In my experience, many U.S.-based companies operating online have customers from the European Union (EU) or other parts of the European Economic Area (EEA).
If you own one of those sites and it interacts with those customers, then your business is subject to the EU’s General Data Protection Regulation (GDPR).
The GDPR is a comprehensive data privacy regulation that affects many U.S. entities due to its extraterritorial scope.
Join me as I cover the requirements for GDPR compliance in the U.S., explain why your business might fall under its legal purview, and offer easy solutions to implement that will help you meet all necessary business obligations.
Does the GDPR Apply to the US?
The short answer is yes; the GDPR applies to the U.S. in several ways.
You can find a description of the GDPR’s extraterritorial scope in Article 3 of the text.
U.S. companies fall under the jurisdiction of the GDPR as either data controllers or data processors. In short, data controllers are entities that decide how specific data is used, and data processors are entities that use, store, or transfer that data in some way.
If your website provides goods or services to EU or EEA citizens and/or collects personal information about them, then you must meet all of the GDPR’s business requirements.
Additionally, the GDPR protects citizens of the U.S. as data subjects, but only when they’re visiting the EU or other EEA countries. The protection only applies while they are using the internet in those territories.
In the following sections, I’ll dive deeper into how the GDPR applies to U.S. companies, citizens, and more.
Does the GDPR Apply to US Companies?
Yes, the GDPR applies to any U.S. company that processes personal information and meets either of the following requirements:
- Provides goods or services accessible to consumers in the EU or EEA, even if no monetary transaction is required
- Monitors the behavior of users in the EU or EEA, which means collecting, using, or analyzing information about those users
The GDPR doesn’t impose a size or revenue threshold on companies like some U.S. state data privacy laws, namely the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (CDPA).
Instead, a U.S.-based company of any size may qualify as a data controller under the GDPR, which Article 4 defines as:
“… the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
Simply put, a data controller is an entity that decides why and how personal information is used.
Alternatively, companies in the U.S. can qualify as a data processor, which is defined in Article 4 to mean:
“… a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Data processing under the GDPR refers to the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available sets of personal data.
To clarify when the GDPR applies, below are some hypothetical examples of how different U.S. businesses are affected.
|Does It Fall Under the GDPR?
|#1: The ecommerce website of a New York-based clothing store that ships orders to several major European cities, like Paris and Berlin.
|✅ GDPR Applies
|This business sells goods to consumers in the EU and EEA and monitors the behaviors of data subjects in those regions.
|#2: The portfolio website of a Los Angeles-based freelance travel writer who writes in French and accepts commissions from publications in France.
|✅ GDPR Applies
|This business targets French citizens and monitors their behaviors while they’re in the EU/EEA.
|#3: A Chicago-based coffee shop that accepts online orders for deliveries within a 3-mile radius.
|❌ GDPR Does Not Apply
|This business doesn’t serve or target EU or EEA consumers and doesn’t monitor the behavior of consumers in those regions.
|#4: A website that facilitates language exchange meetups in Houston, Texas.
|❌ GDPR Does Not Apply
|This business targets Houston-area residents, not EU or EEA consumers. It also only monitors the behavior of consumers in the US.
Does the GDPR Apply to US Citizens?
Yes, the GDPR applies to U.S. citizens physically located in a protected EU or EEA country.
The GDPR uses the term data subjects in Article 3 when referring to the people whose data gets processed, but it doesn’t mention citizenship or nationality. This omission means that the scope of the GDPR is not nationality-based but rather location-based, so we need to consider where the data subject is located when their information is processed.
In the table below, I created hypothetical examples of when the GDPR does and doesn’t protect U.S. citizens.
|Does the GDPR Apply?
|A U.S. tourist visits France on vacation and uses food delivery apps during their visit.
|✅ GDPR Applies
|This individual was in a GDPR-protected region at the time they used the food delivery services that are based in the EU.
|A man from New York stays in Spain on a year-long work permit and signs up for Netflix while living there.
|✅ GDPR Applies
|This individual was in a GDPR-protected country at the time of signing up for Netflix, a company that collects personal information from users.
|A person from Boston visits Iceland, which is in the EEA, and uploads content to their TikTok when they return home.
|❌ GDPR Does Not Apply
|Even though the videos used for the TikToks were recorded in Iceland, the data itself is uploaded while the subject is back in the US, which is not a GDPR-protected country.
Does the GDPR Apply to EU Citizens in the US?
Now here’s where things get interesting — because of the location-based scope, if an EU citizen is in the U.S., the GDPR no longer applies to them.
The data subject’s location takes precedence over their citizenship when determining the applicability of the GDPR, so the regulation doesn’t protect EU citizens who are traveling or living in the US.
Although the GDPR might not apply, other U.S. state privacy laws may similarly protect their data, such as:
- California Online Privacy Protection Act (CalOPPA)
- Children’s Online Privacy Protection Act (COPPA)
- California Consumer Privacy Act (CCPA)
- Virginia Consumer Data Protection Act (CDPA)
Does the GDPR Apply to the US Government?
Yes, the GDPR applies to the U.S. Government, meaning that federal and state agencies must follow the directives of the regulation because the GDPR doesn’t make blanket exceptions to governmental or public agencies.
Thus, if the U.S. government targets or processes the personal data of EU/EEA-based users, it’s expected to comply with the GDPR, as is the case for all non-EU/EEA public agencies.
However, Article 2 excuses government agencies from complying with specific provisions of the regulation as long as the processing of personal data is for reasons beneficial to the public interest, like preventing, investigating, and prosecuting criminal offenses or threats to public safety.
But, because the U.S. is not an EU member state, these exemptions don’t apply. In other words, the U.S. Government must still meet all obligations outlined in the GDPR.
GDPR Requirements for US Companies
Now that you know that your U.S. business falls under the jurisdiction of the GDPR, you might be wondering how to meet all of its requirements.
Let me break this down into seven simple steps.
Step 1: Perform a Privacy Audit
To adequately follow all GDPR requirements, I recommend performing a privacy audit to determine every bit of personal information that your website collects from users.
- Keep track of the specific types of data collected, such as IP addresses, names, email addresses, etc.
- Don’t forget to include cookies and trackers, which you can find by running your site through a website cookie scanner.
- Note any special categories of information you might gather, like sensitive personal data.
While this step is not a legal requirement by the GDPR, it will help make it easier for your business to ensure full compliance.
Step 2: Determine Your Legal Basis for Processing Information
Now that you know what data your website collects from users, establish your legal basis for the data processing, as outlined in Chapter 2, Article 6 of the regulation.
The six legal bases outlined by the GDPR include:
- Legitimate Interest
- Consent of the data subject
- Contractual necessity
- Vital interest of the user or another person
- Legal obligation
- Public interest or by the directive of the data controller
According to Chapter 3, Article 13 of the regulation, you must inform data subjects about the details of your data processing practices when you obtain the information from them.
- What personal information you collect from data subjects
- How you collect the personal information
- The legal basis for why you collect the personal information
- What categories of personal information you collect (sensitive, non-sensitive, or criminal)
- How long you store the personal information for
- Who you share the personal information with
- An explanation of the rights data subjects have over their personal information
Step 4: Obtain, Track, and Log User Consent
If consent is one of the legal bases you use for processing personal information, you’ll need to obtain, track, and log the consent choices of your data subjects to comply with the GDPR as outlined in Chapter 2, Article 7.
You’ll need to maintain an accurate log of their consent choices for as long as you use their data.
You may be able to do all of this on your own, but I recommend you use an automated solution, like our Cookie Consent Manager, to simplify the entire process.
Step 5: Use Compliant Data Processing Agreements
If you plan on working with any third-party entities that have access to or process your user’s data, you’ll need to create and sign contracts that meet specific GDPR requirements outlined in Chapter 4, Article 28.
These contracts, also called Data Processing Agreements, are entered into by the data controller and the data processor.
A DPA obligates a data processor to:
- Agree to only process data on the written instructions of the data controller.
- Maintain confidentiality over the personal information involved in the processing.
- List all measures guaranteeing the security of the personal information.
- Receive consent from the controller to outsource any delegated functionality.
- Assist the controller in complying with the GDPR regarding the rights of the data subjects and with duties outlined in Articles 32 and 36 of the regulation relating to the security of processing and prior consultation.
- Delete all personal information collected on behalf of the controller after the termination of the contract.
- Be audited by the data controller as necessary.
Both parties must agree to the specific terms of the DPA and sign it.
Step 6: Follow the Data Security and Storage Guidelines
US businesses considered a controller or a processor under the GDPR must also follow data security and storage guidelines to ensure that users’ personal information is kept safe from breaches or leaks.
In Article 32, the regulation suggests the following security measures::
- Pseudonymize and encrypt data
- Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Provide the ability to restore the availability and access to data promptly in the event of an incident
- Implement a process of testing, assessing, and evaluating the effectiveness of the technical and organizational measures
The controller and processor are responsible for implementing the appropriate controls and security measures to protect data subject rights.
Step 7: Abide by All International Data Transfer Requirements
Currently, EU leaders have not approved a legal framework allowing for the international transfer of personal data from the EU/EEA to the U.S. without prior authorization — this means U.S. companies must follow the guidelines written in Chapter 5, Article 46 of the GDPR.
Your business must ensure that you’re providing all adequate measures outlined by the regulation and provide data subjects with a way to adequately and effectively exercise their privacy rights. This means fulfilling and documenting Steps 1-6 in such a way that your business can prove appropriate safety for your data subjects.
European Union and American leaders are currently debating over the EU-US Data Privacy Framework, which, if passed, would act as an effective adequacy decision under the GDPR.
GDPR Enforcement in the US
In the U.S. and the rest of the world, different supervisory authorities from the various EU member states enforce the GDPR. These individuals are called Data Protection Authorities.
U.S. businesses — or any other entity — that commit a GDPR infraction are subject to fines of up to €10 million ($12 million) or 2% of your gross annual revenue from the previous fiscal year, whichever is higher.
Additionally, if your company has any presence or assets in the EU/EEA, such as bank accounts, real estate, or servers, it could get seized for GDPR noncompliance.
If you don’t have any assets in the EU/EEA, you must appoint a representative who is physically based in the EU to act as your liaison. This individual is called a Data Protection Officer. If a GDPR violation occurs involving your U.S.-based business, they become the channel through which the fines are levied.
GDPR Fines for US Companies
Companies from the U.S. have received countless fines for GDPR noncompliance since the regulation came into force years ago.
The national enforcement agencies of various EU/EEA member states have the legal means to enforce noncompliance fines and penalties on companies outside their territory.
In the table below, I highlight a few of the biggest GDPR fines levied against U.S. companies in recent years.
Headquartered in California
|€60 million ($66 million)
Headquartered in California
|€60 million ($66 million)
Headquartered in California
|€405 million ($403 million)
|Irish Data Protection Commissioner
|Violating rules relating to the processing of children’s data without a legal basis.
|€20 million ($22 million)
|Italian Privacy Regulator
|Processing biometric and geolocation data without an appropriate legal basis.
Some businesses — like many U.S. news sites — actively block their websites from EU users to avoid fines, but they risk losing customers permanently (Reuters).
One thing’s certain, GDPR non-compliance can be expensive for American businesses operating in the EU/EEA.
Are Any US Entities Exempt From the GDPR?
Some U.S. entities are fully exempt from the GDPR and don’t have to worry about complying with the different facets of this regulation.
Specifically, U.S. entities that don’t provide goods or services to EU or EEA consumers or monitor their behaviors don’t have to follow the regulation.
In other words, if your website doesn’t interact with anyone from the EU or EEA, you don’t have to worry about following the GDPR.
According to Article 30, Part 5 of the text, businesses employing less than 250 people don’t have to follow some of the record-keeping requirements outlined by the law. However, this is not a total exemption and does not release small companies from the steps outlined above.
How Can Termly Help US Companies Comply?
Termly’s full suite of data privacy solutions can help U.S. companies fully comply with the GDPR. My favorite part? You can conveniently manage everything all in one place directly from your Termly dashboard.
We also provide a Consent Management Platform (CMP) that you can use to meet all GDPR consent requirements, like obtaining and logging consent choices from your EU and EEA users.
Below, see one example of how to configure our consent banner for GDPR compliance, which you can set up based on the regional location of your users.
Termly’s Director of Global Privacy, Masha Komnenic, helps ensure our legal team and data privacy experts vet our policy generators, templates, and tools. We update them regularly so that you can keep up with new and changing data privacy laws.
FAQs About GDPR Compliance in the US
Below I took the time to answer some of the most frequently asked questions we get about the GDPR in the US.
How does the GDPR affect US companies?
The GDPR affects U.S. companies because it applies to any website that collects personal information and has consumers from the EU or EEA, regardless of the location of the business.
US websites that offer goods to EU and EEA residents or those who monitor the behavior of users in those regional territories must follow all obligations outlined by the GDPR, or they could potentially face significant fines for violating the regulation.
When do US companies need to comply with the GDPR?
US companies need to comply with the GDPR when they offer goods or services to consumers in the EU or EEA or monitor their online behavior.
The GDPR explains its territorial scope in Article 3 of the text.
What is the US equivalent of the GDPR?
The US equivalent of the GDPR is the CCPA. The CCPA (or California Consumer Privacy Act) was inspired by the GDPR, and both laws were created to protect the personal data of online consumers.
The GDPR applies to businesses that collect data from users in the EEA (European Economic Area), while the CCPA applies to businesses that collect data from California residents.
Does the GDPR apply to US websites?
Yes, the GDPR does apply to US websites that collect the personal data of EEA residents. Personal data includes any identifying information, such as names, contact information, and device details. Non-compliance with the GDPR could lead to fines and legal penalties, even for US websites.
What is personal data in the US according to the GDPR?
The GDPR defines personal data as any information that can identify an individual, either directly or indirectly, like names, identification numbers, location data, or online identifiers. This definition applies to businesses in the U.S. and other parts of the world.
What happens if US companies don’t comply with the GDPR?
If U.S. companies don’t comply with the GDPR and the infringement is unintentional, they could receive a fine of up to €10 million ($12 million) or 2% of their gross annual incomes from the previous year, whichever is higher. Intentional violations are subject to fines of up to €20 million or 4% of their yearly income.
You must also stop the data collection practices that didn’t comply with the GDPR and remedy the situation.
Which organization can penalize US companies for noncompliance?
The supervisory authorities in the different EU Member States enforce the GDPR in the U.S. If you violate the regulation, you may need a physical representative in the EU or EEA who acts as your liaison.
Now you know with certainty that, despite being a European-based regulation, the GDPR affects U.S. companies, citizens, and federal and state governments.
Because the regulation protects data subjects based on their location when the information processing occurs, it applies to anyone within an EU or EEA country regardless of their nationality or citizenship status.
Likewise, businesses in the U.S. and around the globe fall under the jurisdiction of the GDPR if they process personal information about an individual within those protected territories.
Any U.S. company that serves customers in the EU or EEA — or tracks their behaviors — must fully comply with the GDPR, or they may suffer financial consequences.