
Does GDPR Apply in the U.S.? What American Companies Need to Know

Read time: 7 mins
Published: Mar 12, 2026

If your company operates in the United States, you may wonder whether European privacy law affects your business. The General Data Protection Regulation (GDPR) can apply to U.S. companies that collect or process personal data from individuals located in the European Union (EU) or the European Economic Area (EEA), regardless of where the company itself is based.

This extraterritorial scope means that even if your organization has no physical presence in Europe, your website, app, or digital service may still fall under GDPR requirements.

The stakes can be significant. GDPR enforcement operates on a two-tier penalty structure. Less serious violations may result in fines of up to EUR 10 million or two percent of global annual revenue, whichever is higher. The most serious violations — such as unlawful processing or insufficient security measures — can result in fines of up to EUR 20 million or four percent of global gross annual revenue.

Understanding whether GDPR applies to your U.S. business is not only about avoiding penalties. It also affects how you design your website, deploy tracking technologies, structure marketing campaigns, and handle customer data.

This guide explains when GDPR applies to American companies, the obligations it creates, and how organizations can prepare for privacy compliance.

Key takeaways

  • GDPR can apply to U.S. companies even if they have no physical presence in Europe.
  • The regulation focuses on where individuals are located, not where the business operates.
  • U.S. businesses must follow GDPR when they offer goods or services to EU individuals or monitor their behavior.
  • Privacy compliance obligations include lawful processing, transparent privacy notices, consent management, and honoring data subject rights.
  • Non-compliance may lead to financial penalties, reputational damage, and operational restrictions.

When Does GDPR Apply to U.S. Companies?

GDPR may apply to U.S. companies when they either offer goods or services to individuals in the EU or monitor the behavior of EU data subjects.

Importantly, a physical office or legal entity in Europe is not required. The regulation focuses on where the data subjects are located rather than where the organization is headquartered.

Several situations can trigger GDPR applicability.

Offering goods or services to EU residents

The first trigger occurs when a business offers goods or services to individuals in the EU.

Indicators that a company is targeting EU customers may include:

  • accepting payment in euros
  • shipping products to EU Member States
  • offering localized EU language versions of a website
  • referencing EU customers in marketing materials
  • allowing EU account registration or subscriptions

Even free services — such as newsletter sign-ups, downloadable resources, or account creation — can fall under GDPR if they target EU individuals.

Monitoring the behavior of EU data subjects

The second trigger relates to tracking or monitoring the behavior of EU individuals.

This often occurs through digital tracking technologies, including:

  • website analytics tools
  • advertising pixels
  • retargeting technologies
  • user behavior profiling

For example, analytics platforms, advertising trackers, or cookie-based profiling systems may monitor the behavior of EU visitors.

When these tools collect personal data from EU users, GDPR obligations may apply.

Processing personal data from EU residents

The third factor involves processing personal data belonging to EU residents, even if that processing occurs entirely in the United States.

Under GDPR, personal data includes any information that can identify a person directly or indirectly, including:

  • names and email addresses
  • IP addresses
  • cookie identifiers
  • device fingerprints
  • location data
  • pseudonymous identifiers linked to individuals

If a U.S. organization stores or processes such data about EU individuals, it may fall within GDPR’s scope.

Which U.S. Businesses Are Subject to GDPR?

Many types of U.S. companies may fall under GDPR, often without realizing it initially. The regulation applies across industries whenever personal data from EU individuals is involved.

Several common business models frequently encounter GDPR obligations.

E-commerce companies

E-commerce businesses that sell products internationally often process EU personal data when they ship to EU addresses or accept EU customers.

Even if marketing efforts do not explicitly target Europe, offering shipping to EU countries or enabling EU payment methods may indicate that the company offers services to EU individuals.

SaaS and technology platforms

Software-as-a-Service (SaaS) companies frequently process EU personal data through customer accounts, analytics data, or user-generated content.

Examples include:

  • project management platforms
  • CRM systems
  • collaboration tools
  • email marketing software

When EU individuals or businesses use these services, the provider processes EU personal data under GDPR.

Digital publishers and content platforms

Websites with global audiences may collect personal data through analytics, advertising technologies, or newsletter registrations.

If EU visitors access a site and personal data is collected — especially through cookies — GDPR consent requirements may apply.

Marketing agencies and ad tech companies

Organizations that manage data-driven marketing campaigns often process personal data from multiple jurisdictions.

This can include:

  • lead generation platforms
  • analytics services
  • advertising platforms
  • customer segmentation tools

Depending on the processing activity, these companies may act as either data controllers or data processors under GDPR.

What Are the GDPR Requirements for U.S. Companies?

GDPR compliance begins with identifying a lawful basis for processing personal data. Organizations must determine the legal justification before collecting or processing data.

Common legal bases include:

  • consent
  • contractual necessity
  • legal obligations
  • legitimate interests

For many digital businesses, consent and legitimate interest are the most relevant bases.

Consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes, bundled consent requests, or implied consent typically do not meet GDPR standards.

If a website uses cookies or trackers beyond strictly necessary functionality, organizations must obtain consent before those technologies activate.

A compliant consent solution should:

  • Block non-essential cookies before consent
  • Provide clear explanations of cookie purposes
  • Allow granular consent choices
  • Enable easy withdrawal of consent

Data subject rights

GDPR grants individuals several rights regarding their personal data.

These rights include:

  • The right of access to personal data
  • The right to rectification of inaccurate data
  • The right to erasure (“right to be forgotten”)
  • The right to restrict processing
  • The right to data portability
  • The right to object to certain processing activities

Organizations must have procedures in place to verify requests and respond within 30 days.

Transparency and privacy notices

GDPR requires clear privacy notices explaining how personal data is processed.

A compliant privacy policy should describe:

  • What data is collected
  • Why it is collected
  • The legal basis for processing
  • Data retention periods
  • Third-party data sharing
  • Data subject rights

The language must be clear and accessible rather than overly technical or legalistic.

Data breach notification

GDPR requires organizations to notify the relevant supervisory authority within 72 hours after becoming aware of certain data breaches.

If a breach poses a high risk to individuals, affected individuals must also be notified without undue delay.

How Does GDPR Compare to U.S. Privacy Laws?

GDPR differs significantly from most U.S. privacy laws in structure and enforcement.

While U.S. privacy laws are often sector-specific or state-based, GDPR establishes a comprehensive framework for personal data protection.

GDPR vs. California privacy laws

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are the closest U.S. equivalents to GDPR. However, several key differences remain.

Category         | GDPR                                       | California privacy laws
Scope            | Applies based on location of data subjects | Applies based on business thresholds
Consent model    | Primarily opt-in                           | Primarily opt-out
Geographic reach | Extraterritorial                           | Primarily state-focused
Penalties        | Up to four percent of global revenue       | Lower statutory penalties

Data subject rights

GDPR provides broader rights than most U.S. frameworks.

In addition to access and deletion rights, GDPR also provides:

  • Data portability rights
  • Processing restriction rights
  • Objection rights for certain data uses

These expanded protections require organizations to maintain strong data governance practices.

What Happens If U.S. Companies Don’t Comply with GDPR?

European regulators have demonstrated a willingness to enforce GDPR against companies worldwide, including U.S. organizations.

Major technology companies have received significant penalties, highlighting the regulation’s enforcement reach.

Beyond fines, non-compliance may also result in:

  • Regulatory investigations
  • Orders to stop certain data processing activities
  • Suspension of data transfers
  • Reputational damage
  • Loss of business opportunities

Many European organizations now require vendors to demonstrate GDPR compliance before entering contracts. This makes privacy compliance not only a legal issue but also a commercial one.

How Can U.S. Companies Achieve GDPR Compliance?

Achieving GDPR compliance requires a structured approach to data governance and privacy management.

Organizations should begin by understanding their data flows and identifying where EU personal data enters their systems.

Several practical steps can support GDPR compliance.

Implement a consent management platform

A consent management platform (CMP) helps organizations manage cookie consent and user preferences.

These tools typically:

  • Scan websites for tracking technologies
  • Block non-essential cookies until consent is obtained
  • Generate compliant consent banners
  • Store records of consent
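The consent gating described above (block non-essential cookies before consent, granular choices, easy withdrawal, stored consent records), as an added illustrative example; this is not Cookiebot's product code nor code from the original post, and the category and tracker names are assumptions:

```javascript
// Added example, not code from the original post or from Cookiebot: a minimal
// consent gate that keeps non-essential trackers inert until the visitor opts in,
// supports per-category choices, records each decision, and allows withdrawal.
const CATEGORIES = ["necessary", "statistics", "marketing"]; // constructed names

class ConsentGate {
  constructor() {
    // Strictly necessary cookies need no consent; optional categories start
    // denied (no pre-checked boxes, no implied consent).
    this.consent = { necessary: true, statistics: false, marketing: false };
    this.trackers = []; // { name, category, load, unload, loaded }
    this.records = [];  // consent decisions kept as audit evidence
  }

  // load() activates the tracker (e.g. injects the vendor script tag);
  // unload() removes it and clears its cookies when consent is withdrawn.
  register(name, category, load, unload) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    this.trackers.push({ name, category, load, unload, loaded: false });
    this.apply();
  }

  // Granular opt-in: only categories explicitly set to true are allowed;
  // categories omitted from the choice keep their current state.
  update(choices) {
    for (const c of CATEGORIES) {
      if (c !== "necessary" && c in choices) this.consent[c] = choices[c] === true;
    }
    this.records.push({ at: new Date().toISOString(), consent: { ...this.consent } });
    this.apply();
    return { ...this.consent };
  }

  // Withdrawal is as easy as granting: one call denies every optional category.
  withdrawAll() {
    return this.update({ statistics: false, marketing: false });
  }

  // Activate trackers whose category is allowed; deactivate those no longer allowed.
  apply() {
    for (const t of this.trackers) {
      const allowed = this.consent[t.category] === true;
      if (allowed && !t.loaded) { t.load(); t.loaded = true; }
      else if (!allowed && t.loaded) { t.unload(); t.loaded = false; }
    }
  }

  activeTrackers() {
    return this.trackers.filter((t) => t.loaded).map((t) => t.name);
  }
}
```

In a real deployment the load/unload callbacks would insert or remove the vendor script tags and delete their cookies; here they are plain callbacks so the gating logic can be exercised on its own.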

Update privacy policies

Privacy policies should explain processing activities clearly and transparently.

This includes describing legal bases for processing, retention periods, and procedures for exercising data subject rights.

Establish data handling procedures

Organizations should develop documented procedures for managing personal data throughout its lifecycle.

This includes processes for:

  • Locating personal data across systems
  • Responding to access requests
  • Deleting or anonymizing data
  • Documenting privacy compliance actions

Review vendor relationships

If third-party vendors process personal data, organizations must implement Data Processing Agreements (DPAs).

These agreements outline responsibilities regarding security, processing scope, and breach notification.

Strengthen data security

Appropriate security measures help protect personal data and reduce breach risks.

Examples include:

  • encryption
  • access controls
  • vulnerability assessments
  • employee privacy training
  • incident response planning

Appoint an EU representative

Many non-EU organizations subject to GDPR must appoint a representative within the EU.

The representative acts as a contact point for supervisory authorities and data subjects regarding GDPR matters.

Checklist for U.S. Companies Subject to GDPR

Organizations subject to GDPR should take several foundational steps to support privacy compliance:

  • Conduct a data inventory identifying EU personal data processing
  • Document legal bases for processing activities
  • Implement a consent management platform
  • Update privacy notices with GDPR-required information
  • Establish procedures for data subject requests
  • Execute Data Processing Agreements with vendors
  • Implement appropriate security safeguards
  • Create a breach notification process
  • Appoint an EU representative if required
  • Train employees on data protection practices
  • Conduct Data Protection Impact Assessments when necessary
  • Maintain records of processing activities
  • Track consent records for audit purposes
  • Review international data transfer mechanisms


Frequently Asked Questions About GDPR and U.S. Companies

Does GDPR apply to companies in the United States?

Yes. GDPR can apply to U.S. companies if they offer goods or services to individuals in the EU or monitor their behavior online. The regulation focuses on where the individuals are located rather than the company’s physical location.

What are the penalties for GDPR violations?

GDPR violations can result in fines up to EUR 10 million or two percent of global annual revenue for less severe violations. The most serious violations may lead to fines up to EUR 20 million or four percent of global annual revenue.

Do small businesses need to comply with GDPR?

Yes. GDPR does not include a minimum threshold for the number of EU individuals whose data is processed. Even businesses with a small number of EU customers may need to comply if they collect or process EU personal data.

How does GDPR differ from California privacy laws?

GDPR primarily uses an opt-in consent model and applies based on where individuals are located. California laws generally follow an opt-out model and apply based on business size and data processing thresholds.

Can EU regulators enforce GDPR against U.S. companies?

Yes. Enforcement may occur through cooperation with international authorities, restrictions on data transfers, or actions against organizations that operate or generate revenue in the EU.