
Does the GDPR apply to your US company? Here’s what to know

Summary

The General Data Protection Regulation (GDPR) changed how businesses handle personal data when it came into effect in May 2018. This European law doesn’t stop at EU borders, however, which is where many US companies get confused.

If your US company processes personal information from individuals in the EU, you likely need to comply with the GDPR. The regulation has extraterritorial reach, so it protects EU residents and requires compliance from organizations that process their personal data, regardless of where in the world those organizations are located.

When you understand how the GDPR applies to your business, you won’t just avoid hefty fines. You’ll also build genuine trust with your customers and create better data practices that promote international growth.

Let’s break down when and how the GDPR affects US companies.

What data does the GDPR protect?

The EU’s General Data Protection Regulation (GDPR) protects the personal data of individuals located in the EU, including when that data is processed by US companies. Personal data refers to any information (often accessible online) that can identify a living person. It’s a definition that’s much broader than most people realize.

Personal data includes obvious things like names, email addresses, and phone numbers. But it also covers IP addresses, device identifiers, location data, and online identifiers from technologies like cookies.

Your customers’ financial information, employment records, photos, and videos all count as personal data under the GDPR. Personal data includes single data points that identify a person — like a name — or types that require aggregation with other data points to do so.

Some information gets extra protection under the regulation. For example, sensitive personal data includes health and medical information, political opinions, religious beliefs, trade union membership, genetic and biometric data, and details about sexual orientation. 

Processing this type of data requires additional safeguards and is the type of information that often requires explicit prior consent for processing under US laws as well as European ones.

The people whose personal data you process are called data subjects under the GDPR. These individuals have specific rights over their information, regardless of what organization wants to collect it or what they want to use it for.

Here’s the major takeaway: GDPR jurisdiction applies based on where data subjects are located when their data is processed, not their nationality or citizenship, or where your business is located.

Does the GDPR apply to US companies?

The short answer is yes, the GDPR can apply to US companies. 

Article 3 of the regulation establishes its territorial scope and makes it clear that the location of one’s company doesn’t determine applicability.

The GDPR is applicable in the US if you collect data on people in the EU by offering goods or services to them, even if those services are free. It also applies if you monitor the behavior or process the personal data of people located in the EU as part of your business activities, e.g. via website tracking.

In other words, you don’t need offices, employees, or any physical presence in Europe for the GDPR to apply to your business. The size of your business and the amount of data you process also don’t matter. The regulation focuses on your relationship with EU data subjects, even if you don’t actively target them in your business operations or marketing campaigns.

For example, if you’re a US ecommerce site that ships products to customers in Germany, you must comply with the GDPR. Alternatively, a US software company offering free trials to users in France, or a consultant with newsletter subscribers in Spain, also needs to comply with the GDPR.

As companies expand internationally, GDPR compliance grows more important for US companies, and must become a strategic priority. 

On the plus side, achieving and maintaining GDPR compliance can mean that you’ll also be compliant with other data privacy laws around the world, or at least have a fair bit less work to do to achieve and maintain compliance with them.

Does the GDPR apply to US citizens and residents?

GDPR protection depends entirely on the location of the data subject, not citizenship or residence status. This distinction can be confusing, but it’s fundamental to understanding how the regulation works.

US citizens are protected by the GDPR when they’re physically located in the EU and their data is being processed in connection with the offering of goods or services or the monitoring of their behavior within the EU. 

In this context, it applies whether they’re tourists visiting Paris, students studying in Berlin, or business travelers working in Amsterdam. Their citizenship doesn’t matter; their location does. 

There isn’t a length of time requirement, either, so a person is covered by the GDPR if they visit Barcelona for a week or if they’ve resided in Prague for five years. 

This differs from some US data privacy laws, such as the CCPA in California, which is meant to protect state residents, not “temporary or transitory” visitors, like tourists on vacation.

US citizens don’t get GDPR protection when they’re located in the United States or other non-EU countries. A US citizen in New York has no GDPR protection when shopping online or using social media. 

An EU resident also doesn’t get GDPR protection while in the US, like if they’re on vacation in Los Angeles. European residents are, of course, covered when they are at home in EU Member States.

Does the GDPR apply to the US government?

The short answer is: yes, the GDPR applies to the US government.

Federal and state agencies generally must comply with the relevant provisions of the regulation when processing the personal information of individuals in the EU because the GDPR doesn’t make blanket exceptions for governmental or public agencies.

That means if the US government targets or processes the personal data of EU/EEA-based users, it’s expected to comply with the GDPR, as are all non-EU/EEA public agencies.

Art. 2 GDPR does excuse certain government agencies from complying with specific provisions as long as the processing is for reasons beneficial to the public interest, like preventing, investigating, and prosecuting criminal offenses or threats to public safety.

However, because the US is not an EU member state, these exemptions don’t apply to US agencies. In other words, the US government generally must meet all obligations outlined in the GDPR when processing the personal data of EU residents.

Does the GDPR apply to EU citizens living in the US?

Because the GDPR is location-based, EU citizens don’t automatically keep their GDPR protection when they travel or move to the United States. 

Generally, EU citizens who move to the US lose GDPR protection for their day-to-day activities. They become subject to US privacy laws instead, though there is no consistent coverage of data privacy protection across the US. However, there can be specific cross-border situations in which the GDPR still applies.

Jurisdiction becomes complex in some cases. For example:

  • an EU citizen in the US uses services from EU-based companies
  • US companies with EU operations process the data of EU residents
  • data transfers occur between US and EU entities

Each situation requires individual assessment based on the specific circumstances.

The European Court of Justice and national data protection authorities provide guidance on these complicated scenarios, but there’s no simple rule that covers every situation. Most EU citizens permanently residing in the US are protected by US privacy laws rather than the GDPR. 

The US does not have a single comprehensive federal privacy law, but rather some states have passed state-level laws. There are also more targeted sector-based federal laws that protect data privacy, such as HIPAA for healthcare and the GLBA for financial institutions.

Are any US entities exempt from the GDPR?

Some US entities may be exempt from the GDPR, but these exemptions are limited and often misunderstood.

Examples include:

  • Very small businesses with minimal EU data processing might qualify for certain exemptions
  • Entities processing data purely for personal use are generally exempt
  • Some government activities may fall outside of the GDPR’s scope, though this area is legally complex

Size alone doesn’t guarantee exemption from GDPR requirements. A one-person consulting business, a blog that uses tracking cookies, or a small startup that offers services to EU clients still needs to comply.

The safest approach is to assume the GDPR applies if you process any personal data from people located in the EU. If you’re unsure about your specific situation, consult with qualified legal counsel or a data privacy expert.

Key GDPR compliance requirements for US companies

US companies subject to the GDPR must meet the same requirements as businesses in the EU. 

GDPR compliance in the United States, as in the EU, requires you to have a lawful basis for processing personal data. 

The regulation provides six possible lawful bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interest. You need to identify which basis applies to each of your data processing activities.

Data subjects have extensive rights under the GDPR, including the right:

  • To access the personal data an organization has about them and get a copy of it
  • To require corrections to incorrect information or request the deletion of their data (with exceptions)
  • To restrict how you process their data or object to the processing of it (with exceptions)
  • To not be subjected to important decisions made solely by automated processes or profiling (automated decision-making)

If your processing activities are high risk, you need to conduct Data Protection Impact Assessments (DPIAs). These assessments evaluate privacy risks and explain how you’ll mitigate them. 

You may also need to appoint a Data Protection Officer (DPO) if your core activities involve large-scale monitoring or processing of sensitive data.

You must also maintain detailed records of your processing activities. These records document what personal data you process, why you process it, who you share it with, and how long you keep it, among other requirements. 

Your organization needs procedures for handling data breaches, including notification requirements for authorities and affected individuals.

Lastly, privacy by design and by default are also fundamental GDPR principles. They require building privacy protection into your systems and processes from the start, not adding it as an afterthought.

GDPR compliance tips for US companies

Starting your GDPR compliance journey can feel overwhelming, but there are a few easy steps you can follow to kickstart the process.

Assess your GDPR applicability

Begin by determining whether the GDPR actually applies to your business. 

Map your data flows to identify any EU personal data you’re processing. Review your customer base, website visitors, newsletter subscribers, etc., as well as your website analytics to better understand your EU audience. Analyze your marketing activities, tracking technologies in use on websites or apps, and any behavioral monitoring you conduct. 

Remember that data controllers are also responsible for the GDPR compliance of processors. That means you need to ensure that any third-party partners or vendors you contract with also meet GDPR requirements in their data processing operations.

Document everything you find during this assessment phase, since it serves as the foundation for your next steps.

Conduct extensive data mapping

Once you’ve confirmed that the GDPR applies to you, build on your assessment by conducting a more detailed data mapping exercise. Identify what personal data you collect, why you collect it, how it’s processed, where it’s stored, and who has access to it. Note your data retention timelines and deletion practices.

This process can uncover previously overlooked processing activities, so it’s a crucial part of your compliance framework.

Update your privacy policies and notices

Now that you have a clear understanding of your data practices, it’s time to update your privacy policies to meet GDPR standards.

Use straightforward, plain language to explain your data processing activities. Clearly state your lawful basis for each type of processing and outline the rights of data subjects. Include information about how they can exercise those rights (and make sure you can respond to rights requests in a timely manner).

Make sure to include contact details for privacy-related inquiries or complaints.

If your data processing relies on user consent, you must have mechanisms in place that align with GDPR standards. Consent must be freely given, specific, informed, and unambiguous. 

Make it as easy for users to withdraw consent as it is to provide it, or to change their preferences over time. Maintain detailed records of consent and regularly review them to verify that they’re still valid. If your company is audited or there’s a complaint, you will need to provide Data Protection Authorities with this information.

To simplify this process, consider using a consent management platform (CMP). These solutions help automate the collection, storage, and management of user consent across your digital properties. A good CMP can keep your consent flows GDPR-compliant while improving user trust and transparency.

Prepare for international data transfers

Many US companies need to transfer personal data across borders. Identify when these transfers occur and implement safeguards such as Standard Contractual Clauses (SCCs).

In addition, check to see if the destination country has an adequacy decision and document your transfer practices carefully. These steps are vital for maintaining GDPR compliance during international data movement.

Establish data subject request procedures

Finally, put clear and effective procedures in place for handling data subject requests. These include requests for data access, deletion, and other GDPR rights. 

Implement identity verification processes and train your team on how to respond appropriately. Establish response timelines that meet GDPR requirements and be prepared to respond to requests in a compliant and timely manner.

Industry-specific GDPR considerations for US companies

Different industries face unique GDPR compliance challenges. Understanding these sector-specific requirements helps US companies develop more effective compliance strategies.

Technology companies

Tech companies often process large volumes of personal data across various products and services. GDPR compliance in this sector requires close attention to data flows, user consent management, and international data transfers. 

For Software-as-a-Service (SaaS) providers, it’s especially important to establish robust data processing agreements with customers to define responsibilities and provide transparency.

Ecommerce and retail

Ecommerce businesses face complex GDPR requirements related to customer data, targeted marketing, and payment processing. For US retailers selling to European customers, compliance should cover the entire customer journey, from website tracking and cookie consent to checkout and order fulfillment.

Healthcare organizations

Healthcare providers handling EU patient data must reconcile the GDPR with US-specific privacy laws like HIPAA.

Since health data is classified as a special sensitive category under the GDPR, it demands stricter safeguards, enhanced consent mechanisms, and clear protocols for data subject rights.

Financial services

US-based financial institutions that serve European clients or process EU payment data must integrate the GDPR into their existing compliance programs. This often means layering GDPR obligations on top of existing US financial privacy regulations, like the Right to Financial Privacy Act (RFPA), paying particular attention to transparency, lawful bases, and cross-border data handling.

Marketing and advertising agencies

Agencies involved in behavioral tracking, ad targeting, or third-party data processing can face heightened GDPR scrutiny. These activities require explicit consent, detailed documentation, and well-defined contracts with all parties involved, especially if there are any data transfers outside the EU.

Small businesses

Small businesses may lack the resources or in-house legal expertise of larger enterprises, but the GDPR still applies to small businesses in the US.

US-based small businesses need practical, affordable compliance tools that minimize resource demands while still meeting core GDPR obligations. Beyond legal penalties, privacy missteps can erode customer trust and cause long-term damage to brand reputation.

Who enforces the GDPR in the US?

GDPR enforcement in the US comes from EU Data Protection Authorities (DPAs), rather than US regulators. This might seem counterintuitive, but it’s how the regulation is designed to work across borders.

EU Data Protection Authorities have full jurisdiction over US companies that process EU personal data. Each EU Member State has its own DPA to handle investigations and enforcement in that country. 

They can investigate your business, impose fines, and take enforcement action regardless of where your company is located. They coordinate through the European Data Protection Board (EDPB) to maintain consistent enforcement across all EU Member States.

These authorities use cross-border cooperation mechanisms to enforce the GDPR globally. The one-stop shop mechanism applies to companies with EU operations. Mutual assistance agreements enable DPAs to work together on complex cases, while joint enforcement actions coordinate responses to major violations.

Real enforcement examples prove that geographic distance doesn’t prevent action. EU DPAs have imposed significant fines on major US technology companies like Google and Meta for GDPR violations. 

These cases demonstrate that European authorities have both the willingness and the tools to enforce GDPR penalties against US businesses.

US companies cannot simply ignore GDPR enforcement. EU authorities can collect fines through various mechanisms and can restrict or ban a company’s services to EU users.

What are the penalties for GDPR noncompliance for US companies?

GDPR penalties for US companies are identical to those for EU businesses. 

Administrative fines can reach up to EUR 10 million or two percent of annual global turnover, whichever is higher, for first-tier violations, like first-time or less severe issues. 

More severe or repeat violations are subject to second-tier penalties of up to EUR 20 million or up to four percent of your company’s annual global turnover, whichever amount is higher.

The penalty amount depends on several factors. Authorities consider: 

  • The nature and severity of the violation 
  • Whether the violation was intentional or negligent 
  • What actions were taken to mitigate damage, including timely notifications 
  • How well the organization cooperates with the investigation
  • Whether there have been previous violations

If your company is found in violation, you may also face temporary or permanent processing bans, requirements to delete data, orders to comply with data subject requests or audits, public warnings and reprimands, or suspension of privacy certifications. These non-financial penalties can be just as damaging to your business as fines.

Reputational damage from violating the GDPR often exceeds the direct financial cost of penalties. Privacy violations can destroy customer trust and create long-lasting brand damage that affects your business for years, including scaring off potential partners, investors, or advertisers.

How Usercentrics can help US companies comply with the GDPR

Navigating the GDPR in the US can feel complex and overwhelming, especially with evolving standards, cross-border data transfers, and strict consent rules. Usercentrics can help.

Usercentrics CMP is a robust consent management solution that helps US companies comply with the GDPR by:

  • Automating privacy policy generation to reflect GDPR requirements for US companies, including lawful bases for data processing and user rights
  • Customizing and maintaining privacy policies to reflect your actual data practices, lawful bases, and user rights
  • Documenting and securely storing consent information over time to demonstrate compliance in case of regulatory inquiries
  • Supporting international data transfers with features aligned with Standard Contractual Clauses and legal guidance

Whether you’re just starting to work toward GDPR compliance or optimizing your Privacy-Led Marketing, Usercentrics delivers scalable, easy-to-implement solutions that help you comply with GDPR requirements confidently, without compromising user experience or business growth.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH