Data Protection in United States

A European technology company launches a SaaS platform in the United States and begins collecting user data across multiple states. Within months, it faces a patchwork of state-level privacy laws, federal sector regulations, and the looming question of whether its EU data practices satisfy American transfer mechanisms. The cost of getting this wrong – in fines, class actions, and reputational damage – can far exceed the cost of structured legal advice from the outset.

Data protection in the United States is governed by a layered system of federal sector-specific legislation and state-level privacy laws, with no single comprehensive federal privacy statute in force. International businesses operating in the US must comply with obligations arising from multiple regulatory regimes simultaneously, including requirements imposed by states such as California, Virginia, Colorado, and Connecticut. Compliance timelines vary by jurisdiction and business size, but proactive legal structuring – particularly around data controller and data processor relationships – is the most effective way to manage exposure.

This page explains the regulatory system, key compliance instruments, common pitfalls for international clients, cross-border considerations involving the EU and Brazil, and a self-assessment checklist to help businesses evaluate their current position.

The regulatory environment for data protection in the United States

Unlike the European Union's unified approach under the General Data Protection Regulation, the United States operates under a fragmented system. Federal law addresses specific sectors – financial services, healthcare, children's data, and telecommunications – while comprehensive consumer privacy rights have developed at the state level.

At the federal level, the most prominent regulator is the Federal Trade Commission, which enforces data protection obligations under its authority to prohibit unfair or deceptive practices. The Securities and Exchange Commission (SEC) has also entered this space, issuing rules requiring public companies to disclose material cybersecurity incidents and describe their risk management programmes. Sector-specific federal legislation covers health information, financial records, and the data of children under thirteen.

State-level legislation has moved far more quickly. California's framework, which includes a comprehensive consumer privacy statute and its subsequent amendments, grants consumers rights to access, delete, and opt out of the sale of their personal data. Virginia, Colorado, Connecticut, Texas, and a growing number of additional states have enacted broadly similar laws. Each imposes its own thresholds for applicability, definitions of sensitive data, and enforcement mechanisms. For an international business expanding into the US market, the cumulative compliance burden is significant.

Businesses structured as a Delaware LLC (Delaware limited liability company) or any US corporate entity collecting personal data should conduct a regulatory mapping exercise before beginning commercial operations. This means identifying which state laws apply, which federal sectoral rules are triggered, and what obligations arise from the role of the entity as a data controller or data processor in any given processing activity.

Under US data protection law, the distinction between a data controller – the entity that determines the purposes and means of processing – and a data processor – the entity that processes data on behalf of the controller – carries direct legal consequences. Processors typically must operate under a written contract with the controller. That contract must specify the scope, nature, purpose, and duration of processing. Many international businesses misclassify these relationships, exposing themselves to regulatory scrutiny.

Key compliance instruments and procedures

Effective data protection compliance in the United States relies on a combination of documented policies, contractual mechanisms, technical controls, and ongoing governance. Each element serves a distinct legal function.

Privacy notices and consent mechanisms are the first line of regulatory contact with consumers. California's framework requires a clear, accessible privacy notice that discloses the categories of personal data collected, the purposes of processing, and consumer rights. The notice must be updated whenever material changes occur. A consent mechanism is required for certain categories of sensitive data, including precise geolocation, racial or ethnic origin, health information, and biometric data. Businesses that rely on implicit or pre-ticked consent will not satisfy the requirement under state laws that mandate affirmative opt-in for sensitive categories.

In practice, many international businesses apply a GDPR compliance standard to their US operations as a baseline. This is a reasonable starting point, but it does not eliminate the need for US-specific legal review. The GDPR definition of consent – freely given, specific, informed, and unambiguous – is stricter in some respects than US requirements. In others, US law imposes obligations that have no GDPR equivalent, such as the right to opt out of the sale or sharing of personal data for cross-context behavioural advertising.

Data processing agreements between controllers and processors are mandatory under the California regime and are best practice under all other state frameworks. These agreements should address the processor's obligations, the controller's audit rights, requirements around sub-processors, data breach notification timelines, and data deletion or return upon termination. The US District Court system has seen a growing number of contractual disputes arising from inadequate processor agreements – particularly where breach notification timelines were not clearly defined.

Data transfer mechanisms occupy a distinct space in US compliance. When personal data flows from the European Union to the United States, the transfer must be justified under EU law. The EU-US Data Privacy Framework currently provides a certification mechanism for eligible US organisations. Businesses that process EU personal data and transfer it to the US without a valid transfer mechanism – such as standard contractual clauses or the Data Privacy Framework – face enforcement risk from European data protection authorities (DPAs), not from US regulators. However, US counsel should be involved in structuring these arrangements, particularly where the entity receiving EU data is a US subsidiary.

For an international business managing data transfers between the US and Brazil, the analysis shifts again. Brazil's comprehensive privacy legislation imposes its own transfer mechanism requirements, and Brazilian regulators have demonstrated increasing willingness to enforce. Our dedicated page on data protection services in Brazil sets out the applicable Brazilian regime and the specific transfer instruments available.

For businesses at the intersection of data protection and artificial intelligence, the regulatory picture is evolving rapidly. State-level AI transparency laws and automated decision-making provisions are now embedded in several privacy statutes. Our analysis of AI law in the United States addresses how these obligations interact with data protection requirements.

To receive an expert assessment of your data protection obligations in the United States, contact us at info@ferrazwhitmore.com.

Common pitfalls for international clients

International businesses entering the US market repeatedly encounter the same structural errors. Understanding these pitfalls before they materialise is materially less expensive than addressing them after regulatory scrutiny begins.

Misreading applicability thresholds. Each state privacy law applies based on a combination of annual revenue, volume of consumers whose data is processed, and percentage of revenue derived from selling data. Many international businesses assume they are below threshold because their US consumer base is small. In practice, the California framework applies to businesses meeting certain revenue thresholds globally – not just in California. A mid-sized European business with US operations may fall within scope without realising it.

Treating privacy notices as a one-time exercise. US regulators, particularly the Federal Trade Commission, have taken enforcement action against businesses whose privacy practices did not match their stated policies. The gap between the notice and the reality of data handling is a leading source of enforcement risk. Regular audits of data flows against the published notice are not optional for a business serious about compliance.

Overlooking vendor and sub-processor chains. A data controller is responsible for ensuring that its processors – and their sub-processors – comply with applicable obligations. International businesses frequently rely on cloud infrastructure, analytics platforms, and marketing tools without assessing whether those vendors' data practices are consistent with the controller's privacy commitments. The regulatory consequence falls on the controller, not the vendor.

Ignoring data breach notification timelines. Most US states impose breach notification obligations with timelines ranging from 30 to 72 hours under certain sector-specific rules, or between 30 and 90 days under state consumer notification statutes. Federal sector rules – particularly in healthcare and financial services – impose their own timelines. An international business that applies only its home-country timeline may miss US notification deadlines, triggering separate regulatory exposure.

Structuring dispute resolution without considering jurisdiction. Data protection disputes in the US can arise in the US District Court system, through state attorney general enforcement, or through private rights of action where state law permits. Some businesses rely on arbitration clauses – whether under JAMS or AAA arbitration rules – to manage litigation risk. The enforceability of such clauses in the data protection context has been contested in US courts, and the strategic choice between litigation and arbitration should be made with US counsel.

Cross-border strategy: EU, Brazil, and the US compliance triangle

For a business operating between the European Union, the United States, and Brazil, data protection is not three separate compliance exercises. It is a single integrated system that must be designed to function coherently across all three regimes.

The EU's approach to data protection – anchored in the principles of purpose limitation, data minimisation, and accountability – treats GDPR compliance as the global standard for any business touching EU data subjects, regardless of where the business is established. A US entity receiving EU personal data must satisfy EU transfer requirements. Failure to do so exposes the EU-side entity – typically the data controller – to enforcement by the relevant national DPA and, in serious cases, to fines calibrated as a percentage of global annual turnover.

The US, by contrast, does not operate a single comprehensive regime. It applies sectoral federal rules and state consumer rights frameworks. There is no single US regulator equivalent to the European Data Protection Board. This means that a business compliant with GDPR is not automatically compliant with US law – and vice versa. The gap requires careful mapping of obligations in each direction.

Brazil's privacy legislation was modelled closely on the GDPR but diverges in important respects, including its legal bases for processing and its transfer mechanism rules. A business handling Brazilian personal data and transferring it to the US must assess compliance with Brazilian rules independently, not by proxy through its EU compliance programme. The interaction between all three regimes is particularly relevant for technology businesses with a pan-Atlantic user base.

Strategically, the most effective approach for a cross-border business is to build its data governance system around the most stringent applicable standard – typically the GDPR – while layering in US-specific and Brazilian-specific obligations. This avoids the cost of maintaining parallel systems. It also creates a defensible compliance position if any single regulator initiates an inquiry.

For detailed guidance on company formation in the US and the corporate structuring decisions that interact with data protection obligations, see our guide to company formation in the United States.

For a tailored strategy on cross-border data protection compliance for your US operations, reach out to info@ferrazwhitmore.com.

Self-assessment checklist for US data protection compliance

This checklist is applicable to international businesses with US operations, US-facing digital products, or data flows involving US personal data. It is a preliminary diagnostic tool, not a substitute for legal advice tailored to your specific circumstances.

Applicability: confirm before proceeding

  • The business collects, processes, or stores personal data of US residents in any state
  • The business meets revenue, data volume, or data-selling thresholds under at least one state privacy law
  • The business operates in a sector subject to federal data protection legislation (health, finance, telecommunications, or children's services)
  • The business transfers personal data from the EU or Brazil to the US
  • The business uses third-party processors or vendors that access personal data of US residents

Before initiating a compliance programme, verify the following:

  • A data inventory or record of processing activities has been completed and maps all personal data by category, source, purpose, and recipient
  • Privacy notices are accurate, current, and accessible – and reflect actual data practices
  • Consent mechanisms for sensitive data categories are in place and auditable
  • Data processing agreements with all processors and material sub-processors are signed and up to date
  • A data breach response plan exists, with notification timelines mapped to each applicable jurisdiction
  • The business has assessed whether its dispute resolution clauses – including any JAMS or AAA arbitration provisions – are enforceable in the data protection context
  • EU-to-US data transfer mechanisms are in place and documented, whether through the Data Privacy Framework, standard contractual clauses, or another valid instrument

Decision path by business scenario:

If the business collects only employee data in the US and has no consumer-facing product, state consumer privacy statutes may not apply. Federal employment-related data rules and state biometric laws are still relevant. If the business operates a consumer-facing digital product, one or more state privacy laws will almost certainly apply. If the business transfers EU personal data to a US subsidiary, EU transfer requirements apply independently of US law. All three scenarios require separate legal analysis before the compliance programme is designed.

Frequently asked questions

How long does it take to achieve baseline data protection compliance for a new US operation?
A baseline compliance programme – covering privacy notices, data processing agreements, internal policies, and a data inventory – typically takes between six and twelve weeks to implement for a business with a defined and limited data processing scope. Businesses with complex vendor chains, sensitive data categories, or cross-border transfer obligations should allow additional time for full documentation and testing. The Federal Trade Commission expects compliance to be operational before commercial data collection begins, not as a post-launch remediation exercise.

Is GDPR compliance sufficient to satisfy US data protection requirements?
No. GDPR compliance establishes strong baseline practices, but it does not satisfy US-specific obligations. State privacy laws impose distinct rights – such as the right to opt out of the sale of personal data – that have no direct GDPR equivalent. Sector-specific federal rules, including those in healthcare and financial services, impose obligations not addressed by the GDPR. Engaging a lawyer in the United States with cross-border experience is the most reliable way to identify the gaps between your existing EU compliance programme and US requirements.

What happens if a business misses a state data breach notification deadline?
Missing a notification deadline can trigger enforcement action by the relevant state attorney general, civil penalties, and – in states with private rights of action – class litigation. The consequences compound when the same breach triggers notification obligations in multiple states with different timelines. The majority of enforcement actions in this area involve businesses that had a notification policy in place but failed to apply it correctly to a specific incident. Practitioners in the US consistently note that having a tested incident response plan – not just a written policy – is the critical differentiator in managing post-breach exposure.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international businesses, institutional investors, and in-house legal teams navigating the US regulatory system alongside EU and Brazilian compliance obligations. We combine Portuguese civil law expertise with English common law tradition to deliver integrated cross-border data protection strategies, covering data controller and data processor structuring, transfer mechanisms, regulatory investigations, and dispute resolution before US District Courts, through JAMS arbitration, or in proceedings before European and Brazilian data protection authorities. Our team has advised on data protection matters across both civil law and common law systems, and our Lisbon base provides direct access to EU regulatory frameworks while our common law expertise supports enforcement and arbitration strategies in US jurisdictions. As an international law firm advising clients on data protection in the United States and beyond, Ferraz & Whitmore covers 15 practice areas across the Americas, Europe, and the Asia-Pacific region. To discuss your data protection strategy in the United States, contact us at info@ferrazwhitmore.com.

James Kellner Legal Analyst, IP & AI Law

James Kellner leads our Anglo-Saxon and Asia-Pacific desks and our AI & Technology Law practice. He advises US, UK and Singaporean technology companies on the full IP and tech-regulatory stack — patent licensing, software contracts, GDPR, the EU AI Act, employment and immigration for tech talent. James qualified as a solicitor in England & Wales and as an attorney in California. He spent five years at a Silicon Valley boutique focusing on patent and AI policy before joining Ferraz & Whitmore.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.