GDPR implications on marketing activities of a US company

of one

General Data Privacy Regulation (GDPR)

As the General Data Privacy Regulation (GDPR) will be coming into effect in Europe soon, many articles have been published to try to tackle what this might mean for United States companies who market to or do business within Europe. We have searched through numerous sources and were able to find many that should be of help in interpreting how this new regulation might impact marketing of U.S. firms that have members or some of their operations within Europe.

1. Herrick offers an extensive look into the ten key provisions of the GDPR that will affect U.S. businesses and their ability to market to or do business with EU residents. It also offers background information on the current U.S. Privacy Shield framework that U.S. companies already need to comply with when doing business with EU residents, and explains how the GDPR differs and is likely to be even more cumbersome for small to medium-sized businesses to adjust to in particular. Also, U.S. companies who utilize 3rd party data processors based in the EU may find their transfer of data shut down if EU regulators believe that the businesses are in breach of the GDPR.

2. Clickz

According to, the GDPR will help to initiate a new era of privacy awareness for consumers and businesses, and will help create long-needed reforms within U.S. organizations who have marketing or physical presence in Europe. Many multi-national U.S. companies have already set aside over a million dollars each to re-assess their data storage processes to ensure they are in compliance with the GDPR, initiating complete overhauls of how data professionals and all others within their companies will comply with the new regulations.

3. Loyalty360

This article on discusses the difficulties these new regulations will cause for marketers in particular since they will now require proof of explicit consent to store consumer data, and all stored data must be verified as protected. The specialist in this article suggests three key ways to help companies ensure that they can gain EU consumer consent: "Ask for less" so customers are more likely to agree to give data; once you have the data, store it all in one place to ensure compliance; finally, be careful to use the personal data only in a way that complies with the regulations.

4. The DMA

The Data and Marketing Association's GDPR compliance experts explain how the regulations will affect emailing and loyalty programs of U.S. companies doing business in the EU, with companies now having to ensure that consumers opt-in to being marketed to, rather than simply needing an opt-out option on all marketing emails. Consent must be made clear, and be requested in plain language rather than in fine print or the terms and conditions. The GDPR will now especially affect marketing to youth under 16 years of age who will need parental consent to authorize the use of the children's data.

5. WorkPlace Privacy Report

The Workplace Privacy, Data Management & Security Report cautions that the GDPR may affect some U.S. organizations even if no financial transactions have taken place. Generic online marketing that isn't specifically targeting EU residents likely will not be affected by the GDPR, however if a "website pursues EU residents, accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country," the business will need to comply with the GDPR.

6. Skyword focuses on the difficulties U.S. businesses will face in using "programmatic ad strategies" in their marketing to EU consumers. As businesses will now have to receive explicit consent to all data use, and programmatic ad strategies utilize many data points in order to personalize the date for the consumer, it is unlikely that consumers will opt-in to enough data points to receive accurately targeted ads.

7. JDSupra highlights key areas U.S. companies should focus on while making sure their marketing and business practices comply with GDPR standards. These key areas are their privacy policies, vendor management, and how they obtain consent. This article also offers some steps to help U.S. businesses get started in becoming GDPR compliant.

8. highlights several key areas of the GDPR that will affect U.S. businesses who wish to market to or do business with European consumers. These key areas are clear consent, swift notification of data breaches within 72 hours, and the right of EU consumers to be forgotten on request. However, encourages U.S. businesses to see this as an opportunity to gain a competitive advantage, as consumers may choose to do business with GDPR compliant companies who they see as valuing their right to privacy and safe storage of private information.

9. Mayerbrown focuses specifically on U.S. e-commerce businesses and how they will be affected by the GDPR. The key areas of focus are the territorial scope of these regulations, the need for a legal basis to process and store private information, and the issue of retention periods as private information is meant to be deleted as soon as possible under the GDPR, rather than the information being kept for future marketing promotions. Also, U.S. companies will need to ensure they have clear privacy notices, allow consumers control and access to their own private information, and create contracts with third parties to ensure that they are also in compliance with the GDPR rules.


While the General Data Privacy Regulation will add in some complexity for U.S. companies who market to the EU or have some operations there, it is generally seen as a very positive addition for consumers. With preparation, U.S. companies will still be able to market to and email EU customers, but they will have to be much more careful with storing information and with gaining consent to contact. As well, using third parties in contact with the private information can be risky and will require extra contracts and precautions to protect both the U.S. companies and the consumer data.