Does GDPR Apply to US Companies? When American Businesses Must Comply

Does GDPR apply to US companies? Yes, if you target or track EU visitors. See the Article 3 triggers, EU rep rules, and real fine amounts.


by Riad Us Salehin • 4 July 2026


Yes, GDPR can apply to a US company even with no EU office, because it follows the data, not the company's location. It applies when a US business offers goods or services to, or monitors the behavior of, people in the EU or EEA.

Does GDPR Apply to US Companies? (The Short Answer)

GDPR protects "data subjects," people located in the EU or EEA, regardless of nationality. A US citizen visiting Berlin is covered. A German citizen visiting New York is not, because the law tracks physical location at the time of processing, not passport. If you need the basics first, start with what GDPR is and what it covers.

This is also why "we only sell to Americans" is not a safe assumption. A US SaaS founder asked this exact question on r/SaaS. His seven-person team was entirely US-based until a lead from London asked whether they were GDPR compliant. The trigger is not your customer base today. It is whether EU visitors reach your site and whether you process their personal data at all, including through cookies and analytics.

How GDPR Reaches US Businesses: Extraterritorial Scope (Article 3)

GDPR has extraterritorial scope under Article 3, meaning it follows the data rather than the company's location. EU lawmakers built the rule this way so that a person's data protection travels with them, no matter which country processes it.

Article 3(2) binds a controller or processor "not established in the Union" when it offers goods or services to people in the EU. The same rule applies when it monitors their behavior. Neither trigger requires a European office. Neither requires a European bank account or a single EU employee.

This is a deliberate design choice, not a loophole. Article 3(2) exists precisely to stop companies from escaping EU privacy law by incorporating outside Europe while still selling to or tracking EU residents. A Delaware LLC with a founder in Ohio and zero EU staff can be a GDPR-covered controller the moment it meets either trigger below.

What Triggers GDPR for a US Company?

A US company falls under GDPR if any one of these three conditions is true.

  • Offering goods or services to people in the EU, even for free
  • Monitoring the behavior of people in the EU, such as through cookies or analytics
  • Having an EU establishment, such as an office, subsidiary, or staff physically working in an EU country

The third trigger is straightforward: if you have EU-based employees or a registered EU entity, GDPR applies regardless of anything else. The first two triggers are where most US website owners actually get caught, and they deserve a closer look.

Offering Goods or Services to People in the EU

This trigger fires when you direct your offering at people in the EU, even with no payment involved and no EU office. Regulators look for signals that a company intentionally targeted EU customers rather than merely being reachable from Europe.

Under Recital 23 of the regulation, mere accessibility is not enough. A US site is not automatically in scope just because someone in France can technically load the page. What matters is targeting. Recital 23 names the signals directly. Two examples it gives are "the use of a language or a currency generally used" in a Member State. Another is "the mentioning of customers or users who are in the Union."

A concrete example makes the line clear. A US store that prices in euros, ships to Germany, and advertises to French shoppers is targeting the EU under Article 3(2)(a). A California bakery that sells cookies only to US addresses is not, even if a tourist from Rome browses the site. It takes no active step to reach EU customers.

Monitoring the Behavior of People in the EU

This trigger fires when you track or profile the online behavior of people in the EU, for example through cookies, analytics, or behavioral advertising. It does not require a sale.

The website-owner translation is direct. Run Google Analytics, ad pixels, or other trackers on EU visitors, and you are "monitoring" their behavior under GDPR. This holds whether or not you ever ship them a product. It is the trigger that catches purely US-facing businesses that never intended to serve EU customers but still run standard analytics and marketing scripts. Meeting this trigger creates a specific obligation: what the GDPR requires for cookies governs exactly what your banner must do before those trackers can fire.

When GDPR Does NOT Apply to a US Company

GDPR does not automatically apply to every US business just because it has a website. Three genuine boundaries limit its reach.

Three genuine boundaries keep a US business outside GDPR's reach:

  • No targeting and no monitoring. A purely US-facing company that does not target EU residents and does not track EU visitors generally sits outside scope. That holds even if a few Europeans occasionally stumble onto the site.
  • Purely personal or household activity. GDPR only covers "professional or commercial activity." A hobby blog collecting friends' email addresses for a side project is not commercial processing under the law.
  • The under-250-employee relief. Smaller organizations get a partial break, but only on record-keeping. They are not exempt from the core rules, only from some of the paperwork that documents processing activities.

This resolves the most common US-founder question directly. The r/SaaS thread cited above captures it exactly. A company with an all-US customer base worried after one London-based lead asked about compliance. The test is not who your customers are today. It is whether EU visitors actually reach your site and whether you target or track them once they do. A practitioner on a related r/gdpr thread put the filter well. Targeting the EU tends to look like euro pricing, EU-directed ads, or translated content. Absent those signals, he concluded, a US site should generally be fine.

What US Companies Must Do to Comply with GDPR

If GDPR applies to you, these are the core obligations:

  • Establish a lawful basis for every processing activity under Article 6
  • Get valid opt-in consent, including prior consent before non-essential cookies load
  • Publish a transparent privacy policy explaining what data you collect and why
  • Honor data subject rights, including access, correction, and deletion requests within 30 days
  • Secure the data you collect against unauthorized access or loss
  • Keep records of processing activities (unless the under-250-employee relief applies)
  • Report qualifying breaches to the relevant supervisory authority within 72 hours
  • Appoint an EU representative if you have no EU establishment and the exemption does not apply
  • Use Standard Contractual Clauses or the Data Privacy Framework for EU-to-US data transfers

Each of these is a real, auditable requirement, not a checkbox exercise. For the step-by-step version of this list, with implementation detail for each item, see how to become GDPR compliant. The consent and cookie-blocking obligation specifically gets its own full breakdown earlier in this guide.

Do US Companies Need an EU Representative? (Article 27)

Many US companies in scope of GDPR must appoint an EU representative under Article 27. This is a contact based in an EU member state who acts as the point of contact for regulators and individuals on the company's behalf.

The requirement applies to a non-EU controller or processor that is in scope of GDPR and has no establishment in the EU. Article 27 carries one narrow exemption. Processing must be occasional, and it must not involve large-scale special-category data or criminal-conviction data. Most commercial websites running ongoing analytics or marketing do not qualify for this exemption.

An EU representative is separate from a Data Protection Officer (DPO). The representative is a required point of contact in the EU. A DPO is an internal or contracted role that oversees the company's data protection compliance. A company can need one, both, or neither, depending on its processing activities and scale.

Transferring EU Data to the US: the EU-US Data Privacy Framework

When a US company moves EU personal data to the US, GDPR restricts the transfer. The company must rely on a valid transfer mechanism for hosting, processing, or support use cases.

Two main routes exist. A US organization can self-certify under the EU-US Data Privacy Framework (DPF), a program administered by the US Department of Commerce's International Trade Administration. Joining is voluntary, but once a company commits publicly to the DPF Principles, compliance becomes enforceable under US law. The alternative route is Standard Contractual Clauses (SCCs), a contractual mechanism agreed directly with the EU-based data exporter that does not require government certification.

Both routes achieve the same legal outcome: data protection consistent with EU law follows the data across the Atlantic. Most SaaS companies choose whichever mechanism their EU customers or vendors already require in contract negotiations. For the mechanics of each route, see the guide to EU-US data transfers.

What Are the Penalties for a US Company That Ignores GDPR?

GDPR fines run up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious violations. A lower tier caps at €10 million or 2% of global annual turnover for less severe breaches. These figures come straight from Article 83 of the regulation.

Fine tierMaximum amountApplies to
Lower tier€10 million or 2% of global annual turnover, whichever is higherBreaches of controller/processor obligations, certification body rules, monitoring body rules
Upper tier€20 million or 4% of global annual turnover, whichever is higherBreaches of core processing principles, consent conditions, data subject rights, international transfer rules, non-compliance with a supervisory authority order

The realistic enforcement picture for a US firm runs deeper than the headline number. For a fuller breakdown of the tiers and the biggest penalties to date, see the guide to GDPR fines. Direct cross-border enforcement against a company with zero EU presence is genuinely hard for a European regulator to execute. Exposure instead tends to run through EU-market access and partner or customer due diligence. It also runs through liability attached to any EU representative or EU-based processor in the company's stack. One r/gdpr practitioner described the mechanism directly. Regulators, he noted, "usually" go "after EU-based processors in your stack" rather than the pure-US entity. Keeping documentation such as consent logs in order is what lets a company demonstrate compliance.

How Is GDPR Different from US Privacy Laws Like the CCPA?

GDPR is an EU regulation requiring opt-in consent before processing and applying wherever the data subject is located. The US has no single federal equivalent. Instead, it relies on a state-by-state patchwork like California's CCPA, which is largely opt-out and applies only above specific revenue and data-volume thresholds.

AttributeGDPRCCPA
JurisdictionApplies wherever the data subject is located, regardless of company locationApplies to California residents; covers for-profit businesses meeting revenue or data-volume thresholds
Consent modelOpt-in: affirmative consent required before processingOpt-out: data collected by default, with a right to opt out of sale/sharing
Revenue thresholdNone; applies by data-subject location and processing activityGenerally $25 million or more in annual gross revenue, among other qualifying tests
Maximum penalty€20 million or 4% of global annual turnover, whichever is higher$2,500 per unintentional violation, $7,500 per intentional violation

The US instead relies on a patchwork of US data privacy laws at the state level rather than one federal standard. For the fuller side-by-side breakdown of consent mechanics, rights, and compliance steps, compare GDPR vs CCPA directly.

How Consently Helps US Companies Meet GDPR's Cookie Consent Rules

Consently handles the cookie-consent slice of a US company's GDPR duty: the opt-in banner, the pre-consent blocking, and the audit trail that proves it happened.

If your US site draws EU visitors and runs cookies, analytics, or ad pixels on them, you are monitoring their behavior under Article 3(2). That means valid opt-in consent has to happen before those trackers fire, not after. Consently's GDPR Opt-In cookie banner template is built for exactly that opt-in requirement, and it ships alongside a matching CCPA/US opt-out template for domestic visitors.

Two other features close the gap between knowing you are in scope and actually being compliant. Automatic cookie scanning with auto-blocking finds every cookie and tracker on your site. It stops non-essential ones from loading until a visitor consents. Consent logs record each visitor's choice with a timestamp. That gives you the documentation trail that matters if a partner, customer, or regulator ever asks how your consent process works. Automatic geotargeting decides which template a visitor sees: opt-in for EU/EEA visitors, opt-out for US visitors. You never build that logic yourself.

Consently covers this cookie-consent layer of GDPR. It does not handle DSARs, records of processing, EU representative appointment, or Standard Contractual Clauses. Treat it as one piece of a broader compliance program, not a complete GDPR solution. Try Consently free and add a GDPR-ready opt-in banner in minutes.

FAQs

Does GDPR apply to US companies?

Yes. GDPR applies to a US company whenever it offers goods or services to people in the EU, or monitors their online behavior. This holds regardless of where the company is based: location of the data, not the company's address, decides scope.

Does GDPR apply if all my customers are in the US?

Not necessarily, but do not assume you are automatically exempt. If your site does not target EU residents and does not track EU visitors through cookies or analytics, GDPR generally does not reach you. Targeting signals include euro pricing, EU-directed ads, and translated content. If your analytics or ad scripts run on any EU visitor, the monitoring trigger can apply even without a single EU sale.

Does GDPR apply to non-EU companies?

Yes. GDPR applies to non-EU companies, including US ones, that offer goods or services to people in the EU or monitor their behavior. Article 3(2) extends the regulation to any controller or processor outside the Union that meets either trigger, with no EU office required.

Does the US have a GDPR equivalent?

No single federal law. The closest equivalents are state laws, most notably California's CCPA, which grants residents rights over their data. CCPA uses an opt-out model and applies only to qualifying businesses, unlike GDPR's opt-in, location-based scope.

Can a US company actually be fined under GDPR?

Yes, in principle, up to €20 million or 4% of global annual turnover for the most serious violations. In practice, direct enforcement against a US company with no EU presence is difficult for European regulators to execute. Exposure often runs through EU-based processors, partners, or an EU representative instead of a direct cross-border fine.

Do US companies need an EU representative?

Many do. Article 27 requires a US controller or processor in scope of GDPR with no EU establishment to appoint an EU-based representative. The exemption is narrow: occasional processing that skips large-scale special-category or criminal-conviction data.

Does GDPR apply to US citizens or people physically in the EU?

GDPR protects people by physical location, not nationality. A US citizen traveling in Berlin is covered while there. A German citizen living in New York is not covered for that US-based activity, because GDPR tracks where the data subject is when processing happens.

Is a cookie banner required for GDPR in the US?

If your US site monitors EU visitors, then yes. You need a compliant opt-in banner that blocks non-essential cookies until a visitor consents. It must match the specific requirements covered earlier in this guide.

Is GDPR mandatory for small US businesses?

Size alone does not exempt a business from GDPR's core rules. The only size-based relief is a partial record-keeping exception for organizations with fewer than 250 employees. Even that exception does not excuse a business from lawful processing, consent, or data subject rights.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.