How US Companies Can Achieve GDPR Compliance in 2026

Shubham S.
May 25, 2026
26 min read

Most US companies believe GDPR is Europe's problem. Then they get a letter from the Irish Data Protection Commission.

That's how it usually goes. A US-based SaaS company, headquartered in Austin or New York, with no EU office, starts seeing traffic from Germany and France. They add a cookie banner, write a privacy policy, and assume they're fine. Then a data subject complaint lands. Or an enterprise buyer in Munich asks for a GDPR compliance statement before signing a contract. Or worse, an enforcement action starts.

The reality is simpler and harder than most US companies expect: GDPR doesn't care where your office is. It cares where your users are.

Under Article 3 of the regulation, two triggers determine whether GDPR applies to you. You don't need an EU address for either one. This guide walks through those triggers, then covers the nine core obligations, the EU-US data transfer rules, how enforcement and fines work, and a step-by-step compliance checklist built specifically for US companies.

Not sure if GDPR applies to your US company? Get a free compliance assessment from ComplyJet in minutes.

Does GDPR Apply to US Companies?

The short answer is yes for most companies that have EU website visitors, EU customers, or EU employees.

The longer answer requires examining exactly how GDPR defines its own scope. And that's where most US companies get it wrong. They read "European Union regulation" and stop there. But the regulation itself says something different.

An image showing conditions for which GDPR applies to a company

Article 3 - The Two Legal Triggers

GDPR lays out its scope in Article 3. There are two separate ways the regulation can apply to your organization. Either one is enough.

Trigger 1 - Establishment (Article 3(1))

If you have a "stable arrangement" in the EU, you're caught. This doesn't mean a full subsidiary or registered office. A single employee based in an EU member state who handles sales for EU clients qualifies. A branch office in the Netherlands qualifies. A contracted sales rep in France with authority to act on your behalf can qualify. (Note that the UK is no longer in the EU; a London-based employee brings you under the separate UK GDPR, not the EU regulation.)

Example: A US SaaS company with a Dublin-based sales rep who manages EU accounts is likely caught under Article 3(1), even with no other EU presence. Processing EU customer data in the context of that representative's activities connects the company to EU jurisdiction.

Trigger 2 - Targeting (Article 3(2))

Even with zero EU presence, GDPR applies if you're offering goods or services to EU individuals, or monitoring their behavior. This is what catches most US companies off guard.

"Monitoring behavior" includes tracking website visitors with cookies, pixels, analytics tools, and retargeting ads. If you run GA4 on a site visited by people in Germany, you are monitoring their behavior under GDPR's definition.

What Counts as Targeting EU Users?

The European Data Protection Board has been clear on this: merely having a website accessible from the EU is not enough. But most US businesses go well beyond that. Here's a practical decision table:

Signal | GDPR triggered?
--- | ---
Website merely accessible from the EU | No
Prices displayed in EUR | Yes
EU shipping options at checkout | Yes
EU countries in the checkout dropdown | Yes
EU language versions of your site | Yes
Google Ads campaigns targeting EU audiences | Yes
Cookie/pixel tracking of EU visitors | Yes
EU-focused blog content or case studies | Likely yes

The pattern is clear. If you've made any deliberate effort to serve, reach, or understand EU users, you're targeting them. That triggers GDPR.

Does GDPR Apply to EU Citizens?

This one trips up a lot of people. GDPR protects people who are in the EU (Article 3(2) speaks of "data subjects who are in the Union"), not EU citizens as such.

A French citizen living in New York is not protected by GDPR when interacting with US services in the US. An American tourist visiting Paris is protected while they're there. Residency and physical location at the time of processing determine applicability, not passport.

This matters practically. If you're processing data of someone you know who is an EU resident, or if you're tracking behavior on your EU-targeted site, GDPR applies. If a French expat uses your US-only service from New York, it likely doesn't.

What Does it Mean to Have GDPR Compliance for US Companies?

Once you've confirmed GDPR applies, the next question is what it actually requires. And here's where the gap between US law and GDPR becomes very real.

Personal Data Under GDPR vs. US Law

US data breach laws define personal data narrowly. They focus on combinations like name plus Social Security number, financial account details, or medical record numbers. GDPR's definition is much broader.

Data type | US breach law | GDPR
--- | --- | ---
Name + SSN | Yes | Yes
IP address | No | Yes
Cookie ID / device ID | No | Yes
Behavioral / browsing data | No | Yes
Location data | No | Yes
Pseudonymized data | No | Yes (if re-identifiable)

The takeaway here is significant: if you run Google Analytics, use Facebook Pixel, or track any behavioral data about EU visitors, you are already processing personal data under GDPR. Most US companies are unknowingly out of compliance before they've even looked at a privacy policy.

Controller vs. Processor: Which One Are You?

This distinction matters because your obligations differ depending on your role.

A controller decides why and how personal data is processed. That's most US businesses. You decide to collect email addresses for a newsletter. You decide to use GA4 to track user behavior. You are the controller.

A processor handles data on a controller's behalf. Mailchimp processes your email list. AWS stores your customer data. HubSpot manages your CRM. Under Article 28, you need a signed Data Processing Agreement (DPA) with every processor before they touch EU personal data. Read the role each vendor claims in its DPA rather than assuming it: some vendors, payment providers such as Stripe in particular, act as independent controllers for part of what they do (their own fraud prevention and regulatory obligations), and a processor DPA does not cover those activities.

Joint controllers exist, too. If you run a co-marketing campaign with a partner and you both have access to the same EU lead data, you may be joint controllers. That creates shared liability.

The practical implication: you are responsible for ensuring your processors comply. Their data breach is your GDPR problem too.

How Does GDPR Affect US Companies? The 9 Core Requirements

Once GDPR applies, the obligations below follow regardless of where you are headquartered. For US companies, nine of them account for most of the work and most of the enforcement. Cross-border transfers (requirement 6) are the most heavily scrutinized area for US companies and get a dedicated section further down; the challenge there is not just where the data is stored, but whether EU personal data remains protected once it becomes accessible under US jurisdiction.

An image showing the 9 core requirements US companies are scrutinized on under GDPR

1. Data Mapping and Audit - Article 30

Before you can comply with anything, you need to know what data you have and where it lives.

Article 30 requires most organizations to maintain a Record of Processing Activities (ROPA). The exemption for organizations with fewer than 250 employees only applies if processing is "occasional," unlikely to result in a risk to individuals, and doesn't involve special category or criminal-conviction data, which rules out almost every SaaS, e-commerce, or marketing company, regardless of size.

Your ROPA should document: who you are as a controller, the purposes of each processing activity, what categories of data are involved, who you share data with, where data is transferred (including US-EU flows), how long you keep it, and what security measures are in place.

The practical starting point: list every tool that touches EU visitor or customer data. For most companies, that's GA4, HubSpot, Salesforce, Stripe, Zendesk, Intercom, and your cloud hosting provider. 

2. Legal Basis for Processing (Article 6)

Under GDPR, you cannot process personal data unless you have a documented legal reason. This is fundamentally different from US law, where the default is that you can use data unless something prohibits it. GDPR flips that.

There are six lawful bases:

Legal basis | When to use | US company examples
--- | --- | ---
Consent | Affirmative opt-in required | Newsletter signup, non-essential cookies
Contract | Processing needed to fulfill a purchase | Delivering a paid service, sending a receipt
Legitimate interest | Genuine business need that doesn't override user rights | Fraud prevention, B2B outreach to company contacts
Legal obligation | Required by law | Tax records, employment records
Vital interest | Life or death situation | Rarely applicable in business
Public task | Public authority function | Rarely applicable to US private companies

Two things US companies consistently get wrong here. First, they assume consent is the answer for everything. It isn't, and consent is actually the hardest basis to maintain correctly. Second, they use Legitimate Interest without doing a proper Legitimate Interests Assessment (LIA). Regulators scrutinize this heavily. If you claim it, document why.

One more thing: pre-ticked boxes, bundled consent, and consent tied to service access are all invalid under GDPR.

3. Privacy Policy Requirements (Articles 13 & 14)

A US-style privacy policy typically covers what data you collect and how to contact you. That falls well short of GDPR's transparency requirements.

Under Articles 13 and 14, your privacy notice must also include: the legal basis for each processing activity, your Legitimate Interests rationale (if applicable), what transfer mechanisms you use for EU-US data flows, the right to lodge a complaint with a supervisory authority, details on any automated decision-making or profiling, and retention periods per data category.

The "plain language" requirement is real. Regulators have fined companies specifically for privacy notices that are too complex for ordinary users to understand. Legal jargon doesn't pass the standard.

4. Cookie Consent and Consent Management

An image showing cookie consent compliance in accordance with GDPR

This is the most visible compliance gap for US companies, and the one most likely to generate complaints from EU users.

Non-essential cookies and similar trackers (analytics, advertising, personalization) cannot fire until a user actively opts in. Not on page load. Not with a pre-ticked box. Only after an explicit, informed opt-in. Strictly necessary cookies (session, load balancing, storing the consent choice itself) are exempt. The cookie rule itself comes from Article 5(3) of the ePrivacy Directive as implemented in each member state; it borrows GDPR's definition of consent, which is why GDPR's consent standard governs cookie banners.

A compliant Consent Management Platform (CMP) must:

  • Present clearly labeled cookie categories.
  • Give the Accept and Reject options equal visual prominence.
  • Contain no dark patterns (no hiding the reject button, no guilt language like "No thanks, I hate savings").
  • Fire no non-essential scripts until consent is granted. This must be technically verified, not just stated in the banner.
  • Log every consent decision with a timestamp, the version of the notice shown, and a user identifier.
  • Allow easy withdrawal of consent at any time.

That last point about logging is often missed. If a regulator asks you to prove that user X gave valid consent on a specific date, you need to produce that record. No log means no proof. No proof means no valid consent.
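As an added example (not code from this article or from any CMP product), here is a minimal consent gate in JavaScript that does what the list above asks for: it holds non-essential scripts back until an explicit decision, treats anything not affirmatively granted as refused, records every decision with a timestamp, the notice version and a visitor identifier, and re-closes after withdrawal. The category names, the NOTICE_VERSION string and the visitor id are assumptions chosen for illustration. In a real page the loader callbacks would inject script tags; here they only record what would have loaded, so the gate can be checked without a browser.

```javascript
// Added example, not code from the article or any CMP product.
// Assumptions for illustration: three non-essential categories, a notice
// version string, and a visitor id the site already assigns.

const NOTICE_VERSION = "privacy-notice-2026-05-v3"; // assumption: id of the notice text shown

class ConsentGate {
  constructor(visitorId, now = () => new Date()) {
    this.visitorId = visitorId;
    this.now = now;                       // injectable clock so the walk-through is deterministic
    this.decisions = { analytics: false, advertising: false, personalization: false };
    this.pending = {};                    // category -> scripts waiting for consent
    this.loaded = [];                     // names of scripts that were allowed to run
    this.log = [];                        // one record per decision, to be persisted server-side
  }

  // Register a script. Essential scripts run at once; everything else waits for
  // an affirmative decision for its category, so nothing non-essential fires on page load.
  register(name, category, loader) {
    if (category === "essential") { this.run(name, loader); return; }
    if (!(category in this.decisions)) throw new Error(`unknown category: ${category}`);
    if (this.decisions[category]) { this.run(name, loader); return; }
    if (!this.pending[category]) this.pending[category] = [];
    this.pending[category].push({ name, loader });
  }

  run(name, loader) { loader(); this.loaded.push(name); }

  // Record an explicit decision. Any category not set to true is treated as
  // refused, which makes "Reject all" and a half-filled preferences form safe.
  // Returns the record so the caller can persist it.
  decide(choices, method) {
    const record = {
      visitorId: this.visitorId,
      timestamp: this.now().toISOString(),
      noticeVersion: NOTICE_VERSION,
      method,                             // e.g. "banner-accept-all", "preferences", "withdrawal"
      choices: {},
    };
    for (const category of Object.keys(this.decisions)) {
      const granted = choices[category] === true;
      record.choices[category] = granted;
      this.decisions[category] = granted;
    }
    this.log.push(record);
    this.flush();
    return record;
  }

  // Withdrawal is a decision that grants nothing. Scripts already executed cannot
  // be un-run; a real site must also delete their cookies and stop sending events.
  // Later registrations (the next page view) stay gated.
  withdraw() { return this.decide({}, "withdrawal"); }

  // Release scripts whose category has now been granted.
  flush() {
    for (const category of Object.keys(this.pending)) {
      if (!this.decisions[category]) continue;
      for (const { name, loader } of this.pending[category]) this.run(name, loader);
      this.pending[category] = [];
    }
  }
}

// Constructed walk-through: three scripts registered at page load, then a
// preferences dialog grants analytics only.
function demo() {
  const gate = new ConsentGate("v-7f3a", () => new Date("2026-05-25T10:00:00Z"));
  gate.register("session-cookie", "essential", () => {});
  gate.register("ga4", "analytics", () => {});
  gate.register("ad-pixel", "advertising", () => {});
  const beforeConsent = gate.loaded.slice();            // only the essential script
  const record = gate.decide({ analytics: true }, "preferences");
  const afterConsent = gate.loaded.slice();             // essential + ga4; the pixel is still held
  return { beforeConsent, afterConsent, record };
}
```

The part worth copying is the default-deny in `decide`: the gate never infers a grant from silence, a closed banner, or a missing key, which is the behaviour a regulator checks for. The record it returns is what you keep for the "prove user X consented on date Y" question; store it server-side with the notice text that version number refers to.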

5. Data Subject Rights (Articles 15-22)

EU residents have eight enforceable rights over their data. You need a documented process to handle each one. Requests can come in any format, such as email, phone call, web form, or even verbally. You must be able to recognize them and respond.

Your DSAR (Data Subject Access Request) workflow needs four stages: receive the request, verify the requester's identity, fulfill the request across all systems where their data exists, and log the outcome. You must respond without undue delay and at the latest within one month of receiving the request (Article 12(3)).

You can extend the one-month deadline by two additional months for complex requests, but you must notify the person within the first month that you're doing so and why.

6. EU-US Data Transfers (Chapter V)

This is a separate, critical area covered in detail in the dedicated section below. The short version: transferring EU personal data to US servers requires a specific legal mechanism. "Our servers are secure" is not a mechanism.

7. Data Processing Agreements (Article 28)

Every third-party vendor that processes EU personal data on your behalf must have a signed DPA before you send them data.

A compliant DPA must specify: the subject matter and duration of processing, the nature and purpose of processing, the categories of personal data and data subjects, and a clear set of obligations on the processor, including following your instructions, maintaining confidentiality, implementing appropriate security, helping you respond to data subject requests, deleting or returning data when the contract ends, and cooperating with audits.

The good news: AWS, Google Cloud, Stripe, HubSpot, Salesforce, and most enterprise vendors publish standard GDPR DPAs. Most are available without a sales call. If a vendor can't provide one, that's a red flag.

8. Data Breach Notification (Articles 33 & 34)

GDPR's breach notification requirement has two tiers.

An infographic showing the GDPR breach notification timeline

Tier 1: Notify the supervisory authority within 72 hours of becoming aware of a breach that is "likely to result in a risk to the rights and freedoms of natural persons." If you have an EU establishment, you notify its lead supervisory authority. A company caught only under Article 3(2), with no EU establishment, cannot use the one-stop-shop mechanism even if it has an Article 27 representative, and should expect to notify the authority in each member state where affected individuals are located. The notification must include: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures you've taken or plan to take.

Tier 2: Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. High risk means potential identity theft, financial loss, discrimination, or significant psychological harm.

For US companies, the 72-hour window is a significant operational challenge. Most US state breach notification laws allow 30 to 60 days, or simply "without unreasonable delay." GDPR gives you three days from awareness, not from completion of a forensic investigation. You notify with what you know and update as you learn more; Article 33(4) expressly allows notifying in phases.

9. EU Representative (Article 27)

If GDPR applies to you under Article 3(2), the targeting trigger, and you have no EU establishment, you must appoint an EU representative.

Exceptions exist for organizations that process data only occasionally, don't handle special category data, and are unlikely to pose a risk to individuals' rights. In practice, any US company with regular EU traffic, active EU customers, or any form of EU-targeted marketing does not qualify for this exception.

Your EU representative must be named in your privacy policy. They act as the point of contact for EU supervisory authorities and data subjects. Critically, appointing a representative does not reduce your liability as the controller; it just gives regulators and individuals a local contact to reach.

Specialist EU representative services are available for US companies. This is typically a low-cost compliance step that many companies delay unnecessarily.

EU-US data transfers are one of the most enforced areas of GDPR. See if your vendor DPAs and transfer mechanisms are actually compliant. Get a free transfer mechanism review.

EU-US Data Transfers: The Technical Rules

Cross-border data transfers sit at the center of GDPR enforcement, especially when EU personal data moves into US-controlled systems or services. 

For organizations using global cloud infrastructure, SaaS platforms, or distributed teams, understanding these transfer restrictions is essential to maintaining lawful data flows and avoiding compliance exposure.

An image showing data transfer mechanisms for EU-US flows.

Why EU-US Data Transfers Are Regulated

The EU has no adequacy decision for the United States as a whole. That means, in the EU's legal assessment, US law does not provide equivalent protection for personal data compared to the GDPR. US surveillance laws, particularly FISA 702 and Executive Order 12333, give US government agencies access to data in ways that EU law prohibits for EU residents.

As a result, any transfer of EU personal data to the US, including to your own cloud infrastructure, is unlawful unless you have a valid transfer mechanism in place. (Article 49 lists narrow derogations, such as explicit consent to a specific transfer, but they are meant for occasional, non-repetitive transfers and cannot carry a routine data flow.)

"Transfer" is broad. It covers: data stored on US cloud servers, remote access by US-based staff to EU personal data, multi-region cloud deployments with US nodes, and API calls that send EU data to US-hosted services.

Transfer Mechanism 1 - EU-US Data Privacy Framework (DPF)

The Data Privacy Framework was adopted in July 2023 and replaced the invalidated Privacy Shield. Under the DPF, the EU issued an adequacy decision for US companies that self-certify with the US Department of Commerce. Once certified, EU personal data can flow to your organization without additional transfer mechanisms.

Eligibility requires FTC or Department of Transportation jurisdiction, which covers most US private sector companies.

To certify: visit dataprivacyframework.gov and complete the self-certification process. Annual renewal is required. The DPF is active and valid as of May 2026. Ongoing legal challenges exist from privacy advocacy groups, so monitoring the status is wise, but the framework is currently a fully valid transfer mechanism.

Transfer Mechanism 2 - Standard Contractual Clauses (SCCs)

SCCs are pre-approved contract clauses issued by the European Commission that provide a valid legal basis for EU-US transfers when included in your agreements with EU parties or processors.

The European Commission adopted updated SCCs in June 2021, after the Schrems II ruling. The older 2001, 2004 and 2010 sets can no longer be relied on; the transition period for existing contracts ended on 27 December 2022. There are four modules covering different transfer scenarios:

  • Controller to Controller
  • Controller to Processor
  • Processor to Processor
  • Processor to Controller

Using SCCs now requires a Transfer Impact Assessment (TIA). The TIA documents whether US surveillance laws (FISA 702, EO 12333) could prevent the data importer from meeting its SCC obligations. If the answer is yes, additional safeguards are needed, typically strong encryption where the US company does not hold the decryption keys.

In practice, most major US SaaS vendors include updated SCCs in their DPA. If your vendor's DPA doesn't reference the 2021 SCCs and they're processing EU data, that is an active compliance gap.

Transfer Mechanism 3 - Binding Corporate Rules (BCRs)

BCRs are internal rules approved by a lead EU supervisory authority that allow personal data transfers within a corporate group. They require 1-2 years to get approved and involve significant legal investment.

BCRs are only practical for large multinationals with EU subsidiaries. For most US SMBs and mid-market companies, DPF certification or SCCs are the right path.

GDPR-Compliant File Transfer Practices

Every individual flow needs a valid mechanism: an email with personal data attached, an FTP sync, a cloud backup, an API call, a database replication. The mechanism isn't just about the relationship; it's about each flow of data.

Technical controls that reduce transfer risk include end-to-end encryption in transit and at rest, strict access controls limiting who can query or export EU data, audit logs of all data access and transfer events, and data residency settings in your cloud provider (e.g., AWS eu-west-1, Azure North Europe). Note that an EU region only pins where the data is stored; if US-based staff, support engineers or a US parent company can reach it, that access is itself a transfer and still needs a mechanism.

Pseudonymization reduces risk but doesn't eliminate the transfer mechanism requirement. Even pseudonymized data that remains re-identifiable is personal data under GDPR.

Can the EU Fine US Companies for GDPR?

Yes, here's how enforcement works. Each EU member state has its own supervisory authority: Ireland's Data Protection Commission (DPC), France's CNIL, Germany's BfDI plus one authority per federal state, and so on. Any EU resident can file a complaint with their national authority. That authority investigates and can issue fines.

For US companies with EU operations, revenue, or infrastructure, direct enforcement is straightforward. For companies with no EU presence at all, collecting the fine is harder logistically, but the reputational damage, public enforcement notices, and potential restriction of EU market access are real consequences. Enterprise EU buyers routinely check enforcement databases.

Fine Structure Article 83

GDPR uses a two-tier penalty structure, and both tiers calculate against global annual turnover, not EU revenue.

An image showing the two-tier fine structure for US companies

Tier 1: up to €10 million or 2% of global annual turnover (whichever is higher): violations of controller/processor obligations under Articles 8, 11, 25-39, 42 and 43 (data protection by design, records, breach notification, DPIAs, DPOs, certification).

Tier 2: up to €20 million or 4% of global annual turnover: violations of core principles, lawful basis requirements, data subject rights, transfer rules, and non-compliance with supervisory authority orders.

"Global annual turnover" means the entire corporate group worldwide. A US company with $500M in worldwide revenue that is fined 4% is fined on the full $500M, not on the slice it earns in the EU.

Is There a US Equivalent of GDPR?

No federal equivalent exists. As of May 2026, there is no comprehensive federal privacy law in the United States. The American Data Privacy and Protection Act (ADPPA) has been proposed in Congress but has not been enacted.

The US approach to data privacy is sectoral and fragmented. HIPAA covers healthcare. COPPA covers children's online data. GLBA covers financial institutions. Beyond these, there are growing state-level laws, but no single national framework equivalent to GDPR.

GDPR vs. CCPA/CPRA 

Feature | GDPR | CCPA / CPRA
--- | --- | ---
Who it protects | People in the EU | California residents
Legal basis required | Yes, one of six documented bases (consent is only one) | No, opt-out model
Cookie consent model | Prior opt-in required for non-essential cookies | Opt-out of sale/sharing
Maximum fine | €20M or 4% of global turnover, whichever is higher | $2,500 per violation; $7,500 per intentional violation or one involving minors
Private right of action | Yes: judicial remedy and compensation (Articles 79 and 82), plus complaints to a supervisory authority (Article 77) | Yes, but only for certain data breaches
Enforcement body | National supervisory authorities (DPC, CNIL, German authorities, etc.) | California Privacy Protection Agency and the California Attorney General

The fundamental difference: GDPR says you need a reason to process data before you process it. CCPA/CPRA says you can process data by default unless someone opts out. These are opposite philosophies.

Other US State Privacy Laws to Know

Law | State | Key threshold
--- | --- | ---
VCDPA | Virginia | 100,000+ consumers, or 25,000+ with 50%+ of revenue from data sales
CPA | Colorado | 100,000+ consumers, or 25,000+ plus any revenue or discount from data sales
TDPSA | Texas | No consumer-count or revenue threshold; applies to any non-small business that processes or sells personal data
CTDPA | Connecticut | 100,000+ consumers, or 25,000+ with 25%+ of revenue from data sales
FDBR | Florida | $1 billion+ global revenue (plus further criteria)

Companies that are GDPR-compliant generally satisfy the consumer-rights requirements of all five. The harder GDPR obligations (prior consent, legal basis documentation, and transfer mechanisms) go beyond what any current US state law requires.

GDPR Compliance Checklist for US Companies

Use this as a working checklist. Each item maps to a specific legal requirement.

Data Governance

  • Data mapping completed; all EU personal data sources identified and documented
  • ROPA created and kept current (Article 30)
  • Legal basis documented for every processing activity in the ROPA
  • Special category data identified; DPIA completed for any high-risk processing
  • Data retention periods are defined per category and technically enforced

Website and Consent

  • Full cookie audit completed; every cookie categorized (essential vs. non-essential)
  • CMP implemented with equal Accept/Reject prominence and no dark patterns
  • Technically verified: non-essential cookies do not fire before consent is granted
  • Consent logs stored with timestamp, notice version, and user identifier
  • Privacy policy updated to meet Articles 13 and 14; linked in the footer and at every collection point
  • The DSAR intake process is live and documented

Contracts and Vendors

  • All third-party processors identified
  • DPA signed with every processor before they handle EU personal data
  • Transfer mechanism confirmed per processor (DPF certification or 2021 SCCs)
  • Transfer Impact Assessment completed for any SCCs covering US transfers
  • EU Representative appointed and named in the privacy policy

Operations

  • 72-hour breach response plan documented with a clear escalation path and assigned roles
  • Staff trained on GDPR obligations relevant to their role
  • Process documented for handling all eight data subject rights within the one-month deadline (Article 12(3))
  • DPO appointed if required (or fractional DPO engaged if significant EU exposure)
  • Annual compliance review calendared

Want to use this checklist but not tackle it alone? ComplyJet automates your GDPR compliance program, from cookie audits to vendor DPAs, so you can focus on growth. Start your GDPR compliance program.

GDPR Compliance Timeline for US Companies [Strategic Action Plan]

An image showing a GDPR compliance timeline framework US companies can follow

Most US companies try to tackle everything at once and stall. A phased approach works better. Here's a realistic timeline:

Weeks 1-2: Data mapping and cookie audit. You can't fix what you haven't identified. Get a complete inventory of tools touching EU data and document every cookie on your site.

Weeks 2-3: Cookie consent implementation. Deploy a compliant CMP. Verify technically that no non-essential scripts fire before consent. This is your highest-visibility compliance gap.

Weeks 3-4: Privacy policy rewrite. Update to meet Articles 13 and 14 legal basis per activity, transfer mechanisms, supervisory authority rights, and retention periods.

Weeks 4-6: Processor DPAs and transfer mechanism confirmation. Go through every vendor that handles EU data. Get DPAs signed. Confirm each vendor is either DPF-certified or includes updated SCCs.

Month 2: Build your DSAR workflow and breach response plan. Document how requests come in, how you verify identity, how you fulfill across systems, and how you log outcomes.

Months 2-3: Complete legal basis documentation and full ROPA. This takes time to do properly; start early, but don't let it block the higher-risk items above.

Ongoing: Staff training, annual review, regulatory monitoring.


When Do You Need a Data Protection Officer?

A DPO appointment is mandatory in three situations: you are a public authority or body; your core activities involve regular, systematic monitoring of individuals on a large scale (behavioral advertising platforms fall here); or your core activities involve large-scale processing of special category data.

Most US SMBs don't meet these thresholds. But if you have significant EU exposure, such as a substantial EU customer base, sensitive data, or large-scale analytics, a fractional DPO service is worth considering. Specialist firms offer this for a fraction of the cost of a full-time hire.

GDPR Logging Requirements: What Records You Must Keep

GDPR's accountability principle (Article 5(2)) requires you to be able to demonstrate compliance, not just claim it. That means records.

Log type | Legal basis | What to record
--- | --- | ---
ROPA | Article 30 | All processing activities, purposes, legal bases, retention periods, and transfer mechanisms
Consent logs | Article 7(1) | When consent was given, how it was given, and what notice version was shown
DSAR logs | Articles 12-22 | Requests received, responses sent, outcomes, timelines
Breach logs | Article 33(5) | All breaches, including those that didn't meet the notification threshold
DPA records | Article 28 | Copies of all signed vendor DPAs
Training logs | Article 32 | Staff training completion dates and content covered

Technical note: logs must be tamper-evident and access-controlled. A spreadsheet that anyone can edit doesn't meet the standard.

Frequently Asked Questions 

Does GDPR apply to US companies with no EU office?

Yes. Article 3(2) applies to any company that offers goods or services to EU residents or monitors their behavior, regardless of where the company is located or whether it has any EU presence.

Does GDPR apply to EU citizens in the US?

No. GDPR protects residents by location, not citizens by nationality. A French citizen living and working in New York is not protected by GDPR when using US services in the US.

Does GDPR apply to US websites?

Yes, if the site targets EU users or tracks EU visitors through cookies, analytics, or pixels. Simply being accessible from the EU is not enough; active targeting or monitoring triggers the regulation.

Can EU regulators enforce fines against US companies?

Yes, particularly against companies with EU operations, EU revenue, or EU-based infrastructure. For companies with no EU presence at all, collecting a fine is logistically harder, but enforcement actions cause reputational damage, are publicly listed on regulator websites, and can restrict access to EU enterprise markets.

What is a GDPR compliance statement?

A formal declaration that a company has implemented GDPR-compliant practices. It typically references your privacy policy, the transfer mechanisms in use, your DPO or EU representative's contact information, and which supervisory authority has jurisdiction. It's not legally required under GDPR, but it's increasingly requested in EU enterprise procurement processes and RFPs.

What does GDPR mean for US B2B companies?

It still applies. EU business customers' employees are data subjects. Their names, email addresses, job titles, and behavioral data tracked in your CRM or analytics tools are all personal data under GDPR. B2B is not exempt.

What is the difference between GDPR and CCPA?

GDPR requires a documented legal basis before processing personal data. It's an opt-in, prior-consent model for many activities. CCPA/CPRA operates on an opt-out model: processing is permitted by default until a consumer objects. GDPR's fines scale with global turnover; CCPA fines are per violation. GDPR applies to EU residents globally; CCPA applies to California residents.

Conclusion

GDPR is not a future compliance consideration for US companies. It is a current legal obligation for any organization with EU website visitors, EU customers, or EU employees, and enforcement is accelerating, not slowing down.

If you take nothing else from this guide, focus on three things first.

Start with a cookie audit and compliant CMP. Non-essential cookies firing on page load before consent is one of the most common and most easily flagged violations. It's also one of the fastest to fix.

Then confirm your EU-US transfer mechanism. Check every processor that handles EU personal data. Are they DPF-certified? Do their DPAs include the 2021 SCCs? If neither, you have an active compliance gap.

Then rewrite your privacy policy to meet Articles 13 and 14. Add legal basis disclosures, transfer mechanisms, retention periods, and the right to complain to a supervisory authority. Write it in plain language that a non-lawyer can understand.

Everything else in this guide, the ROPA, the DSAR workflow, the breach response plan, and the staff training, builds on these three. Get these right first, then work through the checklist systematically.

Need help working through the checklist or assessing your current GDPR posture? Talk to the ComplyJet compliance team. We help US companies identify gaps and build compliance programs that hold up to scrutiny.