In a nutshell “the GDPR is designed to protect EU citizens’ personal data from misuse.” Wikipedia asserts that “According to the European Commission personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Why would a U.S. company need to obey the GDPR?
The Internet is worldwide, and citizens of the EU may visit your website. If data is collected, your company is required to follow the rules of the GDPR.
Similarly, California has passed its own privacy law, the California Consumer Privacy Act (CCPA). The CCPA went into effect January 1, 2020. The law allows consumers to opt out of the sale of their personal data. By opting out, they may sue any company that has failed to implement “reasonable” security practices, allowing consumer personal information to be sold or pirated.
There is a plethora of information on the Internet on both of these laws. You can find checklists, sample privacy statements, and detailed information on both. You would be well advised to either get help from your attorney or run a draft by them before posting it on your site.
More states have implemented their own privacy laws, so be vigilant.