What Startups and Small Businesses in the US Need to Do to Comply with the GDPR


The first question is: does your startup collect data from, store information of, sell products to, or monitor the behavior of anyone in the European Union?

If the answer is no, which means you are certain that none of your users are located in the EU (including while traveling there), you can stop reading.

If the answer is yes, then you have some work to do.

If your business collects names or email addresses, sets cookies on the browsers of, or logs IP addresses from anyone located in the European Union (and almost all companies do), there is a new law that applies to you starting May 25, 2018. It is called the General Data Protection Regulation, or GDPR. And it applies to you whether your business is domiciled in Copenhagen, Paris, Delaware, Colorado, or Timbuktu.

The bad news is that compliance requires focused effort, drawing on both technical and legal input, to ensure your company does not run afoul of these new regulations.

The really bad news is that the penalties are significant: for the most serious violations, fines of up to 20 million euros or 4% of global annual turnover, whichever is higher.[1]

The good news is that this will be a wake-up call for many startups that are long overdue for a health and sanity check when it comes to what they do with their data. The truth is, many companies post privacy policies they found online and never give them a second thought. Not only do many such companies not actually comply with their own privacy policies, they’re not sure what’s in them.

That wasn’t a good practice before. And under the regime of the GDPR, there are serious consequences for that behavior.

Unfortunately, it is not possible to draft a one-size-fits-all privacy policy that works for every organization, because different organizations collect, manage, store, and use information and data in different ways. The only way to comply with the GDPR is:

(1) to have a clear understanding of how your organization collects, manages, stores, and uses data, including which third parties (hosting providers, analytics and marketing vendors) it is shared with

(2) to inform your users about that data handling, typically through your privacy policy

(3) where you rely on consent as your lawful basis for processing, to receive affirmative consent from your users about those details, for instance by requiring users to push a consent button (simply posting a privacy policy on your site is not good enough anymore; users must affirmatively opt in, and pre-ticked boxes or silence do not count). The GDPR also recognizes other lawful bases, such as processing necessary to perform a contract with the user or to pursue a legitimate interest, but whichever basis you rely on must be identified and documented

(4) to comply with your policy in a consistent way, and to be able to demonstrate that you do

To do this right, you’ll have to work with your technical personnel and put real time into this policy and its implementation.

This is now the reality of doing international business in 2018.

For more details about how our firm can help you comply with the GDPR, contact us at Info@mccarthylg.com

[1] We are not trying to scare you. The exact extent to which the EU will be actively enforcing this new regulation on American companies without a physical location in Europe is unknown. It is certainly—and I say this with the deep affection of a dual citizen of the US and Ireland—the most horrific, sprawling mess of a regulation that I have ever seen. But as we read this new regulation, it will apply to most US companies—and impose potential liability, including fines, on those that do not comply. Thus, we are helping our US companies do their best to comply with it.
