
GDPR in the US: Does It Apply to American Businesses?

Scanibly Team · 12 min read

The GDPR is a European law. But if you run an American business with a website, it very likely applies to you. This catches a lot of US business owners off guard. They assume that because their company is based in Texas or Florida or California, European regulations are not their problem.

That assumption is wrong, and it has already cost some American companies significant money. This guide explains when the GDPR applies to US businesses, what you need to do about it, and how American privacy laws compare.

Does the GDPR Apply to US Businesses?

The short answer is: if your website is accessible to people in the European Union and you collect their personal data, yes, the GDPR applies to you.

The GDPR has what is called "extraterritorial scope." This means it applies to organizations outside the EU under two conditions:

Condition 1 - Offering Goods or Services to People in the EU

If your website sells products or services to people in the EU, the GDPR applies. This does not require a physical presence in Europe. "Offering" goods or services is interpreted broadly. Indicators include:

  • Your website is available in EU languages (German, French, Spanish, etc.)
  • You accept payments in euros or other EU currencies
  • You reference EU customers or markets in your marketing
  • You ship products to EU addresses
  • EU residents can create accounts on your platform

Even if you do not actively target EU customers, having a website that EU residents can access and use may trigger GDPR obligations.

Condition 2 - Monitoring the Behavior of People in the EU

If your website tracks or profiles individuals in the EU, the GDPR applies. This includes:

  • Using Google Analytics to collect data from EU visitors
  • Running Facebook Pixel or other advertising trackers
  • Using cookies to track browsing behavior
  • Building user profiles based on behavior data
  • Using retargeting or remarketing campaigns that reach EU residents

The critical point here is that most websites with global reach do at least some of this. If you use Google Analytics and do not block EU traffic, you are almost certainly monitoring the behavior of EU residents, which brings your website under GDPR jurisdiction.

Common Misconceptions About GDPR and US Businesses

Misconception 1 - "My business is too small for the GDPR to apply"

The GDPR does not have a small business exemption based on company size alone. It applies to organizations of all sizes. There is a limited exemption for organizations with fewer than 250 employees regarding record-keeping requirements, but the core obligations - consent, transparency, data subject rights - apply regardless of size.

Misconception 2 - "I do not sell to Europe, so I am exempt"

You do not need to sell to Europe. If you collect data from EU visitors - even passively through analytics - the GDPR can apply. The "monitoring behavior" trigger catches most websites with any amount of EU traffic.

Misconception 3 - "The EU cannot enforce fines against US companies"

There is some truth to this, but less every year. Direct enforcement of GDPR fines against US companies is more complex than against EU-based companies, but mechanisms for cross-border enforcement exist. More importantly, if you use EU-based service providers, process payments through EU channels, or have any business presence in Europe, enforcement becomes much more practical.

Several US companies have already faced GDPR-related consequences, including being blocked from serving EU users and having business partnerships terminated due to non-compliance.

Misconception 4 - "A cookie banner is all I need"

A cookie banner is one piece of GDPR compliance, but it is far from the whole picture. The GDPR covers how you collect, process, store, and share personal data across your entire organization. A cookie banner addresses cookie consent specifically. You also need a privacy policy, data processing agreements with your vendors, procedures for handling data subject requests, and more.

Misconception 5 - "The GDPR and CCPA are basically the same thing"

They share some similarities, but they are different laws with different requirements. Complying with one does not automatically mean you comply with the other. We cover the differences in detail later in this article.

Check if your US website is GDPR compliant with a free scan that identifies exactly where you stand.

What US Businesses Need to Do for GDPR Compliance

If your website has EU visitors and collects their data, here is what the GDPR requires of you.

1. Conduct a Data Audit

Before you can comply with the GDPR, you need to understand what personal data you collect, where it comes from, where it is stored, who has access to it, and who you share it with. Map out every data flow on your website and in your business.

This includes data collected through:

  • Website forms (contact forms, signup forms, checkout forms)
  • Cookies and tracking scripts
  • Server logs
  • Third-party integrations (analytics, advertising, email marketing, payment processing)
  • Customer databases
  • Email communications

2. Identify Your Legal Basis for Processing

The GDPR requires a legal basis for every type of data processing you do. The six legal bases are:

  • Consent: The individual has given clear, informed consent (e.g., opting into a newsletter).
  • Contract: Processing is necessary to fulfill a contract with the individual (e.g., processing a purchase).
  • Legal obligation: Processing is required to comply with a law.
  • Vital interests: Processing is necessary to protect someone's life.
  • Public task: Processing is necessary for a task in the public interest.
  • Legitimate interest: Processing is in your legitimate business interest, balanced against the individual's rights.

For most US small businesses, consent and contract performance are the most relevant bases. Cookie tracking almost always requires consent.

3. Update Your Privacy Policy

Your privacy policy must meet GDPR standards if you serve EU visitors. This means it must be:

  • Written in clear, plain language
  • Specific about what data you collect and why
  • Transparent about who you share data with
  • Clear about how long you retain data
  • Informative about individuals' rights under the GDPR

For help determining whether you need a privacy policy and what it should contain, see our guide on whether you need a privacy policy.

4. Implement Cookie Consent

You must obtain opt-in consent before placing non-essential cookies on EU visitors' devices. This means:

  • A cookie banner that loads before any tracking cookies
  • Actual blocking of non-essential cookies until consent is given
  • The ability for visitors to accept or reject specific categories of cookies
  • An easy way for visitors to change their preferences later
  • Records of when and how consent was given

An informational "this site uses cookies" banner is not sufficient. The GDPR requires active, informed consent with granular controls.

5. Handle Data Subject Requests

EU residents have the right to:

  • Access their personal data (know what you have on them)
  • Rectify inaccurate data
  • Erase their data ("right to be forgotten")
  • Restrict processing
  • Data portability (receive their data in a portable format)
  • Object to processing

You need a process for handling these requests and must respond within 30 days. For a small business, this does not need to be a complex system. A dedicated email address and a documented procedure for fulfilling requests are usually sufficient.

6. Review Your Third-Party Vendors

If you use third-party services that process personal data on your behalf (email marketing tools, analytics platforms, payment processors, cloud hosting), you need data processing agreements (DPAs) with each of them. Most major vendors (Mailchimp, Stripe, Google, AWS, etc.) offer standard DPAs that you can accept through their platforms.

7. Consider Appointing an EU Representative

If your business is not established in the EU but regularly processes EU personal data, the GDPR requires you to appoint a representative in the EU. This person or organization acts as a point of contact for EU supervisory authorities. There are services that provide this for a monthly fee.

US Privacy Laws vs GDPR - How They Compare

The United States does not have a single federal privacy law equivalent to the GDPR. Instead, privacy is regulated through a patchwork of federal and state laws. Here is how the major ones compare.

CCPA / CPRA (California)

The California Consumer Privacy Act and its successor, the California Privacy Rights Act, are the closest US equivalent to the GDPR. Key differences:

| Aspect | GDPR | CCPA/CPRA |
|---|---|---|
| Consent model | Opt-in (must consent before data collection) | Opt-out (can collect data, but must allow opt-out) |
| Scope | Any organization processing EU data | Businesses meeting revenue or data thresholds |
| Cookie consent | Required before non-essential cookies | Not specifically required for cookies |
| Right to delete | Yes | Yes |
| Right to access | Yes | Yes |
| Private right of action | Limited | Yes, for data breaches |
| Fines | Up to 20M euros or 4% revenue | Up to $7,500 per intentional violation |

The biggest practical difference is the consent model. The GDPR requires opt-in consent for most data processing. The CCPA allows you to collect data by default but requires a "Do Not Sell or Share My Personal Information" option.

For a detailed CCPA compliance guide, see our CCPA compliance checklist.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's privacy law took effect in 2023 and applies to businesses that process data of at least 100,000 Virginia residents annually, or 25,000 residents if the business derives over 50% of revenue from selling personal data. It is closer to the GDPR than the CCPA in some respects, including requiring consent for processing sensitive data.

Colorado Privacy Act (CPA)

Colorado's privacy law is similar to Virginia's but includes a universal opt-out mechanism. It applies to businesses that process data of 100,000 Colorado residents or 25,000 residents if the business derives revenue from selling personal data.

Connecticut Data Privacy Act (CTDPA)

Connecticut's law follows the Virginia model closely and includes provisions for consent, data subject rights, and data protection assessments.

Other State Laws

Several other states have passed or are considering privacy legislation. Texas, Oregon, Montana, and other states now have privacy laws on the books. The trend is clearly toward more regulation, not less.

The Case for a Federal Privacy Law

There have been multiple attempts to pass a comprehensive federal privacy law in the US, but none have succeeded as of early 2026. The American Data Privacy and Protection Act came close but stalled. Until a federal law passes, US businesses need to navigate a growing patchwork of state laws in addition to any international obligations like the GDPR.

Practical Steps for US Businesses

If you are a US business owner trying to sort through all of this, here is a practical approach:

Step 1 - Determine Your Exposure

Check your website analytics. What percentage of your traffic comes from the EU? From California? From other US states with privacy laws? This tells you which laws you need to prioritize.

Step 2 - Start with the GDPR

The GDPR has the highest standard. If you comply with the GDPR, you are most of the way toward complying with US state privacy laws as well. The reverse is not true. Start with the strictest standard and work from there.

Step 3 - Implement Cookie Consent

Implement a proper cookie consent mechanism that blocks non-essential cookies for EU visitors and provides opt-out options for US visitors. Many consent management tools support geotargeting, which shows different consent options based on the visitor's location.
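The consent requirements listed under "Implement Cookie Consent" above (block non-essential cookies until consent, granular categories, a way to change preferences, a record of when and how consent was given) and the geotargeted opt-in/opt-out split described in this step can be put together in a few functions. The following is an added example, not Scanibly's code or any consent tool's API; the category names, the region codes treated as opt-out, the policy version string and the shape of the consent record are all assumptions for illustration.

```javascript
// Added example, not Scanibly's code: a small consent gate for non-essential
// scripts. Category names, region codes and the record shape are assumptions.
const CATEGORIES = ["analytics", "advertising"]; // non-essential cookie categories
const POLICY_VERSION = "2026-01";                // bump when the cookie policy text changes
const OPT_OUT_REGIONS = new Set(["US-CA", "US-VA", "US-CO", "US-CT"]); // illustrative

// State before the visitor has chosen anything: EU and unknown visitors start
// with every non-essential category off (opt-in); opt-out regions start on.
function defaultConsent(region) {
  const optOut = OPT_OUT_REGIONS.has(region);
  const choices = {};
  for (const c of CATEGORIES) choices[c] = optOut;
  return { model: optOut ? "opt-out" : "opt-in", choices, record: null };
}
// Store an explicit decision with when and how it was given; calling this
// again from a preferences page is how the visitor changes their mind later.
function recordConsent(state, choices, method, now = Date.now()) {
  const next = { ...state, choices: {} };
  for (const c of CATEGORIES) next.choices[c] = choices[c] === true;
  next.record = { at: new Date(now).toISOString(), version: POLICY_VERSION, method };
  return next;
}
// Opt-in visitors must be asked (again) if they never answered or answered an
// older policy version; until then nothing non-essential may run.
function needsConsent(state) {
  return state.model === "opt-in" &&
    (state.record === null || state.record.version !== POLICY_VERSION);
}
// The gate: strictly necessary scripts always run, the rest follow the choice.
function mayLoad(state, category) {
  if (!CATEGORIES.includes(category)) return true;
  if (needsConsent(state)) return false;
  return state.choices[category] === true;
}

// Browser wiring: trackers ship inert as <script type="text/plain"
// data-consent="analytics"> and become real scripts only when the gate allows.
function activateScripts(state, doc = typeof document === "undefined" ? null : document) {
  if (doc === null) return 0; // no document (e.g. under Node): nothing to activate
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(state, inert.dataset.consent)) continue;
    const live = doc.createElement("script");
    live.text = inert.textContent; doc.head.appendChild(live);
    inert.remove(); activated += 1;
  }
  return activated;
}
```

The region lookup itself (from a geolocation header or a consent tool's API) is deliberately left out; which regions get the opt-out model is a decision to make with your own legal advice, not something the code can settle.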

Step 4 - Write a Comprehensive Privacy Policy

Create a privacy policy that covers GDPR, CCPA, and other applicable laws. It is better to have one thorough privacy policy than separate policies for each law. Make sure it accurately describes your data practices.

Step 5 - Set Up a Process for Data Requests

Create a simple process for handling access, deletion, and opt-out requests. A dedicated email address like privacy@yourdomain.com and a documented workflow are enough for most small businesses.

Step 6 - Scan and Monitor

Use a compliance tool to scan your website regularly. New plugins, integrations, and code changes can introduce compliance gaps without you realizing it.

The Cost of Non-Compliance for US Businesses

Some US business owners weigh the risk of non-compliance against the cost of compliance and decide to take their chances. This is becoming a worse bet every year. Here is why:

  • GDPR enforcement is increasing. The total value of GDPR fines exceeded 4 billion euros cumulatively by 2025.
  • US state enforcement is ramping up. California's Privacy Protection Agency is actively investigating and penalizing businesses.
  • Business partners and customers are demanding compliance. Many B2B contracts now require GDPR compliance as a condition of doing business.
  • Data breaches have legal consequences. If you suffer a breach and were not compliant with applicable privacy laws, the legal and financial fallout is significantly worse.

For a small business, basic GDPR and state privacy compliance costs a few hundred dollars per year at most. The cost of non-compliance can be orders of magnitude higher.

Summary

The GDPR does apply to most US businesses that have websites, because most websites with global reach will inevitably receive visitors from the EU and collect their data through analytics and cookies. Rather than trying to figure out whether you can technically avoid compliance, the smarter approach is to meet the GDPR standard and cover your US state law obligations at the same time.

The building blocks are straightforward: understand what data you collect, get proper consent, be transparent through your privacy policy, respect data subject rights, and monitor your compliance over time.

Run a free compliance scan to see where your website stands with GDPR and US privacy law requirements.
