[arjie]

Not everywhere. Significantly it's not legal to be moving EU Personal Data out of the EU. And these guys are going to get hit hard (including personal liability for their privacy officers). It would be responsible of OP to report it to them but theirs no real obligation for him to do so. It's on them to protect it.

[samat]

It might be legal, google for "us eu safe harbor privacy framework".

But you need a consent to collect that data in the first place.

[arjie]

You were certainly right (and still are, depending on how you read your comment). I'm not a lawyer, but I believe that Safe Harbor is no longer safe to rely on (since a 2015 ruling). There's Privacy Shield and the soon to come into force GDPR, though, which have restrictions like the one you mention.

[jacquesm]

> including personal liability for their privacy officers

Hah, there's one big assumption you are making there...