When GDPR took effect in 2018, many US companies responded by blocking European IP addresses and hoping the problem would go away. That approach is no longer viable — and for many organizations, it was never adequate to begin with.
The US privacy landscape has changed dramatically. A patchwork of state privacy laws now covers a significant majority of the US population, and GDPR enforcement against US companies has produced material penalties.
GDPR: Still Relevant for US Companies
The General Data Protection Regulation applies to any organization that processes personal data of EU residents — regardless of where the organization is located. If you have European customers, website visitors from the EU, or employees in Europe, GDPR applies to some aspect of your data processing.
Key GDPR principles that drive US business obligations:
Lawful basis for processing. You must have a legal basis for processing personal data — consent, contract performance, legitimate interest, legal obligation, etc. Ad hoc data collection without a documented legal basis is a violation.
Data subject rights. EU residents have rights: access to their data, correction of inaccurate data, deletion (the "right to be forgotten"), portability, and the right to object to certain processing. You need processes to respond to these requests.
Data breach notification. Breaches affecting EU residents must be notified to the relevant supervisory authority within 72 hours of discovery. If the breach creates high risk to individuals, they must be notified too.
Data processing agreements. Sharing EU personal data with vendors requires data processing agreements (DPAs). Sound familiar? Similar concept to HIPAA's BAAs.
Enforcement has been real: Meta has faced multi-billion dollar fines. Significant penalties have hit companies across industries, including US companies.
CCPA and the State Privacy Law Patchwork
California's CCPA (enhanced by CPRA) was the first comprehensive US state privacy law. It has since been joined by Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Florida, Oregon, and others, and the list keeps growing. By 2025, a significant majority of US consumers are covered by at least one state privacy law.
These laws share core concepts — rights to access, delete, and opt out of the sale of personal data — but differ in scope, thresholds, and enforcement mechanisms.
Who's covered: Thresholds vary. CCPA covers businesses that (a) have revenue over $25M, (b) annually process data of 100,000+ consumers, or (c) derive 50%+ of revenue from selling personal data. Other states use comparable but not identical thresholds, so check each state's specific scope.
Consumer rights: Access requests (what data do you have about me?), deletion requests, and opt-out of sale are standard. Some states add correction rights and opt-in requirements for sensitive data categories.
Enforcement: CCPA allows private rights of action for certain data security breaches ($100–$750 per consumer per incident). Regulatory enforcement from state AGs and (in California) the CPPA is active.
Building a Privacy Program
Treating each privacy law as a separate compliance project is unsustainable. The organizations managing this well have built foundational privacy capabilities that address multiple regulations simultaneously:
Data inventory. Know what personal data you have, where it lives, how it's processed, and who it's shared with. This is foundational to every privacy framework.
Privacy notices. Clear disclosure of what data you collect, how you use it, with whom you share it, and what rights individuals have.
Rights management process. A repeatable process for receiving, verifying, and responding to access, deletion, and opt-out requests within required timeframes.
Vendor management. DPAs with vendors who process personal data on your behalf.
Security-privacy alignment. Data security is a component of privacy compliance. GDPR specifically requires "appropriate technical and organizational measures," and a documented security program is how you demonstrate that this requirement is met.
The Trend Is Toward More Regulation
The US federal privacy law conversation has been ongoing for years without legislation. In the meantime, states continue to legislate. The trajectory is clear: privacy compliance requirements will expand, not contract. Building foundational privacy capabilities now is a better investment than reactive compliance with each new law.