GDPR for US Companies: What You Actually Need to Do in 2026
Last updated: 2026-04-05 — ComplianceStack Editorial Team
GDPR applies to you even if you've never set foot in Europe. If you have a website, SaaS product, or service that EU residents use — and you collect their personal data — the General Data Protection Regulation applies to you. This guide is written specifically for US companies navigating GDPR without a dedicated European legal team.
Does GDPR Apply to Your US Company?
GDPR applies to any organization — regardless of location — that:
1. Offers goods or services to EU/UK residents (even if free), OR
2. Monitors the behavior of EU/UK residents (analytics, behavioral advertising, tracking)
Practical test: If EU residents can sign up for your product, buy your service, or use your website and you collect their email, IP address, or behavioral data — GDPR likely applies to you.
Small business exception: GDPR has limited exemptions. Organizations with fewer than 250 employees are exempt from some Article 30 record-keeping requirements (unless processing is regular, involves special categories, or poses risks to rights). This is a narrow exception — it doesn't mean GDPR doesn't apply.
The UK question: Post-Brexit, the UK operates under UK GDPR — substantively similar to EU GDPR. US companies with both EU and UK users need to address both, though a unified privacy program usually covers both.
Your GDPR Legal Basis Options
Every data processing activity must have a lawful legal basis under GDPR Article 6. The six legal bases:
1. Consent — Freely given, specific, informed, unambiguous. Consent must be as easy to withdraw as it is to give, and a pre-ticked checkbox is not valid consent.
2. Contract — Processing is necessary to fulfill a contract with the data subject.
3. Legal obligation — You're required by law to process the data.
4. Vital interests — Processing is necessary to protect someone's life.
5. Public task — Rarely applicable to US private companies.
6. Legitimate interests — Balanced against the individual's rights; requires a Legitimate Interests Assessment (LIA).
For most US SaaS companies, the most common bases are: Contract (for account data needed to deliver the service), Consent (for marketing emails, non-essential cookies), and Legitimate Interests (for fraud prevention, security, product analytics).
For special category data (health, biometrics, race, religion, political opinions), explicit consent or another specific condition is required — regular consent isn't enough.
Your GDPR Action Checklist
Privacy foundation:
- Update your Privacy Policy to describe what data you collect, why, legal basis for each purpose, retention periods, and individual rights
- Add a 'Do Not Sell / Do Not Share' link if you're also subject to CCPA
- Implement cookie consent mechanism (consent banner for non-essential cookies)
Data mapping:
- Document all personal data you collect, store, or process
- Identify all vendors (processors) who receive EU personal data
- Execute Data Processing Agreements (DPAs) with all processors
Individual rights infrastructure:
- Build a process to respond to access requests within 30 days
- Build a process to handle erasure ('right to be forgotten') requests
- Support data portability requests (export user data in machine-readable format)
- Document your objection/restriction handling process
Security:
- Conduct a Data Protection Impact Assessment (DPIA) for high-risk processing
- Implement technical and organizational security measures
- Build a process to notify your lead supervisory authority of a personal data breach within 72 hours
International transfers:
- If you transfer EU data to the US, use Standard Contractual Clauses (SCCs) with your EU customers/users
- EU-US Data Privacy Framework certification is an alternative if applicable
Governance:
- Designate an EU Representative if you have no EU establishment but process EU data (required under Article 27 for many US companies)
- Appoint a Data Protection Officer (DPO) if you engage in large-scale systematic monitoring or process special category data at scale
GDPR Enforcement: What US Companies Face
Many US companies assume GDPR enforcement can't reach them. That assumption has become increasingly dangerous:
- Regulatory authorities can issue binding orders, including stop-processing orders that effectively shut you out of the EU market
- Large fines (4% of global annual revenue or €20M, whichever is higher) have been issued to US companies
- Meta's record €1.2 billion fine (2023) for Facebook's EU-US data transfers remains the largest GDPR penalty to date
- Noyb and other advocacy organizations specifically file complaints targeting US companies
- Even smaller US SaaS companies have received letters from data protection authorities requiring a response
The EU Representative requirement: US companies without an EU establishment that process EU personal data must designate an EU Representative under Article 27. Services like DP-Dock, Bird & Bird, and others provide this service for ~€500–€2,000/year. Failure to designate one is itself a GDPR violation.
GDPR Penalties and Enforcement by Country
GDPR enforcement varies dramatically by country. Some data protection authorities are aggressive; others move slowly:
Most active enforcement:
- Ireland (DPC): Major tech company headquarters; €1.2B (Meta), €310M (LinkedIn), €225M (WhatsApp)
- Germany: Multiple DPAs (one per state); active enforcement of cookie consent and analytics tools
- France (CNIL): Active enforcement of cookie violations, Google Analytics bans
- Netherlands (AP): Active enforcement of dark patterns and consent
- Spain (AEPD): High volume of enforcement actions
Penalty tiers:
- Lower tier (administrative violations, Art. 83(4)): Up to €10M or 2% of global annual revenue
- Upper tier (core principles, rights violations, transfers, Art. 83(5)): Up to €20M or 4% of global annual revenue
For reference: A US SaaS company with $5M annual revenue could theoretically face up to $200,000 in GDPR fines for upper-tier violations. In practice, first-time violations by smaller companies often result in warnings or lower fines — but not always.
Check Your GDPR Compliance Status
Our compliance quiz covers GDPR requirements in under 5 minutes. See where you have gaps before a regulator does.