use tracking pixels or cookies yourself but publish sponsored content on your page, ask your clients whether their content uses pixels or cookies and why. If a client uses them for remarketing or to capture any personal information, you need to inform your site visitors and obtain consent just as if the tracker were your own.

In the digital marketing space, you will also want to look at your email opt-in procedure and your affiliate links. Affiliate links set a tracking cookie once the visitor clicks through, so you need consent for that cookie before the click happens. The simplest safe approach is to ask for consent, purpose by purpose, as soon as the visitor enters your website and to hold back every non-essential tracker until they have answered.
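The consent rules described above (separate consent per purpose, nothing loaded before the visitor answers, withdrawal as easy as opting in, and a record of who chose what) can be enforced in one place on the site. The following is an added example, not code from the original post or from any of the plugins named below; the purpose names, storage key, and script URL are placeholders for the example, and `memoryStore` stands in for the browser’s `localStorage` so the logic can run outside a browser.

```javascript
// Added example: a minimal per-purpose consent gate. Trackers are registered
// against a purpose and only load after the visitor opts in to that purpose.
// An unanswered or pre-ticked choice counts as refused.
// Assumptions: PURPOSES, STORAGE_KEY and the script URL below are placeholders.

const PURPOSES = ['analytics', 'remarketing', 'affiliate'];
const STORAGE_KEY = 'consent-v1'; // placeholder; change it when the purposes change

// Map-backed stand-in for window.localStorage (same getItem/setItem contract).
function memoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

function createConsentGate(store) {
  const state = {
    decided: false,
    choices: Object.fromEntries(PURPOSES.map((p) => [p, false])), // default: refused
    log: [], // consent record: when, how (which UI), and what was chosen
  };
  const trackers = new Map(); // purpose -> [{ name, load, loaded }]

  function persist() {
    store.setItem(STORAGE_KEY, JSON.stringify(state));
  }

  function restore() {
    const raw = store.getItem(STORAGE_KEY);
    if (!raw) return;
    try {
      const saved = JSON.parse(raw);
      for (const p of PURPOSES) state.choices[p] = saved.choices?.[p] === true;
      state.decided = saved.decided === true;
      state.log = Array.isArray(saved.log) ? saved.log : [];
    } catch {
      // corrupt or tampered value: keep the refuse-everything defaults
    }
  }

  function fire(purpose) {
    for (const t of trackers.get(purpose) ?? []) {
      if (!t.loaded) {
        t.load();
        t.loaded = true;
      }
    }
  }

  function register(purpose, name, load) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (!trackers.has(purpose)) trackers.set(purpose, []);
    trackers.get(purpose).push({ name, load, loaded: false });
    if (state.choices[purpose]) fire(purpose); // consent already on record
  }

  // choices: { purpose: boolean }; any purpose not listed stays refused.
  function decide(choices, source) {
    for (const p of PURPOSES) state.choices[p] = choices[p] === true;
    state.decided = true;
    state.log.push({ at: new Date().toISOString(), source, choices: { ...state.choices } });
    persist();
    for (const p of PURPOSES) if (state.choices[p]) fire(p);
  }

  // Withdrawal is a single call. A script that already ran cannot be taken
  // back in this page view, but it will not load again on any later visit.
  function withdraw(purpose) {
    decide({ ...state.choices, [purpose]: false }, 'withdraw');
  }

  restore();
  return {
    register,
    decide,
    withdraw,
    needsPrompt: () => !state.decided,
    allowed: (purpose) => state.choices[purpose] === true,
    loadedTrackers: () => [...trackers.values()].flat().filter((t) => t.loaded).map((t) => t.name),
    history: () => state.log.slice(),
  };
}

// Browser wiring (skipped outside a browser): one un-ticked checkbox per
// purpose in the banner; on submit, call gate.decide({...}, 'banner').
if (typeof document !== 'undefined') {
  const gate = createConsentGate(window.localStorage);
  gate.register('analytics', 'analytics-script', () => {
    const s = document.createElement('script');
    s.src = 'https://example.com/analytics.js'; // placeholder URL
    document.head.appendChild(s);
  });
  if (gate.needsPrompt()) {
    // show the consent banner here
  }
}
```

Two design points are worth noting. First, the stored record is read back with strict `=== true` checks, so a tampered or stale value can only ever result in fewer trackers loading, never more. Second, the `history()` record is what you produce when someone asks how and when they consented, which is the evidence the regulation expects you to keep.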

Data clean-up

Clean up your data by eliminating ROT (redundant, obsolete, and trivial data). This will help you organize your data while cutting storage costs and liability: data you no longer hold cannot be breached, and does not have to be found and produced for an access request. Industry estimates often put the share of enterprise data that is ROT at around 70 percent.

Data security

Put security measures in place to guard against data breaches, and decide in advance how you will respond if one occurs. The clock starts when you become aware of the breach: you have 72 hours to notify the supervisory authority, and affected individuals must be told without undue delay if the breach is likely to put them at high risk. Keep a written log of every incident, including the ones you decided did not need reporting and why, because the authority can ask to see it.

You should also establish an internal, company-wide system for protecting personal data, and make sure it is understood by all staff members. Consider having a specific, comprehensive GDPR training program for your employees, so they can learn and have the opportunity to ask questions about data protection and consumer privacy.

If you work with any partners, ensure that they, too, are GDPR-compliant and have proper security measures in place. Outsourcing the work does not outsource the responsibility: you remain accountable as the data controller, so check with your partners and suppliers, and put a written data processing agreement in place with any vendor that handles personal data on your behalf (the regulation requires one).

It will probably help to assign someone specific to keep an eye on your business’s privacy and security practices. In some cases, companies are required to officially appoint a Data Protection Officer. This is required of 1) companies whose core activities involve large-scale processing of special categories of data (such as race, health, or genetic data) or criminal-conviction data, 2) companies whose core activities involve regular and systematic monitoring of individuals on a large scale, and 3) public authorities.

Compliance tools

Here are a few tools that will help you comply with GDPR (as recommended by Social Media Examiner):

  • GDPR is a WordPress plugin that is an all-in-one solution for GDPR-compliance. They have options for consent management, privacy policy configurations, fulfilling data export requests, and more.
  • Shariff Wrapper prevents the automatic transmission of data via sharing plugins.
  • GDPR Personal Data Reports generates personal data reports for users looking to take advantage of their Right of Access.
  • Wider Gravity Forms Stop Entries allows Gravity Forms users to stop sensitive information from being stored on their servers.
  • Delete Me allows users to delete their own accounts and profiles.

Here’s another great WordPress plugin that will help you comply with GDPR. It informs users that your site uses cookies and asks for consent: Cookie Notice


While the US has no equivalent federal law, the writing is on the wall: California passed its own Consumer Privacy Act (CCPA) in June 2018, and we could very well see more regulations like this in the near future.

It might be a bit of a process switching things over and getting everything in line with this regulation, but once you do, your consumers will thank you. Being GDPR-compliant will show your business’s honesty and transparency. In the long term, it will create trust, loyalty, and better customer experiences. It will help you stand out from your competitors, as it proves your company cares about consumers. Use this as an opportunity to clean up, reorganize, and reevaluate the information you collect on consumers. This can also help you be WAY ahead of the game should we see changes in the US. You might even gain some new insights into your business and marketing strategy.

Remember though… Complying with GDPR isn’t a “one and done” deal. It’s an ongoing process that requires constant monitoring. It’s a reminder to always protect your customers and their privacy.


Until next time…
Chill Digital Marketing


Copyright © 2019 Chill Digital Marketing All Rights Reserved