Data protection in the US vs Europe: what businesses need to know


Data protection laws differ between countries and continents. Here’s what you need to know about data protection in the US vs Europe.

Every business handles data, and there are countless laws and regulations around protecting that data. This is a good thing for consumer privacy, but these regulations are often confusing for businesses to navigate – particularly if you deal with customers, clients, employees and/or vendors in different countries.

So this week, we’ve tried to break down the different data protection rules and regulations so you can make sure you’re compliant across jurisdictions. Of course, this is just a guide; you should always seek legal advice before making any decisions about how you process, handle or store data.

Here’s what you need to know about the differences for data protection in the US vs Europe.

1. Data protection laws in the EU and UK

In Europe, data protection has long been treated as a fundamental human right to privacy. Currently, the EU is working under the Data Protection Directive, which applies to all businesses and sectors.

But as of 25th May 2018, the General Data Protection Regulation will take full effect. And yes, despite Brexit muddying the waters, the GDPR applies to all businesses in the UK. This redefined and more stringent regulation takes the existing law a giant step further, delivering even greater transparency and trust for the individual around data collection, privacy and the sharing of personal data. Read about how you can prepare your business for the GDPR here.

2. Data protection laws in the US

By contrast, the US doesn’t apply the same ‘citizen first’ approach to data handling and protection. But there are two key federal laws which prevent ‘unfair and deceptive practices’ and make sure children’s data (see additional reference here) is protected properly.

There are also some fragmented, sector- or state-oriented approaches to data privacy in the United States. The key approaches relate mostly to healthcare companies and financial institutions. The state of California (see California Law – Online Privacy) has its own separate data protection act, too.

Clearly, US data protection laws aren’t non-existent. If anything, they’re wide-ranging, complex and vague. But while they’re expansive, some say that US data protection laws aren’t as stringent as those in the EU.


3. What if I’m in the US, and have customers in the EU? Or we’re planning an overseas expansion?

Doing business in the EU offers a huge opportunity for businesses to increase their market share and revenue. But if you’re setting up an international office or transferring data across the Atlantic, you need to make sure the data stays lawfully protected.


Here are the current US-EU privacy agreements:

PwC has a Global Privacy and Security Enforcement Tracker exploring key privacy issues, trends and enforcement actions for 36 countries across the world. Their Privacy Reset piece addresses the ESG (environmental, social and governance) standards for company operations.

4. What if we use digital marketing tools, website cookies, or automated emails?

The digital world means business marketers are likely to be collecting the data of customers from the US and the EU – and indeed, all over the world.

In the US, data that needs to be protected is classed as ‘Personally Identifiable Information’ (PII) – this includes things like names, addresses, telephone numbers etc. Any information used for marketing purposes works on an ‘opt-out’ basis for privacy (under the aptly named CAN-SPAM Act; see the FTC Compliance Guide).

In the EU, businesses are required to protect all ‘personal data’, including cookies and IP addresses. Currently, tick-box consent, or a simple ‘okay, I get it’ button on your site, is sufficient for the use of that data.

With GDPR, you need to obtain unambiguous consent for data usage, including explicit consent for cookie tracking. You’ll need to get a double opt-in for all marketing communications too.

5. The GDPR is likely to go global, but it’s not all bad

Although there are definitely advantages to the relaxed data stance in the US, ultimately it’s a problem because consumers in the US don’t trust companies with their data.

Not only this: unclear laws are complex for businesses to follow, meaning you can easily be caught out for accidental misuse – and maybe even fined.

Due to its simplicity, the GDPR is a model student for data protection. It’s the simpler narrative, and it’s very likely to eventually go global. So any future-driven company that’s not in the EU should be looking to comply anyway.

6. The really good news: the GDPR regulations have proven to be beneficial for digital marketing

The stricter GDPR regulations, imposed to ensure businesses follow data rules, have delivered some great business benefits. They’ve led to greater innovation, better communications, more relevant information and more loyal contact lists.

The GDPR actually fortified the era of inbound and permission marketing, as opposed to spam and one-way communications.

If you use marketing automation tools, many of them are working towards being pre-configured with data protection standards, so you’ll probably just need to tweak a few settings to get your digital marketing under control.

HubSpot, for example, is already compliant with Privacy Shield, and is ahead of the game with GDPR. Here’s how to switch on double opt-in.

Need more help with compliant data protection?

help ensure you maintain compliance with the GDPR and other data protection laws. If you’re expanding into the EU, we specialise in helping companies set up an office overseas, too.
