The General Data Protection Regulation is a European law, but its reach is global. If your American business collects data from anyone physically located in the EU - even a US tourist browsing your site from a hotel room in Barcelona - GDPR obligations apply to that data. No office in Europe required. A single visitor from the EU whose IP address hits your analytics is enough to bring your website within scope.
That extraterritorial reach catches many US companies off guard. As of early 2025, EU data protection authorities had issued roughly 5.88 billion euros in GDPR fines since May 2018, with US companies accounting for about 83% of that total.
When GDPR Applies to a US Company
Article 3 of the GDPR defines the regulation's territorial scope through two tests. Meet either one, and your business is subject to the full weight of EU data protection law.
The establishment test applies if your company has any form of presence in the EU - an office, a subsidiary, even a single employee conducting business activities within a member state. Data processing connected to that establishment falls under GDPR, regardless of where the actual servers sit.
The targeting test is broader. It applies when a company outside the EU either offers goods or services to individuals located in the EU, or monitors their behaviour within EU territory. Accepting euros on your checkout page, offering delivery to EU addresses, or running Google Analytics that captures EU visitor data can all trigger it.
Crucially, GDPR protects people based on their location, not their citizenship. A US citizen visiting Berlin gets GDPR protection for data processed during that visit. An EU citizen living in New York does not get GDPR protection for data collected while they are stateside. Where the person is at the moment of processing determines which law applies.
What GDPR Compliance Actually Requires
Once GDPR applies, the obligations are identical to those facing EU-based businesses. There is no lighter version for non-EU companies.
| Requirement | What It Means in Practice |
|---|---|
| Lawful basis (Article 6) | Every data processing activity needs a documented legal ground: consent, contract performance, legal obligation, vital interests, public task, or legitimate interest |
| Cookie consent | Non-essential cookies require informed, specific, freely given consent before they fire - not a "by continuing to browse" notice |
| Privacy notice | Clear disclosure of what data you collect, why, who receives it, and how long you keep it |
| Data subject rights | You must handle access requests, deletion requests, and portability requests within one month |
| Data Protection Impact Assessments | Required for high-risk processing - profiling, large-scale tracking, or processing special category data |
| Breach notification | Report qualifying breaches to the relevant supervisory authority within 72 hours |
| EU representative | Article 27 requires non-EU companies subject to GDPR to appoint a representative based in an EU member state |
The EU representative requirement trips up many US businesses. If you have no establishment in the EU but GDPR applies to your processing activities, you need a designated contact point within the EU for data protection authorities and data subjects to reach. Failing to appoint one is itself a compliance violation.
How EU Authorities Enforce GDPR Against US Companies
Enforcement comes from EU data protection authorities (DPAs), not US regulators. Each EU member state has its own DPA - the CNIL in France, the DPC in Ireland - and the ICO plays the same role in the UK under UK GDPR. These bodies have full investigative and sanctioning powers over any company processing EU personal data, regardless of where it is headquartered.
The fines have been substantial. Meta received a record 1.2 billion euro fine from the Irish DPC in May 2023 for transferring EU personal data to the US without adequate safeguards. The Dutch DPA fined Uber 290 million euros in 2024 for improper data transfers, and LinkedIn Ireland received a 310 million euro penalty that same year for behavioural advertising violations. TikTok was hit with a 530 million euro fine in 2025.
Smaller US companies should not assume they are beneath the radar. Unlike the CCPA, which includes revenue and data volume thresholds, GDPR has no size exemption. A five-person SaaS startup processing EU user data faces the same legal obligations as a Fortune 500 company.
The EU-US Data Privacy Framework: Cross-Border Transfers
One of the thorniest issues for US companies has been transferring personal data from the EU to US servers. The GDPR restricts such transfers unless the receiving country provides an adequate level of data protection - and the US, with its patchwork of sector-specific laws and government surveillance programmes, has historically failed that test.
Two previous frameworks - Safe Harbour and Privacy Shield - were struck down by the Court of Justice of the EU in the Schrems I (2015) and Schrems II (2020) decisions. The current mechanism, the EU-US Data Privacy Framework (DPF), was adopted in July 2023 following Executive Order 14086, which introduced new safeguards around US intelligence activities.
In September 2025, the EU General Court upheld the DPF against a legal challenge brought by French MP Philippe Latombe, confirming that US safeguards met the threshold of essential equivalence. Over 3,400 US companies now rely on the DPF to receive EU personal data.
The stability of the DPF remains uncertain, though. Latombe appealed to the Court of Justice of the EU in October 2025, and questions linger about the status of the Privacy and Civil Liberties Oversight Board under the current US administration. Companies relying solely on the DPF should maintain Standard Contractual Clauses as a backup transfer mechanism.
GDPR vs US Privacy Laws: Key Differences
The US has no federal equivalent to GDPR. Privacy protection comes from sector-specific federal laws (HIPAA, COPPA, GLBA) and a growing list of state-level comprehensive privacy laws.
As of early 2026, 19 US states have enacted comprehensive consumer privacy laws, with Kentucky, Indiana, and Rhode Island joining the list on 1 January 2026. California's CPRA remains the most expansive, but even it differs from GDPR in fundamental ways.
| Feature | GDPR | US State Laws (e.g. CCPA/CPRA) |
|---|---|---|
| Scope | All organisations processing EU personal data, no size threshold | Varies by state; most have revenue or data volume thresholds |
| Consent model | Opt-in for non-essential cookies and most data processing | Primarily opt-out; consumers must request deletion or object to sale |
| Cookie rules | Prior consent required under ePrivacy Directive + GDPR | No specific cookie consent law at federal or most state levels |
| Maximum penalties | Up to 20 million euros or 4% of global annual revenue | Varies; CCPA allows up to $7,500 per intentional violation |
| Private right of action | Limited; enforcement mainly through DPAs | CCPA allows limited private action for data breaches |
| Data transfers | Restricted to adequate countries or with safeguards | Generally no restrictions on international transfers |
The opt-in versus opt-out distinction is the single biggest practical difference. Under GDPR, your website cannot set analytics or marketing cookies until a visitor actively clicks "Accept" in a compliant consent banner. Under most US state laws, cookies can fire by default and users must opt out after the fact.
Practical Steps for US Companies
Start with a data audit: map every piece of personal data your systems collect from individuals who might be in the EU. That includes IP addresses captured by web servers, cookies set by analytics platforms, email addresses from sign-up forms, and any behavioural data from tracking pixels.
Run a cookie scan on your website to identify every cookie and tracker firing on your pages. Many US websites set dozens of third-party cookies that begin collecting data the moment a page loads. Under GDPR, every one of those non-essential cookies needs prior consent.
Implement a consent management platform that gives EU visitors a genuine choice. The banner must let users accept or reject cookie categories with equal ease - no dark patterns, no pre-ticked boxes. Google Consent Mode v2 integration ensures your analytics and ad tags respect those choices.
Update your privacy notice to include GDPR-required disclosures: legal bases for each processing activity, data retention periods, details of international transfers, and instructions for exercising data subject rights. If you have no EU establishment, appoint an EU representative and list their contact details in the notice.
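The consent gating these steps call for, shown as an added example that is not Kukie.io's code nor Google's: a small plain-JavaScript gate that keeps every non-essential tag from loading until the visitor has actually chosen, mirrors the choice into Google Consent Mode v2 signals (the signal names are Google's; the split of "analytics" and "marketing" categories across them is this example's assumption), and keeps a timestamped record of the choice. The injected `loadScript` function, the `policyVersion` argument and the sample tag URLs are assumptions made for the example; in a browser `loadScript` would append a `<script>` element and the banner's buttons would call `acceptAll`, `rejectAll` or `saveChoices`.

```javascript
// Added example (not Kukie.io's code, nor Google's): an opt-in consent gate
// that keeps non-essential tags from loading until the visitor chooses, and
// mirrors that choice into Google Consent Mode v2 signals. DOM-free so it
// runs under Node; the banner's buttons would call acceptAll/rejectAll/saveChoices.

// Categories the banner exposes. "necessary" is exempt from consent.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Consent Mode v2 storage signals controlled by each non-essential category.
// (Signal names are Google's; the category-to-signal split is this example's.)
const CONSENT_MODE_SIGNALS = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Same shape as the real gtag stub: every call is pushed onto dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Translate the category state into granted/denied signals.
function signalsFor(state) {
  const out = {};
  for (const cat of Object.keys(CONSENT_MODE_SIGNALS)) {
    for (const sig of CONSENT_MODE_SIGNALS[cat]) {
      out[sig] = state[cat] ? "granted" : "denied";
    }
  }
  return out;
}

// loadScript is injected (in a browser it would append a <script> tag) so the
// gate can be exercised without a DOM. policyVersion is whichever version of
// the cookie notice the visitor saw; it goes into the consent record.
function createConsentGate(loadScript, policyVersion, now = () => Date.now()) {
  // Opt-in default: nothing beyond strictly necessary is granted.
  const state = { necessary: true, analytics: false, marketing: false };
  const tags = [];              // every registered tag, in registration order
  const loaded = new Set();     // tags whose script has been injected
  let record = null;            // evidence of the choice (Article 7(1))

  // Google tags start in "denied" and wait briefly for the banner's answer.
  gtag("consent", "default", { ...signalsFor(state), wait_for_update: 500 });

  function loadIfAllowed(tag) {
    if (state[tag.category] && !loaded.has(tag.name)) {
      loaded.add(tag.name);
      loadScript(tag.src);
    }
  }

  function registerTag(name, category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    const tag = { name, category, src };
    tags.push(tag);
    loadIfAllowed(tag);         // only "necessary" passes before any choice
  }

  function applyChoices(choices) {
    for (const cat of CATEGORIES) {
      if (cat !== "necessary") state[cat] = choices[cat] === true;
    }
    record = { choices: { ...state }, policyVersion, timestamp: now() };
    gtag("consent", "update", signalsFor(state));
    tags.forEach(loadIfAllowed);
    // A script already loaded cannot be unloaded here; withdrawal is honoured
    // through the updated Consent Mode signals and on the next page load.
    return { ...state };
  }

  return {
    registerTag,
    // Accept and reject are one call each: equal effort, no pre-ticked boxes.
    acceptAll: () => applyChoices({ analytics: true, marketing: true }),
    rejectAll: () => applyChoices({}),
    saveChoices: applyChoices,
    getState: () => ({ ...state }),
    getRecord: () => (record ? { ...record, choices: { ...record.choices } } : null),
    loadedTags: () => Array.from(loaded),
  };
}
```

Two design points matter in practice. The `gtag('consent', 'default', ...)` call has to run before any Google tag script is injected, which is why the gate issues it at construction time rather than when the banner renders. And because a tag that has already been loaded keeps running on the current page, withdrawal of consent is only fully effective on the next page load; the record returned by `getRecord()` is what you would persist (with the notice version the visitor saw) to demonstrate that consent was obtained, as Article 7 requires.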
Frequently Asked Questions
Does GDPR apply to a US company with no European office?
Yes. Under Article 3(2), GDPR applies to any organisation that offers goods or services to people in the EU or monitors their behaviour within EU territory, regardless of where the company is based. If your website collects data from EU visitors through cookies or analytics, GDPR likely applies.
Can EU data protection authorities actually enforce fines against US businesses?
EU DPAs have issued billions of euros in fines against US companies including Meta, Uber, and LinkedIn. While cross-border enforcement can be complex, companies with EU customers, bank accounts, or commercial interests face real financial and operational consequences for non-compliance.
Does GDPR protect EU citizens living in the United States?
Generally no. GDPR protects individuals based on their physical location at the time of data processing, not their citizenship. An EU citizen residing in the US falls under US privacy laws for data collected while they are on American soil.
Is there a US federal law equivalent to GDPR?
No. The US has no comprehensive federal privacy law. Proposals like the American Privacy Rights Act (2024) have not been enacted. Instead, privacy is governed by sector-specific federal laws (HIPAA, COPPA, GLBA) and a growing patchwork of state laws, with 19 states having comprehensive privacy legislation as of early 2026.
What is the EU-US Data Privacy Framework and does it replace GDPR compliance?
The DPF is a mechanism for transferring personal data from the EU to certified US organisations. It does not replace GDPR compliance. US companies still need to meet all GDPR requirements for processing EU personal data - the DPF only addresses the legality of the cross-border transfer itself.
Do small US businesses need to comply with GDPR?
GDPR has no revenue or size thresholds. If a small US business processes personal data of individuals in the EU - even through a basic website with analytics cookies - it falls within GDPR's scope. The obligations are identical regardless of company size.
What cookies on my US website require GDPR consent from EU visitors?
All non-essential cookies require prior opt-in consent from EU visitors. This includes analytics cookies (such as Google Analytics), advertising and remarketing cookies, social media tracking pixels, and any third-party cookies. Only strictly necessary cookies - those essential for basic site functionality - are exempt.
Get Your Website Ready for EU Visitors
If your website attracts traffic from the EU and sets cookies beyond what is strictly necessary, GDPR applies to those visitors. Kukie.io scans your site for every cookie and tracker, categorises them automatically, and presents EU visitors with a compliant consent banner - with geo-detection to apply the right rules to the right audience.