    I'm Based in the US — Does GDPR Apply to Me?

    Yes, very likely. If your website offers goods or services to, or monitors the behavior of, people who are in the EU or EEA, GDPR applies to you regardless of where your company is incorporated. Under GDPR Article 3(2), territorial scope turns on where the data subject is, not where the controller is. A US SaaS, e-commerce store, or marketing site that targets or tracks EU visitors is within scope.

    This article is for educational purposes and does not constitute legal advice. For compliance decisions, consult a qualified legal or privacy professional. Scope: EU/EEA GDPR. The UK GDPR, read together with the UK Data Protection Act 2018, contains equivalent provisions.


    The short answer: GDPR follows the person, not the company

    GDPR Article 3(2) establishes what the European Data Protection Board (EDPB) calls the targeting criterion: a non-EU company is subject to GDPR when it offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU.

    Your company's legal incorporation in Delaware, Texas, or California is irrelevant to this analysis. What matters is whether people who are in the EU land on your site (the test is presence in the Union, not residency or citizenship), and what you do with their data when they do.

    The EDPB has confirmed this interpretation in Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), adopted 12 November 2019. These guidelines remain the authoritative reference for assessing extraterritorial scope.


    When GDPR applies to a US company: the two-part test

    Under GDPR Article 3(2), your US business is within scope if either of the following is true:

    1. You offer goods or services to EU residents (Article 3(2)(a))

    No payment is required, but mere accessibility of your site from the EU is not enough either (Recital 23): the EDPB looks for evidence of an intention to serve EU customers. Indicators of that intent include:

    • Pricing shown in EUR (€)
    • Language options in French, German, Spanish, Italian, or other EU languages
    • EU-specific shipping options or delivery addresses
    • References to EU users or EU-specific regulations in your terms of service
    • EU country options in a signup form

    A website that is merely accessible from the EU does not by itself trigger scope (Recital 23). But a website that displays EUR pricing, has an EU language toggle, or accepts EU delivery addresses does demonstrate targeting intent, per EDPB Guidelines 3/2018, Section 3.2.

    2. You monitor the behavior of EU residents (Article 3(2)(b))

    Behavioral monitoring under GDPR means tracking individuals across time or sessions to analyze or predict behavior. This includes:

    • Running Google Analytics, Meta Pixel, Hotjar, or any behavioral analytics tool on your site
    • Retargeting EU visitors via advertising networks
    • A/B testing or personalization based on browsing behavior
    • Session recording tools that capture EU user interactions

    If someone in the EU visits your US company's website and your tracking scripts execute, you are processing personal data (IP address, device identifiers, behavioral data) and, because those tools exist to analyze and profile behavior (Recital 24), engaging in behavioral monitoring. That brings you within GDPR's scope under Article 3(2)(b).


    What GDPR requires of a US company within scope

    If GDPR applies to you, the core obligations are the same regardless of where your company is based:

    Obligation: what it means in practice

    • Lawful basis for processing: reading or setting non-essential cookies and identifiers requires consent under Article 5(3) of the ePrivacy Directive, and the processing that follows needs a GDPR Article 6 basis; for analytics and marketing that basis is consent in practice. Contract performance and legitimate interest apply in narrower contexts.
    • Consent before tracking: non-essential scripts (analytics, ads, pixels) must not execute until the user gives valid consent.
    • Privacy policy: must describe what data you collect, why, how long you keep it, and user rights (access, deletion, portability).
    • Data subject rights: EU users can request access to, deletion of, or restriction of their personal data (Articles 15–22).
    • EU representative: if you have no EU establishment, GDPR Article 27 requires you to appoint a representative in the EU or EEA, unless the Article 27(2) exemption for occasional, low-risk processing applies.
    • Data processing agreements: if you use processors (AWS, Stripe, analytics providers) that handle EU data, Article 28 contracts are required.
    • International transfers: transferring EU personal data to US servers requires a legal transfer mechanism under GDPR Chapter V, typically Standard Contractual Clauses (SCCs) or, for certified companies, the EU-US Data Privacy Framework.

    The practical trigger: your tracking stack

    The most common reason US companies find themselves in GDPR scope — and in violation of it — is the tracking stack embedded in their website.

    Google Analytics loads on page view. Meta Pixel fires before consent. Intercom captures session data on first visit. These scripts execute on EU visitors regardless of where your company is incorporated, which means:

    1. You are processing EU personal data (IP addresses, device identifiers, behavioral data)
    2. You are doing so without a lawful basis if consent has not been collected first
    3. You are within GDPR's scope under Article 3(2)(b)

    The technical gap is consistent across company sizes and geographies: a US startup with a marketing site running GA4 and HubSpot is within scope the moment an EU visitor lands on the page, because both tools collect personal data and engage in behavioral monitoring.

    See also: How trackers bypass cookie consent


    Enforcement against US companies: what the EDPB says

    The EDPB commissioned a dedicated report on this question, published in April 2024: Report on the extraterritorial enforcement of the GDPR. The report examines the legal mechanisms EU Data Protection Authorities (DPAs) have available to investigate and act against entities outside the EU.

    Key conclusions from the report:

    • DPAs have authority to investigate non-EU entities that fall within GDPR's territorial scope
    • Enforcement is complex but possible — particularly where a company has EU customers, EU revenue, or uses EU-based service providers
    • The Dutch DPA (Autoriteit Persoonsgegevens) requested the report, reflecting active DPA interest in cross-border enforcement capability

    US companies often assume physical distance from EU regulators provides de facto protection. The April 2024 EDPB report documents that this assumption is increasingly incorrect, particularly for companies with EU market presence.

    The Dutch DPA's €290 million fine against Uber in August 2024, for transferring EU drivers' personal data to the US without appropriate safeguards, is a concrete example of enforcement against a US-headquartered company. (Source: Dutch DPA press release)


    The GDPR-privacy law intersection: US state laws don't substitute

    GDPR compliance is separate from US state privacy laws (CCPA, VCDPA, CPA). Having a CCPA-compliant cookie banner does not satisfy GDPR. The consent requirements differ in a material way:

    Requirement: CCPA (California) vs GDPR (EU/EEA)

    • Consent model: CCPA is opt-out (for sale or sharing of data); GDPR is opt-in for non-essential processing.
    • Consent before tracking: not required under CCPA; required under GDPR.
    • Consent banner: not universally required under CCPA; required under GDPR for non-essential cookies.
    • Legitimate interest: no equivalent under CCPA; available under GDPR, but it cannot substitute for the consent the ePrivacy Directive requires for non-essential cookies and tracking.

    A "Do Not Sell My Personal Information" banner satisfies CCPA. It does not satisfy GDPR. EU visitors require an affirmative opt-in before analytics or tracking scripts execute.

    See also: The real consequences of GDPR violations for your website


    Three practical steps for US companies

    Step 1: Determine if you are in scope

    Answer these questions:

    • Do people in the EU or EEA visit your website? (Check server logs for EU country traffic. If you are reading this from Google Analytics, note that GA itself is one of the scripts in question.)
    • Do your tracking scripts execute on first page load, before any user interaction?
    • Do you show EUR pricing, EU language options, or accept EU delivery addresses?

    If you have EU visitors and answer yes to either of the other two questions, treat yourself as within GDPR scope. Visits alone, with no tracking and no targeting, do not by themselves trigger Article 3(2).

    Step 2: Audit what your site actually does

    A privacy policy and a cookie banner are not sufficient evidence of compliance. What matters is technical behavior: do your tracking scripts actually block before consent, or do they execute on page load?

    Run a runtime behavioral audit of your site: open it in a fresh browser profile with no cookies, open the DevTools Network tab with "Preserve log" enabled before the first page load, reject all consent, and watch what fires. Export the session as a HAR file if you want to review it offline. Any tracking request that executes before consent is a compliance risk under GDPR Article 7 and Article 5(3) of the ePrivacy Directive.

    For a systematic check: How to audit your website for GDPR compliance
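    The runtime audit above, and the pre-consent firing described under "The practical trigger: your tracking stack", can be checked offline from the HAR export rather than by eye. The following is an added example written for this article, not code from the original page or from any analytics or CMP vendor. The tracker rule list is deliberately partial (a real audit needs a fuller list), and the HAR entries, measurement ID and consent timestamp are constructed sample data.

```javascript
// Added example: flag HAR entries that hit known tracking endpoints before
// the user consented. Pass `har.log.entries` from a DevTools HAR export.

// Each rule is a hostname plus an optional path prefix. www.facebook.com is
// only a tracker at its /tr pixel endpoint; a plain link to a page is not.
const TRACKER_RULES = [
  { host: 'www.googletagmanager.com' },
  { host: 'www.google-analytics.com' },
  { host: 'region1.google-analytics.com' },
  { host: 'connect.facebook.net' },
  { host: 'www.facebook.com', pathPrefix: '/tr' },
  { host: 'static.hotjar.com' },
  { host: 'script.hotjar.com' },
];

// Returns the matching tracker host, or null for first-party / unknown URLs.
function matchTracker(urlString, rules = TRACKER_RULES) {
  let u;
  try { u = new URL(urlString); } catch (err) { return null; } // skip unparsable entries
  const rule = rules.find(r => r.host === u.hostname &&
    (!r.pathPrefix || u.pathname.startsWith(r.pathPrefix)));
  return rule ? rule.host : null;
}

// entries: HAR entries. consentAt: ISO timestamp of the user's accept click,
// or null for a "reject all" run, in which case every tracker request counts.
function findPreConsentTrackers(entries, consentAt, rules = TRACKER_RULES) {
  const consentMs = consentAt === null ? Infinity : Date.parse(consentAt);
  const hits = [];
  for (const e of entries) {
    const host = matchTracker(e.request.url, rules);
    if (!host) continue;
    if (Date.parse(e.startedDateTime) < consentMs) {
      hits.push({ host, url: e.request.url, startedDateTime: e.startedDateTime });
    }
  }
  return hits;
}

// Constructed sample, trimmed to the HAR 1.2 fields the functions use.
// The measurement ID G-0000000 is a placeholder, not a real property.
const SAMPLE_ENTRIES = [
  { startedDateTime: '2024-01-01T12:00:00.100Z', request: { method: 'GET',  url: 'https://example.com/' } },
  { startedDateTime: '2024-01-01T12:00:00.400Z', request: { method: 'GET',  url: 'https://www.googletagmanager.com/gtag/js?id=G-0000000' } },
  { startedDateTime: '2024-01-01T12:00:01.000Z', request: { method: 'POST', url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-0000000' } },
  { startedDateTime: '2024-01-01T12:00:01.200Z', request: { method: 'GET',  url: 'https://www.facebook.com/company-page' } }, // link, not pixel
  { startedDateTime: '2024-01-01T12:00:06.000Z', request: { method: 'GET',  url: 'https://connect.facebook.net/en_US/fbevents.js' } },
];
const SAMPLE_CONSENT_AT = '2024-01-01T12:00:05.000Z';

// Stand-alone run: GTM and GA4 fired before the 12:00:05 accept click and are
// reported; the Pixel loaded after consent and is not.
const findings = findPreConsentTrackers(SAMPLE_ENTRIES, SAMPLE_CONSENT_AT);
for (const f of findings) console.log(`${f.startedDateTime} ${f.host} ${f.url}`);
```

    Run the same function with `consentAt = null` over a HAR captured while rejecting the banner: anything it returns is a tracker that ignores the refusal. Matching on hostname alone would also flag ordinary links to social networks, which is why the Pixel rule is restricted to its `/tr` path.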


    Step 3: Implement consent-gated tracking

    If you are in scope:

    1. Implement a CMP (Consent Management Platform) that technically blocks non-essential scripts until consent is granted — not just visually displays a banner
    2. Configure Google Analytics, Meta Pixel, and any behavioral tools to fire only after consent
    3. Appoint an EU representative under GDPR Article 27 if you have no EU establishment
    4. Execute a Data Processing Agreement with each processor handling EU data
    5. Put a Chapter V transfer mechanism in place for EU data sent to US systems: Standard Contractual Clauses, or certification under the EU-US Data Privacy Framework
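    Steps 1 and 2 above turn on one technical property: a non-essential script must not run until its category has been granted, and granting must be idempotent. The following is an added example written for this article, not code from the original page or from any CMP vendor. The category names, the script names and the loader callbacks are assumptions for illustration; in a real deployment each loader injects the vendor tag.

```javascript
// Added example: a minimal consent gate. Scripts register under a category;
// their loaders run only after that category is granted, and at most once.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];

function createConsentGate() {
  // Default state: everything non-essential is denied until the user acts.
  const consent = { necessary: true, analytics: false, marketing: false };
  const registry = []; // { name, category, load, loaded }

  function maybeLoad(entry) {
    if (entry.loaded || !consent[entry.category]) return;
    entry.loaded = true; // a loader runs at most once, however often consent is re-applied
    entry.load();
  }

  // Register a gated script. `load` is what actually injects the vendor tag,
  // e.g. creating <script src="https://www.googletagmanager.com/gtag/js?id=...">.
  function register(name, category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
    const entry = { name, category, load, loaded: false };
    registry.push(entry);
    maybeLoad(entry); // 'necessary' scripts load immediately; others wait
    return entry;
  }

  // Apply the banner choice. Only listed categories change and 'necessary'
  // cannot be switched off. Withdrawing consent stops future loads but cannot
  // un-run a script that already executed, so a real CMP must also delete the
  // vendor's cookies and reload the page on withdrawal.
  function applyConsent(update) {
    for (const cat of CATEGORIES) {
      if (cat === 'necessary' || !(cat in update)) continue;
      consent[cat] = Boolean(update[cat]);
    }
    for (const entry of registry) maybeLoad(entry);
    return { ...consent };
  }

  function loadedScripts() { return registry.filter(e => e.loaded).map(e => e.name); }
  function state() { return { ...consent }; }

  return { register, applyConsent, loadedScripts, state };
}

// Browser-side helper for the markup pattern a gate like this relies on:
// vendor tags are written as <script type="text/plain" data-consent="analytics"
// src="..."> so the HTML parser never executes them, and on consent each one
// is replaced by a real script element. Not exercised here (Node has no DOM);
// `doc` is passed in so it can be called with `document` in the browser.
function activateInertScripts(doc, category) {
  const inert = doc.querySelectorAll(`script[type="text/plain"][data-consent="${category}"]`);
  for (const old of inert) {
    const s = doc.createElement('script');
    if (old.src) s.src = old.src; else s.textContent = old.textContent;
    old.replaceWith(s);
  }
  return inert.length;
}

// Stand-alone demo with constructed loaders that only record what ran.
const ran = [];
const gate = createConsentGate();
gate.register('session-cookie', 'necessary', () => ran.push('session-cookie'));
gate.register('ga4', 'analytics', () => ran.push('ga4'));
gate.register('meta-pixel', 'marketing', () => ran.push('meta-pixel'));
console.log('on page load:', ran);                        // only session-cookie
gate.applyConsent({ analytics: true, marketing: false });  // user accepts analytics only
console.log('after banner:', ran);                         // session-cookie, ga4
```

    The point the audit in Step 2 checks is exactly the gap between this and a banner that merely overlays the page: if `ga4` runs on page load here, the gate is broken regardless of what the banner says. A gate that calls the vendor's own consent API as well (for example Google Consent Mode's default-denied state) is a refinement, not a substitute, because the vendor tag must still not load until the category is granted.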

    Fact basis and sources

    Claim: source

    • GDPR Article 3(2) targeting criterion: GDPR Article 3, full text
    • Targeting indicators: EDPB Guidelines 3/2018 on territorial scope, Section 3.2
    • Extraterritorial enforcement: EDPB Report on extraterritorial enforcement, April 2024
    • Uber €290M fine: Dutch DPA press release, 2024
    • EU representative requirement: GDPR Article 27
    • International transfers: GDPR Chapter V

    Frequently asked questions

    Does GDPR apply if I have no EU office or EU employees?

    Yes. GDPR Article 3(2) applies based on where your users are located and what your website does with their data, not where your company is incorporated or staffed.

    My US lawyer said I don't need to worry about GDPR — is that right?

    US-qualified attorneys may not have expertise in EU data protection law. GDPR is enforced by EU Data Protection Authorities, not US courts. Whether your attorney is correct depends on whether your site targets EU users and what your tracking stack does. The EDPB's 2024 extraterritorial enforcement report documents DPA authority to act against non-EU entities.

    Do I need a cookie banner if my company is in the US?

    If EU residents visit your site and you use non-essential tracking scripts (analytics, advertising, behavioral tools), yes — a consent mechanism that technically blocks those scripts before consent is obtained is required under GDPR Article 7 and the ePrivacy Directive.

    What happens if I ignore GDPR as a US company?

    GDPR Article 83 provides for fines up to €20 million or 4% of global annual turnover, whichever is higher. DPAs can also issue orders to stop processing EU personal data. The EDPB's 2024 enforcement report documents the legal tools available to DPAs for cross-border enforcement.

    How is GDPR consent different from my CCPA cookie banner?

    CCPA uses an opt-out model — users must be given the ability to opt out of data sale. GDPR uses an opt-in model — non-essential tracking must not run until the user affirmatively consents. A CCPA banner does not satisfy GDPR requirements.

