The General Data Protection Regulation (GDPR), effective on May 25, 2018, exists in the penumbra of uncertainty for US businesses. In sum, most small US businesses focused only on domestic outreach should not be implicated by these new regulations. This is because the EU doesn’t intend to impact the standard US business outside of its borders: the law applies to consumers in the EU when the consumers’ data is collected—an EU citizen on a computer in the US will not trigger the GDPR. Moreover, generic marketing such as search engine optimization should not trigger the GDPR.
On the other hand, if the GDPR is triggered, it can involve some rather hefty fines: the greater of €10MM or 2% of global turnover for smaller offences. Indicia that your business is targeting consumers in the EU include explicit mention of customers from those various countries and offering information in the pertinent languages on the website. Certainly, offering the website entirely in various European languages could invoke the GDPR.
Uncertainty remains in how strictly and severely the EU will enforce these new regulations should a business relatively contained within the US inappropriately collect personal information from EU users. Unless your business has an international component, such as travel or the e-commerce of a multinational brand, the data protection of your website is likely sufficient. It’s always a good idea to contact your IT department to confirm compliance with best practices, though. Of course, you are welcome to call me anytime to discuss the specifics of your business, your online presence, and these new regulations.
As always, feel free to contact me at firstname.lastname@example.org if you have any questions.