GDPR compliance checklist for US companies + expert guidance 
Summary

The General Data Protection Regulation (GDPR) has been in effect in the European Union since May 2018. Enforcement only tends to make headlines when the penalties are in the billions. But that’s just the tip of the iceberg. Any organization that handles EU residents’ personal data needs to take GDPR compliance seriously.

GDPR compliance is relevant for businesses in the US that have customers or website visitors who reside in the EU. It applies to visitors you track on your website as much as to those making purchases, and when working with EU-based partners or customers. 

But even if you don’t have an EU-based audience, understanding the regulation is still valuable for US companies.  

Its requirements are among the most stringent, and align with other EU laws or partner platform policies that may also be relevant to your business. 

Currently, it more than meets many state-level privacy law requirements. It positions companies to already be prepared as laws evolve. And it can help build trust by showing dedication to data privacy that goes “above and beyond.”

The GDPR’s requirements are also more in line with those of a number of highly regulated industries, like healthcare or finance, so compliance can go a long way in meeting those industry-related regulatory standards.

The following information will help clarify your company’s GDPR compliance requirements. You’ll understand the steps it takes to achieve and maintain compliance with this landmark data privacy law. 

Key takeaways

  • The GDPR applies extraterritorially, meaning US companies that handle the data of individuals residing in the EU must comply even if those companies are not based in Europe.
  • GDPR requirements go beyond requirements of most US laws, with stricter rules on consent, legal bases for data processing, user rights, and mandatory roles like Data Protection Officers (DPOs). 
  • Adopting GDPR best practices prepares companies to comply with the requirements of existing US laws, including federal ones like HIPAA or the GLBA, and with the evolution of state-level privacy regulations.
  • Common compliance mistakes include relying on US-style cookie notices, mishandling data transfers, and failing to meet the standards of EU-level data subject access requests (DSAR).
  • Using a consent management platform (CMP) streamlines consent management, reduces noncompliance risk, and helps build customer trust across jurisdictions.

The GDPR in the US: Does your company need to comply?

US-based companies do need to ask: “Does the GDPR apply to us?” If your business collects and processes the personal data of EU residents, then yes, you do need to achieve 

In July 2023, the EU–U.S. Data Privacy Framework replaced the previous adequacy agreement between the two regions, which was struck down by the Schrems II decision in 2020. The data flows enabled by the Framework were reaffirmed in September 2025 when the European General Court upheld the previous adequacy decision.

The EU–U.S. Data Privacy Framework does not apply the GDPR’s requirements to US-based business operations. It is, however, a legal agreement that governs international data transfers between the two regions, and it requires data protection standards comparable to the GDPR’s from all parties making such transfers.

The Framework outlines data subjects’ rights, as well as responsibilities and requirements certified companies must fulfill. It also covers redress mechanisms for complaints, and requirements and restrictions on US intelligence services.

GDPR compliance exemptions for US companies

Data processing activities are exempt from certain GDPR requirements if they fall into one of the following categories: 

  • Personal activity: You’re free to process data for private, household activities, like updating an address book or sharing a photo album.
  • Small businesses: Companies with under 250 employees are exempt from keeping detailed data processing records, provided the processing is minimal, low-risk, and doesn’t involve sensitive information.
  • Minimal data processing: You don’t need a Data Protection Officer (DPO) if you only infrequently process sensitive data from EU residents.
  • Law enforcement or national security: The GDPR doesn’t apply to data processing activities used by authorities to prevent, detect, and prosecute criminal offences.

Understanding GDPR requirements for US companies: key concepts 

Many of the GDPR’s requirements differ from data privacy regulations in the US, especially at the state level. Here are some of the most important differences to note.

Scope of jurisdiction

The US has state-level data privacy laws in 21 states as of late 2025. There is no overarching federal privacy law. As noted, however, other laws and frameworks, including federal ones, may also apply. 

Among the states with privacy laws, there are many variations in data subject rights, business “friendliness”, and compliance thresholds.

In contrast, the same data subject rights and protections apply to all 30 GDPR countries, and compliance thresholds based on revenue or volume of data processing don’t apply.

Scope of protection

Many US state laws only protect in-state residents, and some don’t apply to employees or other specific groups. Even the California Consumer Privacy Act (CCPA), which is widely considered to be the most comprehensive US data privacy law, doesn’t protect nonresidents, and there are legal questions about how long you have to be in California to qualify as a resident. 

The GDPR, on the other hand, covers anyone located within the EU at the time of data processing, regardless of their nationality or usual place of residence. So it would apply to anyone from Americans to Australians if they were in Europe when their data was processed.

Personal data

While the GDPR refers to personal data, the term personally identifiable information (PII) is more common in the US. 

The definition of personal data is also more broad than for PII. Art. 4 GDPR defines it as “any information relating to an identified or identifiable natural person.” This can include single data points, or multiple data points that enable identification if combined.

The PII definition is a bit more specific. The US Department of Labor defines it as: “Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

Opt in vs. opt out

Under the GDPR, individuals must provide explicit opt-in consent prior to having their personal data collected and processed. 

The US uses an opt-out consent model in all state-level privacy laws passed to date. In many cases, you can collect and use data without obtaining prior consent. However, the common exception is that prior consent is required for access to children’s data or data categorized as sensitive. Generally, categories of sensitive data are those that pose greater personal risk if misused. 

While prior consent is not often required, there are two other major requirements. One is to provide easily accessible and understandable information to users about data collection, processing, and sharing, as well as about users’ rights and how to exercise them. 

The other is to provide a clear and easily accessible way to opt out of data collection or use at any time. The purposes for which users can opt out vary by state, but generally include actions like sharing, sale, use for targeted advertising, or profiling.

Data protection and regulation of children’s data

The federal Children’s Online Privacy Protection Act (COPPA) in the US sets the age limit for collecting data without parental consent at 13, while the GDPR sets it at 16. 

But COPPA only applies to companies knowingly collecting data from minors, such as online children’s entertainment services. The GDPR expects all organizations to take reasonable steps to verify ages before processing data, via consent gates or pop-up notifications.

Most state-level US privacy laws do categorize any data belonging to children as sensitive, thus automatically applying restrictions and additional requirements on collection, security, and processing.

Dedicated data privacy roles

No US states currently require businesses to have a data protection officer (DPO). But it’s worth noting that many are in the process of updating legislation, so this may change. This appointment is required by some federal laws, like HIPAA.

The GDPR requires companies to appoint a DPO to oversee any large-scale or high-risk data processing activities. The DPO is not required to reside in the EU.

While the DPO may be a current team member, they must possess the expertise necessary to fulfil their duties. For instance, they must be well-versed in GDPR principles and understand how your business collects, manages, and stores personal information. They should also be competent in managing staff training programs about data privacy, or managing data breach responses.

✅ Build data privacy compliance into planning and processes. Implementing privacy by design helps you stay GDPR-compliant and limit compliance maintenance requirements. 

✅ Document lawful bases for processing personal data. Make sure every processing activity is both justifiable and clearly recorded. If the lawful basis is consent, implement robust consent management.

✅ Set up clear procedures for data subject access requests (DSARs). Make it easy for individuals to access, correct, delete, or transfer their personal data within GDPR-prescribed timeframes.

✅ Maintain a record of processing activities (RoPA). Track what data you collect, where you store it, who can access it, and how long it will be retained — in addition to user consent records if needed.

✅ Anonymize, pseudonymize, and encrypt files. This will help you protect personal data and uphold GDPR data subject rights.

✅ Create an internal data security policy for employees and partners. It should cover all roles and responsibilities that involve handling data and be updated regularly.

✅ Establish a process to implement data protection impact assessments. This is required where data processing activities can result in a high risk to the rights and freedoms of individuals.

✅ Regularly audit vendors and processors. Verify that third-party service providers meet GDPR standards, and have them sign Data Processing Agreements (DPAs).

✅ Establish a process to notify authorities of data breaches. Notification must happen within 72 hours of a breach, per GDPR guidelines.

✅ Appoint a Data Protection Officer (DPO) if required. If your core activities involve large-scale monitoring or sensitive data, it’s mandatory to have a DPO.

GDPR compliance requirements: What US companies need to know

The GDPR is a comprehensive document, so we’ve summarized its requirements in the compliance checklist below. We’ve divided the sections into three key areas: 

  • Data subject rights
  • Data processing operations
  • Data controller responsibilities

1. Uphold data subjects’ privacy rights

It must be clear and easily accessible for any individuals accessing your services from the EU to:

✅ inquire about what personal data you collect and how you process it 

✅ request access to and/or a copy of their data in an accessible and transferable format

✅ request a correction or update to inaccurate or incomplete data

✅ request some or all personal data be deleted in a timely manner (with exceptions)

✅ limit how or for what purpose you process their data under certain circumstances

✅ withdraw previously granted consent and have you stop processing their data

✅ choose not to be subject to decisions based solely on automated processing

2. Maintain privacy-compliant data processing operations

Each GDPR requirement below is followed by the key actions to take and further details.

✅ Audit and map data processing activities
Key actions: Conduct an information audit to learn and document:
  • What data you collect and for what purpose
  • Who has access to data (including third parties)
  • How you process the data
  • How and where you store data
  • What security measures are in place
  • How long you retain data and how it’s anonymized, returned, or destroyed
Details: Even where exemptions apply, all US companies can benefit from keeping current and detailed lists of their processing activities to show regulators upon request.

✅ Have a justifiable legal basis for data processing activities
Key actions: Determine the legal basis for data processing and whether any conditions apply. Document this information.
Details: Legal basis is determined based on the six conditions under Art. 6 GDPR, with additional provisions for children and special categories of personal data in Arts. 7–11 GDPR. Be aware of the additional obligations if consent is your required legal basis.

✅ Appoint appropriate officers and representatives to manage data privacy and protection initiatives
Key actions: Determine if your organization needs a DPO, and appoint one if required. In achieving and maintaining compliance, qualified legal counsel and/or a data privacy expert can also be valuable.
Details: Your DPO must understand GDPR requirements, your ongoing compliance needs, and their responsibilities. A legal/privacy expert helps interpret GDPR requirements for your business and ensures required notifications and documentation meet standards.

✅ Create and use a data processing agreement (DPA) with third-party processors
Key actions: Any third parties that process data on your behalf must sign a DPA that outlines how they must handle data to protect user rights. Under the GDPR, data controllers are responsible for the data processing operations and privacy compliance of contracted third parties, so comprehensive contracts and clear expectations are critical. Agreements can cover email hosting, cloud services, advertising partnerships, analytics software, etc.
Details: Rights and responsibilities of both parties should be clear, as should timelines for required actions, like data breach notifications.

3. Understand the obligations you have to data subjects

Each requirement below is followed by the key actions to take and further details.

✅ Provide required information
Key actions: Notify users about the cookies and tracking tools your business uses, what data they collect, and how it’s used. Also ensure user rights and how to exercise them are clear.
Details: Include these details in a privacy notice or policy that’s easy to find, read, and understand. Review and update the policy at least annually, or as often as relevant changes to legal requirements, data processing operations, and technologies in use occur. Include the following information in your privacy policy:
  • Name and contact details of the data controller
  • Purpose of data processing
  • Categories of people and personal data processed
  • Any third parties you share data with
  • How long you retain data
  • Security measures

✅ Obtain explicit user consent
Key actions: Ensure consent meets the seven GDPR criteria to be valid before collecting or processing personal data.
Details: Consent must be:
  • Explicit: Users must make an affirmative action, like ticking a box or clicking a button.
  • Informed: Explain data use and users’ rights and responsibilities in clear language.
  • Documented: Record who consented, when, and to what (the information presented to them and their specific choices) so you’re audit-ready.
  • In advance: Don’t collect data before opt-in. Block trackers before you receive consent.
  • Granular: Enable consent for each activity or purpose separately. Only offering “Accept All” is not compliant.
  • Freely given: Don’t hide or remove consent options or withhold access in exchange for consent.
  • Easy to withdraw: Give users clear processes to change or revoke their preferences.

✅ Manage cookies
Key actions: Only enable cookies when valid consent is obtained.
Details:
  • Loading: Cookies, trackers, and other tags should not be loaded until consent is received and signaled.
  • User refusal: If someone rejects cookies or other processing functions, only enable essential tracking tools.

✅ Maintain comprehensive consent records
Key actions: Keep detailed consent logs for each unique user.
Details: In the case of an audit, you will need to supply all documentation to authorities or data subjects upon request and in a timely manner.

✅ Make it easy to opt out
Key actions: Make it as easy to decline or withdraw consent as it is to provide it.
Details: After opt-out, cease data processing as soon as consent is withdrawn and record that you have stopped in your log.

Common GDPR compliance mistakes US companies make (and how to avoid them)

Differences in US and EU laws can lead to confusion and GDPR violations. Here are some common mistakes companies make and what strategies you can implement to avoid them.

Using the same notifications everywhere to simplify workflows can have negative consequences. The GDPR has different consent requirements than most US laws, so this shortcut leads to compliance gaps for EU users and overly restrictive settings for US-based customers.

Dynamic cookie banners powered by geotargeting functionality enable you to adjust notification settings based on the visitor’s location (and present information in their preferred language). 

Tools like Usercentrics’ Consent Management Platform (CMP) detect where users are visiting your website from and automatically adjust messaging and consent options accordingly. 

Unlawful data transfers

Transferring data out of the EU without proper safeguards violates GDPR rules. And the consequences can be serious. In 2024, Uber incurred a EUR 290 million penalty just for storing details about drivers on US servers without Standard Contractual Clauses (SCCs).

Incorporate Transfer Impact Assessments (TIAs) into your standard operating procedures ahead of any data transmission. These are mandatory under the GDPR and help you either meet EU–U.S. Data Privacy Framework requirements or have other adequate mechanisms in place to protect user rights.

Failing to account for new technology

The GDPR’s broad terms mean that most new technology is subject to its requirements. For example, AI tools process data, so businesses that use them are obligated to notify users and obtain opt-in consent from day one of their use. These general rules have brought major US tech companies like OpenAI into legal disputes with EU data protection authorities.

The EU’s AI Act is also coming into effect, and adds complexity for data processing and consent.

It’s a best practice to take a proactive approach to privacy compliance and get ahead of regulatory changes early. In the long run, it saves time and resources and makes a better impression with customers to go the extra mile regarding data privacy and protection compared to doing the minimum.

Regularly audit your data processing practices, the tools you’re using (including third-party platforms), and the legal landscape.

Inadequate mechanisms for users to exercise their rights

If you’re used to responding to Data Subject Access Requests (DSARs) in the US, you may underestimate what’s required for EU users. However, the GDPR has much stricter rules than most US states. Per the GDPR, you must:

  • Respond in writing within one month
  • Communicate in a clear and understandable manner
  • Document the request
  • Provide the first response for free

Before you allow EU users to access your services, rebuild your DSAR workflow to align with GDPR standards. It should be reliable and easy to follow so your team can handle a large volume of requests within the GDPR’s time limit. Automation can be valuable here.

Consent for data processing must meet all seven GDPR criteria to be compliant. Here are some practical steps you can take to comply:

  • Use plain language to notify users: Informed consent means users must understand their options. Use simple language on banners and explain any complicated terms like “data processor.” Remember that English may not be the first language of your audience.
  • Avoid default opt-ins: Users must take affirmative action, so you must block cookies and tags from activating before consent is obtained, and leave consent options neutral or defaulting to “decline.”
  • Pay attention to design: Present all consent options so they are equally accessible and prominent, and no design elements like text or layout obscure features or options. 
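The consent criteria from section 3 (block before consent, granular and explicit choices, a documented log, easy withdrawal that stops processing) and the practical steps above can be modelled in a small piece of browser-side logic. The following is an added example written for this page, not Usercentrics’ CMP code; the purpose names, the notice version string and the user ids are constructed placeholders, and tags are represented by start/stop callbacks rather than real script loads so it runs outside a browser.

```javascript
// Added example (not Usercentrics' CMP code): a DOM-free model of the consent
// rules above. Purpose names, the notice version and user ids are constructed.
const PURPOSES = ["essential", "analytics", "marketing"];
function essentialOnly() {
  // Only strictly necessary processing is allowed before (or after withdrawal of) consent.
  return { essential: true, analytics: false, marketing: false };
}

function createConsentManager(noticeVersion) {
  let state = essentialOnly();
  const log = [];      // "Documented": who, when, which notice text, which choices
  const pending = [];  // tags held back until their purpose is allowed ("in advance")
  const active = [];   // tags currently running, so withdrawal can stop them

  function startAllowed() {
    for (let i = pending.length - 1; i >= 0; i--) {
      const tag = pending[i];
      if (state[tag.purpose]) {
        pending.splice(i, 1);
        tag.start();
        active.push(tag);
      }
    }
  }
  return {
    // Register a tag with the single purpose it serves; it loads only once that purpose is allowed.
    registerTag(name, purpose, start, stop) {
      if (!PURPOSES.includes(purpose)) throw new Error("unknown purpose: " + purpose);
      pending.push({ name, purpose, start, stop: stop || (() => {}) });
      startAllowed();
    },
    // "Explicit" and "granular": a purpose is enabled only by a literal true from the
    // user's own choice; anything else (undefined, "yes", 1) stays off.
    recordChoice(userId, choices, at) {
      const next = essentialOnly();
      for (const p of PURPOSES) if (p !== "essential" && choices[p] === true) next[p] = true;
      state = next;
      log.push({ event: "consent", userId, at: at.toISOString(), noticeVersion, choices: { ...next } });
      startAllowed();
      return { ...state };
    },
    // "Easy to withdraw": one call resets to essential-only, stops running non-essential
    // tags, and records in the log that processing stopped.
    withdraw(userId, at) {
      state = essentialOnly();
      const stopped = [];
      for (let i = active.length - 1; i >= 0; i--) {
        const tag = active[i];
        if (!state[tag.purpose]) {
          tag.stop();
          stopped.push(tag.name);
          active.splice(i, 1);
          pending.push(tag); // a later re-consent starts it again
        }
      }
      log.push({ event: "withdraw", userId, at: at.toISOString(), noticeVersion, choices: { ...state }, processingStopped: stopped });
      return { ...state };
    },
    isAllowed(purpose) { return state[purpose] === true; },
    // Evidence for an audit or a data subject request, returned as shallow copies.
    exportLog() { return log.map((e) => ({ ...e })); },
  };
}
```

In a real deployment the start callback would inject the vendor script and the stop callback would clear its cookies; the log entries are what you would retain per user to answer an audit.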

Let’s look at a GDPR-compliant consent example to see how this works in practice. 

Imagine you expand your online store with European operations and marketing and implement a CMP to collect opt-in consent via dynamic banners on regional versions of your site. 

Your CMP keeps the banner design consistent to maintain a strong brand image but automatically adjusts settings so that you always obtain valid prior consent when interacting with EU-based visitors. 

Caption: The consent banner on our website clearly explains our cookie use and makes the “Accept” and “Deny” buttons equally prominent and accessible. 

As a US-based company, you may have a lot of state-level data privacy requirements to keep in mind. When you add GDPR requirements to the list, privacy compliance becomes daunting. But not when you use a tool like Usercentrics CMP to automate privacy compliance. 

Our CMP automatically updates and displays the correct consent banner depending on where your website visitors are located, whether they’re in California or Czechia.

What’s more, we stay up to date on evolving GDPR requirements and adjust our services alongside regulatory changes. Usercentrics seamlessly integrates into your existing website and with your martech stack so you can start collecting and signaling GDPR-compliant consent, avoid fines and penalties, and build trust with your customers. 

William Newmark