All of a sudden, Americans have found themselves deluged by so many emails promising updated privacy practices that these notices have reached meme status—and yet for many people, the underlying cause of this sudden hullabaloo has been a mystery.
For Americans, this regulation understandably flew mostly under the radar, since after all, it’s European. However, most American companies were all too aware that they had to comply regardless, if they held any personal information on EU citizens.
In fact, any company, anywhere in the world, with such information—say, any organization with an email mailing list that has someone from Europe on it—must comply with GDPR or face draconian fines and other enforcement measures.
Doesn’t the US already have regulations like GDPR?
The US has privacy regulations of its own, of course. In fact, anti-spam legislation provides for some of the same controls that GDPR does—giving email recipients the right to opt out, for example.
Email, however, is only the tip of the GDPR iceberg. The regulation goes well beyond email, covering everything a company might do with personal information: collecting it, storing it, using it, and disseminating it.
In large part, GDPR regulations are stricter than the American equivalents—although this rule is not universal, as in some cases, US laws are even tougher than Europe’s.
For US firms that must comply with both GDPR and US laws, the question thus becomes one of consistency: what set of activities must a company undertake in order to be sufficiently compliant overall?