Questions remain about GDPR enforcement in the US as the compliance deadline inches closer

The European law provides for regulatory oversight for its member states, but it's unclear about who will enforce it outside the EU.

Robin Kurzer on May 16, 2018 at 4:01 pm | Reading time: 4 minutes

If you read these pages regularly, you know that the General Data Protection Regulation (GDPR), a European law that governs the handling of European Union (EU) members’ data, will come into full force on May 25. But even with all the coverage — and there’s a lot — we’re still unclear as to how the law will be enforced in the United States.

I spoke with Kristina Podnar, a digital policy consultant who is a GDPR advisor to Third Door Media, to see if we could get some clarity. We got — well, some. Here’s what we learned.

Who regulates GDPR compliance for US companies?

Who regulates US companies depends on your definition of “US company.” If a US company is a multinational with local legal market presence in the EU (i.e., they are a company’s local business entity), then the EU Data Protection Act (DPA) regulations prevail and the company is subject to the local member state system.

If you are talking about a US company that does business in the EU but is not a multinational, then the Federal Trade Commission (FTC) regulates US companies. The FTC has made itself the de facto DPA under Section 5 of the FTC Act (invoking unfair or deceptive trade practices, they have been able to make proclamations such as [if] a company failed to adopt reasonable security measures). This FTC concept of a DPA has been challenged, of course (TJX, Google, etc.), but the FTC is looked to from an EU perspective for enforcement because of the tradition that was created pre-GDPR in the ePrivacy Directive era.

Who do US companies notify in case there’s a breach?

GDPR requires businesses to report a breach within 72 hours. Podnar says that companies need only notify data subjects if the breach is likely to result in high risk to the rights and freedoms of the individuals.

In terms of the company reporting, it depends on what data is breached and again, where the organization is operating in terms of its status. If it is a multinational, the organization ought to report the breach to the supervisory authority of the relevant EU member state (or multiple states, as the case may be). In the US, we now have data breach reporting requirements for all 50 states as well; the lowest thresholds are in California. Therefore, the US company would also need to comply with those requirements separately from GDPR obligations and report the breach domestically (FBI and FTC are notified as an extension of the state AG).

Who does a consumer report a data handling issue to?

Podnar said that if a consumer (or data subject) has an issue with a data processor or a controller, they should address the situation first with the controller.

The [European] member state DPA is the escalation point to report issues to with a controller or even with a processor who is unresponsive to the request made to the controller.

So, for example, if I live in London and make a request to a controller for data correction of an error, but the processor continues to retain the incorrect data, I could report the issue to the ICO for correction.

Getting enforcement of such on a US company with no regional legal business entity may be challenging, but … the arm of international business law is long and there are established protocols for enforcement of foreign judgements in the US (albeit they might be lengthy and impractical!).

So there you have it. What we know for certain is that on May 25, companies that handle EU residents’ data are legally required to be compliant with GDPR. If they aren’t compliant? Well, that’s anybody’s guess.


About The Author

Robin Kurzer
Robin Kurzer started her career as a daily newspaper reporter in Milford, Connecticut. She then made her mark on the advertising and marketing world in Chicago at agencies such as Tribal DDB and Razorfish, creating award-winning work for many major brands. For the past seven years, she’s worked as a freelance writer and communications professional across a variety of business sectors.
