{"id":20503,"date":"2026-03-12T12:04:34","date_gmt":"2026-03-12T11:04:34","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=20503"},"modified":"2026-04-08T12:53:43","modified_gmt":"2026-04-08T10:53:43","slug":"does-gdpr-apply-in-the-us","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/en\/does-gdpr-apply-in-the-us\/","title":{"rendered":"Does GDPR Apply in the U.S.? What American Companies Need to Know"},"content":{"rendered":"\n<p>If your company operates in the United States, you may wonder whether European privacy law affects your business. The <a href=\"https:\/\/www.cookiebot.com\/en\/gdpr\/\">General Data Protection Regulation (GDPR)<\/a> can apply to U.S. companies that collect or process personal data from individuals located in the European Union (EU) or the European Economic Area (EEA), regardless of where the company itself is based.<\/p>\n\n\n\n<p>This extraterritorial scope means that even if your organization has no physical presence in Europe, your website, app, or digital service may still fall under GDPR requirements.<\/p>\n\n\n\n<p>The stakes can be significant. GDPR enforcement operates on a two-tier penalty structure. Less serious violations may result in fines of up to EUR 10 million or two percent of global annual revenue, whichever is higher. The most serious violations \u2014 such as unlawful processing or insufficient security measures \u2014 can result in fines of up to EUR 20 million or four percent of global gross annual revenue.<\/p>\n\n\n\n<p>Understanding whether GDPR applies to your U.S. business is not only about avoiding penalties. 
It also affects how you design your website, deploy tracking technologies, structure marketing campaigns, and handle customer data.<\/p>\n\n\n\n<p>This guide explains when GDPR applies to American companies, the obligations it creates, and how organizations can prepare for privacy compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Key takeaways<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GDPR can apply to U.S. companies even if they have no physical presence in Europe.<\/li>\n\n\n\n<li>The regulation focuses on where individuals are located, not where the business operates.<\/li>\n\n\n\n<li>U.S. businesses must follow GDPR when they offer goods or services to EU individuals or monitor their behavior.<\/li>\n\n\n\n<li>Privacy compliance obligations include lawful processing, transparent privacy notices, consent management, and honoring data subject rights.<\/li>\n\n\n\n<li>Non-compliance may lead to financial penalties, reputational damage, and operational restrictions.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-when-does-gdpr-apply-to-u-s-companies\">When does GDPR apply to U.S. companies?<\/h2>\n\n\n\n<p>GDPR may apply to U.S. companies when they either offer goods or services to individuals in the EU or monitor the behavior of EU data subjects.<\/p>\n\n\n\n<p>Importantly, a physical office or legal entity in Europe is not required. 
The regulation focuses on where the data subjects are located rather than where the organization is headquartered.<\/p>\n\n\n\n<p>Several situations can trigger GDPR applicability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-offering-goods-or-services-to-eu-residents\">Offering goods or services to EU residents<\/h3>\n\n\n\n<p>The first trigger occurs when a business offers goods or services to individuals in the EU.<\/p>\n\n\n\n<p>Indicators that a company is targeting EU customers may include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>accepting payment in euros<\/li>\n\n\n\n<li>shipping products to EU Member States<\/li>\n\n\n\n<li>offering localized EU language versions of a website<\/li>\n\n\n\n<li>referencing EU customers in marketing materials<\/li>\n\n\n\n<li>allowing EU account registration or subscriptions<\/li>\n<\/ul>\n\n\n\n<p>Even free services \u2014 such as newsletter sign-ups, downloadable resources, or account creation \u2014 can fall under GDPR if they target EU individuals.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-monitoring-the-behavior-of-eu-data-subjects\">Monitoring the behavior of EU data subjects<\/h3>\n\n\n\n<p>The second trigger relates to tracking or monitoring the behavior of EU individuals.<\/p>\n\n\n\n<p>This often occurs through digital tracking technologies, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>website analytics tools<\/li>\n\n\n\n<li>advertising pixels<\/li>\n\n\n\n<li>retargeting technologies<\/li>\n\n\n\n<li>user behavior profiling<\/li>\n<\/ul>\n\n\n\n<p>For example, analytics platforms, advertising trackers, or cookie-based profiling systems may monitor the behavior of EU visitors.<\/p>\n\n\n\n<p>When these tools collect personal data from EU users, GDPR obligations may apply.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-processing-personal-data-from-eu-residents\">Processing personal data from EU residents<\/h3>\n\n\n\n<p>The third factor involves processing <a 
href=\"https:\/\/www.cookiebot.com\/en\/common-pii-questions-faq-cookiebot\/\">personal data<\/a> belonging to EU residents, even if that processing occurs entirely in the United States.<\/p>\n\n\n\n<p>Under GDPR, personal data includes any information that can identify a person directly or indirectly, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>names and email addresses<\/li>\n\n\n\n<li>IP addresses<\/li>\n\n\n\n<li>cookie identifiers<\/li>\n\n\n\n<li>device fingerprints<\/li>\n\n\n\n<li>location data<\/li>\n\n\n\n<li>pseudonymous identifiers linked to individuals<\/li>\n<\/ul>\n\n\n\n<p>If a U.S. organization stores or processes such data about EU individuals, it may fall within GDPR\u2019s scope.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-which-u-s-businesses-are-subject-to-gdpr\">Which U.S. businesses are subject to GDPR?<\/h2>\n\n\n\n<p>Many types of U.S. companies may fall under GDPR, often without realizing it initially. The regulation applies across industries whenever personal data from EU individuals is involved.<\/p>\n\n\n\n<p>Several common business models frequently encounter GDPR obligations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-e-commerce-companies\">E-commerce companies<\/h3>\n\n\n\n<p>E-commerce businesses that sell products internationally often process EU personal data when they ship to EU addresses or accept EU customers.<\/p>\n\n\n\n<p>Even if marketing efforts do not explicitly target Europe, offering shipping to EU countries or enabling EU payment methods may indicate that the company offers services to EU individuals.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-saas-and-technology-platforms\">SaaS and technology platforms<\/h3>\n\n\n\n<p>Software-as-a-Service (SaaS) companies frequently process EU personal data through customer accounts, analytics data, or user-generated content.<\/p>\n\n\n\n<p>Examples include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>project management 
platforms<\/li>\n\n\n\n<li>CRM systems<\/li>\n\n\n\n<li>collaboration tools<\/li>\n\n\n\n<li>email marketing software<\/li>\n<\/ul>\n\n\n\n<p>When EU individuals or businesses use these services, the provider processes EU personal data under GDPR.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-digital-publishers-and-content-platforms\">Digital publishers and content platforms<\/h3>\n\n\n\n<p>Websites with global audiences may collect personal data through analytics, advertising technologies, or newsletter registrations.<\/p>\n\n\n\n<p>If EU visitors access a site and personal data is collected \u2014 especially through cookies \u2014 GDPR <a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent\/\">consent requirements<\/a> may apply.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-marketing-agencies-and-ad-tech-companies\">Marketing agencies and ad tech companies<\/h3>\n\n\n\n<p>Organizations that manage data-driven marketing campaigns often process personal data from multiple jurisdictions.<\/p>\n\n\n\n<p>This can include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>lead generation platforms<\/li>\n\n\n\n<li>analytics services<\/li>\n\n\n\n<li>advertising platforms<\/li>\n\n\n\n<li>customer segmentation tools<\/li>\n<\/ul>\n\n\n\n<p>Depending on the processing activity, these companies may act as either data controllers or data processors under GDPR.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-the-gdpr-requirements-for-u-s-companies\">What are the GDPR requirements for U.S. companies?<\/h2>\n\n\n\n<p>GDPR compliance begins with identifying a lawful basis for processing personal data. 
Organizations must determine the legal justification before collecting or processing data.<\/p>\n\n\n\n<p>Common legal bases include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>consent<\/li>\n\n\n\n<li>contractual necessity<\/li>\n\n\n\n<li>legal obligations<\/li>\n\n\n\n<li>legitimate interests<\/li>\n<\/ul>\n\n\n\n<p>For many digital businesses, consent and legitimate interest are the most relevant bases.<\/p>\n\n\n\n<p>Consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes, bundled consent requests, or implied consent typically do not meet GDPR standards.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-consent-management-and-cookies\">Consent management and cookies<\/h3>\n\n\n\n<p>If a website uses cookies or trackers beyond strictly necessary functionality, organizations must obtain consent before those technologies activate.<\/p>\n\n\n\n<p>A compliant consent solution should:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block non-essential cookies before consent<\/li>\n\n\n\n<li>Provide clear explanations of cookie purposes<\/li>\n\n\n\n<li>Allow granular consent choices<\/li>\n\n\n\n<li>Enable easy withdrawal of consent<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-subject-rights\">Data subject rights<\/h3>\n\n\n\n<p>GDPR grants individuals several rights regarding their personal data.<\/p>\n\n\n\n<p>These rights include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The right of access to personal data<\/li>\n\n\n\n<li>The right to rectification of inaccurate data<\/li>\n\n\n\n<li>The right to erasure (\u201cright to be forgotten\u201d)<\/li>\n\n\n\n<li>The right to restrict processing<\/li>\n\n\n\n<li>The right to data portability<\/li>\n\n\n\n<li>The right to object to certain processing activities<\/li>\n<\/ul>\n\n\n\n<p>Organizations must have procedures in place to verify requests and respond within 30 days.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"h-transparency-and-privacy-notices\">Transparency and privacy notices<\/h3>\n\n\n\n<p>GDPR requires clear privacy notices explaining how personal data is processed.<\/p>\n\n\n\n<p>A compliant privacy policy should describe:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What data is collected<\/li>\n\n\n\n<li>Why it is collected<\/li>\n\n\n\n<li>The legal basis for processing<\/li>\n\n\n\n<li>Data retention periods<\/li>\n\n\n\n<li>Third-party data sharing<\/li>\n\n\n\n<li>Data subject rights<\/li>\n<\/ul>\n\n\n\n<p>The language must be clear and accessible rather than overly technical or legalistic.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-breach-notification\">Data breach notification<\/h3>\n\n\n\n<p>GDPR requires organizations to notify the relevant supervisory authority within 72 hours after becoming aware of certain data breaches.<\/p>\n\n\n\n<p>If a breach poses a high risk to individuals, affected individuals must also be notified without undue delay.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-does-gdpr-compare-to-u-s-privacy-laws\">How does GDPR compare to U.S. privacy laws?<\/h2>\n\n\n\n<p>GDPR differs significantly from most U.S. privacy laws in structure and enforcement.<\/p>\n\n\n\n<p>While U.S. privacy laws are often sector-specific or state-based, GDPR establishes a comprehensive framework for personal data protection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-gdpr-vs-california-privacy-laws\">GDPR vs. California privacy laws<\/h3>\n\n\n\n<p>The <a href=\"https:\/\/www.cookiebot.com\/en\/what-is-ccpa\/\">California Consumer Privacy Act (CCPA)<\/a> and <a href=\"https:\/\/www.cookiebot.com\/en\/ccpa-vs-cpra-differences-guide\/\">California Privacy Rights Act (CPRA)<\/a> are the closest U.S. equivalents to GDPR. 
However, several key differences remain.<\/p>\n\n\n\n<figure class=\"wp-block-table enabled-responsive\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Category<\/strong><\/td><td><strong>GDPR<\/strong><\/td><td><strong>California privacy laws<\/strong><\/td><\/tr><tr><td>Scope<\/td><td>Applies based on location of data subjects<\/td><td>Applies based on business thresholds<\/td><\/tr><tr><td>Consent model<\/td><td>Primarily opt-in<\/td><td>Primarily opt-out<\/td><\/tr><tr><td>Geographic reach<\/td><td>Extraterritorial<\/td><td>Primarily state-focused<\/td><\/tr><tr><td>Penalties<\/td><td>Up to four percent of global revenue<\/td><td>Lower statutory penalties<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-data-subject-rights-0\">Data subject rights<\/h3>\n\n\n\n<p>GDPR provides broader rights than most U.S. frameworks.<\/p>\n\n\n\n<p>In addition to access and deletion rights, GDPR also provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data portability rights<\/li>\n\n\n\n<li>Processing restriction rights<\/li>\n\n\n\n<li>Objection rights for certain data uses<\/li>\n<\/ul>\n\n\n\n<p>These expanded protections require organizations to maintain strong data governance practices.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-happens-if-u-s-companies-don-t-comply-with-gdpr\">What happens if U.S. companies don\u2019t comply with GDPR?<\/h2>\n\n\n\n<p>European regulators have demonstrated a willingness to enforce GDPR against companies worldwide, including U.S. 
organizations.<\/p>\n\n\n\n<p>Major technology companies have received significant penalties, highlighting the regulation\u2019s enforcement reach.<\/p>\n\n\n\n<p>Beyond fines, non-compliance may also result in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Regulatory investigations<\/li>\n\n\n\n<li>Orders to stop certain data processing activities<\/li>\n\n\n\n<li>Suspension of data transfers<\/li>\n\n\n\n<li>reputational damage<\/li>\n\n\n\n<li>loss of business opportunities<\/li>\n<\/ul>\n\n\n\n<p>Many European organizations now require vendors to demonstrate GDPR compliance before entering contracts. This makes privacy compliance not only a legal issue but also a commercial one.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-can-u-s-companies-achieve-gdpr-compliance\">How can U.S. 
companies achieve GDPR compliance?<\/h2>\n\n\n\n<p>Achieving GDPR compliance requires a structured approach to data governance and privacy management.<\/p>\n\n\n\n<p>Organizations should begin by understanding their data flows and identifying where EU personal data enters their systems.<\/p>\n\n\n\n<p>Several practical steps can support GDPR compliance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-implement-a-compliant-consent-solution\">Implement a compliant consent solution<\/h3>\n\n\n\n<p>A <a href=\"https:\/\/www.cookiebot.com\/en\/cookie-consent-solution\/\">consent management platform (CMP)<\/a> helps organizations manage cookie consent and user preferences.<\/p>\n\n\n\n<p>These tools typically:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scan websites for tracking technologies<\/li>\n\n\n\n<li>Block non-essential cookies until consent is obtained<\/li>\n\n\n\n<li>Generate compliant consent banners<\/li>\n\n\n\n<li>Store records of consent<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-update-privacy-policies\">Update privacy policies<\/h3>\n\n\n\n<p>Privacy policies should explain processing activities clearly and transparently.<\/p>\n\n\n\n<p>This includes describing legal bases for processing, retention periods, and procedures for exercising data subject rights.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-establish-data-handling-procedures\">Establish data handling procedures<\/h3>\n\n\n\n<p>Organizations should develop documented procedures for managing personal data throughout its lifecycle.<\/p>\n\n\n\n<p>This includes processes for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Locating personal data across systems<\/li>\n\n\n\n<li>Responding to access requests<\/li>\n\n\n\n<li>Deleting or anonymizing data<\/li>\n\n\n\n<li>Documenting privacy compliance actions<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-review-vendor-relationships\">Review vendor relationships<\/h3>\n\n\n\n<p>If third-party vendors process 
personal data, organizations must implement Data Processing Agreements (DPAs).<\/p>\n\n\n\n<p>These agreements outline responsibilities regarding security, processing scope, and breach notification.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-strengthen-data-security\">Strengthen data security<\/h3>\n\n\n\n<p>Appropriate security measures help protect personal data and reduce breach risks.<\/p>\n\n\n\n<p>Examples include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>encryption<\/li>\n\n\n\n<li>access controls<\/li>\n\n\n\n<li>vulnerability assessments<\/li>\n\n\n\n<li>employee privacy training<\/li>\n\n\n\n<li>incident response planning<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-appoint-an-eu-representative\">Appoint an EU representative<\/h3>\n\n\n\n<p>Many non-EU organizations subject to GDPR must appoint a representative within the EU.<\/p>\n\n\n\n<p>The representative acts as a contact point for supervisory authorities and data subjects regarding GDPR matters.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-checklist-for-u-s-companies-subject-to-gdpr\">Checklist for U.S. 
companies subject to GDPR<\/h2>\n\n\n\n<p>Organizations subject to GDPR should take several foundational steps to support privacy compliance:<\/p>\n\n\n\n<div class=\"cb-article-list-timeline cb-article-list-timeline--empty-header cb-article-list-timeline--no-image cb-ctx--base\" style=\"\" data-manual-enabling=\"false\" style=\"--items-count: 14\">\n        <div class=\"cb-article-list-timeline__list\">\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Conduct a data inventory identifying EU personal data processing                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 
7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Document legal bases for processing activities                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Implement a consent management platform                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Update privacy notices with GDPR-required information                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Establish procedures for data subject requests                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div 
class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Execute Data Processing Agreements with vendors                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Implement appropriate security safeguards                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div 
class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Create a breach notification process                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Appoint an EU representative if required                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n    
                                        <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Train employees on data protection practices                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Conduct Data Protection Impact Assessments 
when necessary                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Maintain records of processing activities                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                    
                        <h3 class=\"cb-article-list-timeline__item-title\">                        Track consent records for audit purposes                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <div class=\"cb-article-list-timeline__item cb-article-list-timeline__item--last\" >\n                <div class=\"cb-article-list-timeline__item-graphics \">\n                    <div class=\"cb-article-list-timeline__item-bullet cb-article-list-timeline__item-bullet--icon\">\n                        <svg width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n<path d=\"M9.63335 17.838L3.93335 12.138L5.35835 10.713L9.63335 14.988L18.8084 5.81299L20.2334 7.23799L9.63335 17.838Z\" fill=\"black\"\/>\n<\/svg>\n                    <\/div>\n                <\/div>\n\n                <div class=\"cb-article-list-timeline__item-content\">\n                                            <h3 class=\"cb-article-list-timeline__item-title\">                        Review international data transfer mechanisms                        <\/h3>                                        <div class=\"cb-article-list-timeline__item-description\">\n                                            <\/div>\n                <\/div>\n            <\/div>\n                    <\/div>\n<\/div>\n\n\n<div class=\"cta-block cta-block--size-s cta-block--only-buttons cb-ctx--blue\">\n        <div class=\"cta-block__glass\">\n        <div class=\"cta-block__inner\">\n            <div class=\"cta-block__left-column\">\n                                                    <h2 class=\"cta-block__title no-default-margin like-h4\">\n                        Scan Your Website For Cookies                    <\/h2>\n                                                    <div 
class=\"cta-block__description like-text-md\">\n                        <p>Identify cookies and trackers on your website and understand where user consent may be required.<\/p>\n                    <\/div>\n                                                                                                                                                        <\/div>\n                            <div class=\"cta-block__right-column\">\n                                                                <div class=\"cta-block__buttons\">\n                                                    <div class=\"cta-block__buttons__button-wp\">\n                                <a id=\"763cbec4-2cac-4a9d-859f-457d8d5d43c7\" class=\"cb-button cb-button-size-l cb-button-contained  no-default-link-decoration cb-button-icon-right cta-block__buttons__button\" href=\"\/en\/compliance-test\/\" target=\"_blank\">\n<span>SCAN YOUR WEBSITE FREE<\/span><\/a>\n                                                            <\/div>\n                                                                        <\/div>\n                                                        <\/div>\n                    <\/div>\n    <\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>If your company operates in the United States, you may wonder whether European privacy law affects your business. The General Data Protection Regulation (GDPR) can apply to U.S. 
companies that collect or process personal data from individuals located in the European Union (EU) or the European Economic Area (EEA), regardless of where the company itself [&hellip;]<\/p>\n","protected":false},"author":35,"featured_media":20504,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-20503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2026\/03\/Does-GDPR-Apply-in-the-U.S.-What-American-Companies-Need-to-Know-_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/20503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=20503"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/20503\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media\/20504"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=20503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/categories?post=20503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=20503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}