Abstract
In May of 2018, the General Data Protection Regulation (GDPR) will take effect in the EU. The GDPR has extraterritorial applicability and will change the personal data breach notification requirements for companies doing business in the EU regardless of where the companies themselves are located. Consequently, US companies, including many technology companies located in Silicon Valley, will have to abide by these new laws. This paper addresses the similarities and differences between the personal data breach notification laws in the EU and California, as well as how any conflicts might be handled by the EU, in order to facilitate US companies’ understanding of what the new EU laws will require.