GDPR Compliance for US Companies: 2026 Complete Guide
Last updated: 2026-05-03 — ComplianceStack Editorial Team
The EU General Data Protection Regulation is not a European problem — it is a global one. Any US company that sells to, serves, or tracks the behavior of people in the European Economic Area is subject to GDPR's full enforcement regime, regardless of whether it has a single employee on European soil. With the Irish Data Protection Commission issuing a €1.2 billion fine against Meta in 2023 and the LinkedIn enforcement action landing in 2024, the message from European regulators is unambiguous: US company size and cross-Atlantic distance are not shields. This guide explains exactly when GDPR applies to your US business, what it requires, and how to build a program that holds up under regulatory scrutiny.
Does GDPR Apply to Your US Company? (Article 3 Territorial Scope)
The most important question US companies ask is whether GDPR applies to them at all. Article 3 of the GDPR establishes two independent tests, and satisfying either one is sufficient to trigger full compliance obligations.
Test 1 — The Establishment Test (Article 3(1)): If a US company has any establishment in the EU — a subsidiary, a branch office, even a small sales office — and personal data is processed in the context of the activities of that establishment, GDPR applies to that processing. The processing itself does not need to take place in the EU. A US company whose EU subsidiary generates sales leads processed by US servers is covered.
Test 2 — The Targeting Test (Article 3(2)): This is the provision that catches most US companies. Even without any EU presence, GDPR applies when a controller or processor not established in the EU processes personal data of data subjects who are in the Union, where the processing relates to: (a) the offering of goods or services to those data subjects, whether or not payment is required; or (b) the monitoring of their behavior as far as the behavior takes place within the Union.
Practical examples that trigger the targeting test:
- A US SaaS company with EU-based paying customers is offering a service to EU data subjects. GDPR applies to every piece of data processed about those customers.
- A US e-commerce store that ships products to France, Germany, or any other EEA country is offering goods to EU data subjects. The targeting test is met the moment you accept a German billing address.
- A US analytics or ad-tech company running pixel-based tracking on websites visited by EU users is monitoring the behavior of EU data subjects. GDPR applies even if the company has never marketed itself to European customers.
- A US B2B company that collects contact form submissions from EU business professionals is processing personal data of EU data subjects in the context of offering services.
The targeting test does not require intent. Regulators look at objective factors: Does the site accept EU payment methods? Are prices shown in Euros? Is the site available in European languages? Is EU-specific content present?
Article 27 — EU Representative Requirement: Controllers and processors subject to GDPR under the targeting test who are not established in the EU must designate, in writing, a representative in an EU Member State where data subjects are located. Failure to appoint one is itself a violation under Article 83(4), punishable by fines of up to €10 million or 2% of global turnover. The only exceptions are for processing that is occasional, does not include large-scale processing of special categories of data or data about criminal convictions, and is unlikely to result in a risk to rights and freedoms — a narrow carve-out that most SaaS, e-commerce, and analytics businesses cannot rely on.
For a full assessment of whether your company is in scope, use the compliance quiz at /compliance-quiz or review the GDPR framework overview at /frameworks/gdpr.
GDPR's 6 Lawful Bases for Processing Personal Data (Article 6)
Every processing activity involving personal data of EU data subjects must rest on one of six lawful bases enumerated in Article 6(1). There is no default lawful basis — you must identify it in advance, document it in your Records of Processing Activities, and disclose it to data subjects in your privacy notice.
1. Consent (Article 6(1)(a)): Consent under GDPR is not a checkbox or a pre-ticked opt-in. It must be freely given, specific, informed, and unambiguous. Silence, pre-ticked boxes, and inactivity do not constitute consent. Consent must be as easy to withdraw as to give. For marketing communications to EU individuals, consent is the most defensible basis — but it is also the most brittle: once withdrawn, you must stop processing and cannot retrospectively rely on another basis. See the GDPR marketing consent checklist at /checklist/gdpr-marketing-consent for the operational requirements.
2. Contract (Article 6(1)(b)): Processing is lawful if it is necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request prior to entering a contract. The EDPB has made clear that this basis is narrower than it appears: the processing must be objectively necessary, not merely useful or convenient. A SaaS product using behavioral analytics to improve UX cannot rely on Article 6(1)(b) — the contract can be performed without it.
3. Legal Obligation (Article 6(1)(c)): Processing is lawful if it is necessary to comply with a legal obligation to which the controller is subject. This covers things like financial recordkeeping obligations, anti-money laundering checks, and employment law requirements. The obligation must be under EU or Member State law — a US statutory obligation does not satisfy this basis under GDPR.
4. Vital Interests (Article 6(1)(d)): Processing is lawful if it is necessary to protect the vital interests of the data subject or another natural person. This is a narrow emergency basis — life or death situations — not a general safety rationale.
5. Public Task (Article 6(1)(e)): Processing is lawful if it is necessary for the performance of a task in the public interest or in the exercise of official authority vested in the controller. This applies primarily to public bodies and is rarely relevant for US commercial companies.
6. Legitimate Interests (Article 6(1)(f)): The most flexible basis, but also the most frequently misapplied. Legitimate interests requires a three-part Legitimate Interests Assessment (LIA): (i) identify a legitimate interest; (ii) demonstrate necessity — the processing must be necessary to achieve the interest; (iii) balance — the controller's interest must not be overridden by the data subject's interests, rights, or freedoms. The EDPB's guidance and multiple enforcement decisions (including the LinkedIn €310M fine in October 2024) confirm that legitimate interests cannot be used as a fallback basis when consent has been refused or is inconvenient.
US company practical note: Many US companies arrive at GDPR compliance having relied on terms-of-service consent that does not meet GDPR's consent standard, or on "legitimate interests" that was never documented through an LIA. Before building your compliance program, audit every processing activity and assign a defensible lawful basis with written documentation.
Cross-Border Data Transfers Post-Schrems II (Articles 44–49)
Chapter V of the GDPR (Articles 44–49) governs the transfer of personal data from the EEA to third countries, including the United States. Every time EU personal data flows to a US server — whether through a SaaS platform, a cloud provider, an analytics tool, or an internal HR system — a lawful transfer mechanism must be in place.
The Schrems History:
Schrems I (October 2015): The Court of Justice of the European Union (CJEU) invalidated the EU-US Safe Harbor framework in *Maximillian Schrems v. Data Protection Commissioner* (C-362/14), citing the US government's mass surveillance programs revealed by Edward Snowden. Overnight, thousands of US companies lost their primary transfer mechanism.
Schrems II (July 2020): The CJEU invalidated Privacy Shield in *Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems* (C-311/18). The court held that US national security law did not provide EU data subjects with equivalent protections to those guaranteed in the EU. The court also imposed new conditions on Standard Contractual Clauses: companies must conduct a Transfer Impact Assessment (TIA) to determine whether the law of the destination country allows the SCCs to be effective in practice.
EU-US Data Privacy Framework (DPF) — July 2023: Following Schrems II, US Executive Order 14086 introduced new intelligence community oversight mechanisms, and the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework in July 2023. US companies that self-certify with the US Department of Commerce can receive EU personal data under the DPF without additional safeguards. However, the DPF is under active legal challenge by Max Schrems and noyb — a third invalidation remains a real risk. Companies relying solely on DPF should maintain SCCs as a backup.
Standard Contractual Clauses (SCCs) — June 2021: The European Commission updated the SCCs via Implementing Decision (EU) 2021/914. The new SCCs include four modular sets for different controller-processor relationships and require the parties to complete a Transfer Impact Assessment documenting whether supplementary measures are needed. SCCs are the most widely used transfer mechanism for US companies not certified under DPF.
Binding Corporate Rules (BCRs): For multinational groups, BCRs allow intragroup transfers under a single approved binding policy. BCRs must be approved by a lead supervisory authority and typically require 18–24 months and significant legal investment.
Practical requirement for US companies: Audit every vendor, SaaS tool, and data flow that involves EU personal data. For each one, document the transfer mechanism: DPF certification, SCCs with completed TIA, or adequacy decision. Transfers with no mechanism in place are a direct Article 83(5) violation. Use the GDPR vendor management checklist at /checklist/gdpr/vendor-management to track your transfer mechanisms systematically.
Data Subject Rights Under GDPR (Articles 15–22)
The GDPR confers eight distinct rights on EU data subjects. US companies must have documented processes for receiving, verifying, and responding to each type of request. The failure to honor data subject rights is an Article 83(5) violation.
Right of Access (Article 15): Data subjects may request confirmation of whether their personal data is being processed and, if so, a copy of that data along with supplementary information (purposes, categories, recipients, retention periods, rights available). The response must be provided within one calendar month from receipt of the request, extendable by two further months for complex or numerous requests with notice to the requester. The first copy is free.
Right to Rectification (Article 16): Data subjects may request correction of inaccurate personal data and completion of incomplete personal data. Response timeline: one month.
Right to Erasure / Right to be Forgotten (Article 17): Data subjects may request deletion of their personal data where: the data is no longer necessary for the purpose it was collected; consent is withdrawn and no other basis exists; the data subject objects under Article 21 and there are no overriding legitimate grounds; the data was unlawfully processed. Erasure must also reach backups once the backup rotation cycle completes.
Right to Restriction of Processing (Article 18): Data subjects may request that processing be restricted — data is stored but not otherwise used — pending resolution of a contested accuracy claim, an objection under Article 21, or where processing was unlawful and the subject prefers restriction over erasure.
Right to Data Portability (Article 20): Data subjects who provided data under consent or contract basis may receive that data in a structured, commonly used, machine-readable format (CSV, JSON) and transmit it to another controller. This right applies only to automated processing.
Right to Object to Direct Marketing (Article 21(2)): This is an absolute right — data subjects may object to processing of their personal data for direct marketing purposes at any time and the controller must cease that processing immediately. There is no balancing test; no legitimate interest override applies.
Right to Object — Other Processing (Article 21(1)): For processing based on public task or legitimate interests, data subjects may object at any time on grounds relating to their particular situation. The controller must stop unless it demonstrates compelling legitimate grounds that override the data subject's interests.
Right Not to Be Subject to Automated Decision-Making (Article 22): Data subjects have the right not to be subject to decisions based solely on automated processing — including profiling — that produce legal effects or similarly significant effects. Where such processing occurs (credit scoring, automated hiring screens, content moderation), the controller must provide human review on request and an explanation of the decision logic.
Operational requirements: Build a data subject rights intake process that: (1) accepts requests through multiple channels; (2) verifies identity without requesting excessive information; (3) logs every request with timestamp for the one-month clock; (4) produces responses in plain language. The GDPR data mapping checklist at /checklist/gdpr-data-mapping is the prerequisite — you cannot honor access requests without knowing where data lives.
GDPR Article 83: Fine Tiers and How They're Calculated
Article 83 of the GDPR establishes a two-tier administrative fine structure. Understanding which violations fall into which tier — and how fines are calculated within those tiers — is essential for risk-quantifying your exposure.
Tier 1 Fines (Article 83(4)) — Up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher:
Violations covered include obligations of controllers and processors (Articles 8, 11, 25–39, 42, 43). In practice, this covers failures in: privacy by design and default (Art. 25), data processing agreements (Art. 28), records of processing activities (Art. 30), security measures (Art. 32), breach notification to DPA (Art. 33), breach notification to individuals (Art. 34), and DPIAs (Art. 35). See the full list on the Tier 1 GDPR violations page at /penalties/gdpr/tier-1-violations.
Tier 2 Fines (Article 83(5)) — Up to €20,000,000 or 4% of total worldwide annual turnover, whichever is higher:
The most serious violations: breaches of the basic principles of processing (Art. 5 — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality); lawful basis failures (Art. 6); consent conditions (Art. 7); violations of data subject rights (Arts. 12–22); international transfer violations (Arts. 44–49). See Tier 2 GDPR violations at /penalties/gdpr/tier-2-violations.
The 10 factors in Article 83(2) that determine fine level within a tier:
1. The nature, gravity, and duration of the infringement
2. The intentional or negligent character of the infringement
3. Actions taken to mitigate the damage suffered by data subjects
4. The degree of responsibility of the controller or processor
5. Any relevant prior infringements
6. The degree of cooperation with the supervisory authority
7. The categories of personal data affected
8. The manner in which the DPA became aware of the infringement
9. Compliance with measures ordered under Article 58(2)
10. Adherence to approved codes of conduct or certification mechanisms
Key calculation rule: Fines are calculated as the higher of the fixed euro amount or the percentage of worldwide annual turnover — not as a choice the company makes. A company with €10 billion in turnover faces up to €400M on a Tier 2 violation (4% of €10 billion is €400M, which exceeds the €20M fixed amount, so the percentage governs). This is why GDPR fines are existential for large companies in a way that most US state privacy fines are not.
Data breach-specific enforcement examples are tracked at /penalties/gdpr/data-breach-fines.
Major GDPR Enforcement Cases Against US Companies (2018–2025)
The following enforcement actions against US companies represent the most significant GDPR decisions to date. Each establishes regulatory interpretation that shapes compliance expectations for all companies in scope.
Meta Platforms (Ireland) — €1.2 billion | May 2023
The largest GDPR fine in history was issued by the Irish Data Protection Commission (DPC) following an EDPB Article 65 binding decision that overruled Ireland's proposed lower sanction. The violation: Meta continued to transfer personal data of EU Facebook users to US servers under Privacy Shield after Schrems II invalidated that mechanism in July 2020. Meta attempted to rely on SCCs, but the DPC — directed by the EDPB — found those SCCs were insufficient given US surveillance law. Meta was also ordered to suspend transfers and bring processing into compliance within five months.
Amazon Europe Core S.à r.l. (Luxembourg) — €746 million | July 2021
The Luxembourg Commission Nationale pour la Protection des Données (CNPD) issued this fine for Amazon's behavioral advertising system. The core finding: Amazon placed advertising cookies and processed personal data for targeted advertising without obtaining valid consent from EU users. The cookie consent mechanism did not meet GDPR's standard for freely given, specific, informed, unambiguous consent.
Instagram/Meta (Ireland) — €405 million | September 2022
The Irish DPC found that Instagram had exposed the personal data of child users (ages 13–17) by defaulting their accounts to public and by displaying children's contact information in their public-facing business accounts. The violations covered Articles 5, 6, 12, and 13, establishing that default settings for children's accounts must be privacy-protective.
WhatsApp/Meta (Ireland) — €225 million | September 2021
The Irish DPC found that WhatsApp failed to provide adequate transparency to both users and non-users about how their personal data was processed and shared with other Meta companies. The privacy notices were found to violate Articles 12, 13, and 14 (transparency obligations). The EDPB's Article 65 dispute resolution mechanism raised the fine from the DPC's original proposal — an early demonstration of the EDPB's willingness to override national DPAs proposing insufficient sanctions.
LinkedIn Ireland (Ireland) — €310 million | October 2024
The Irish DPC found that LinkedIn's behavioral advertising practices violated multiple provisions. LinkedIn relied on consent, contract, and legitimate interests to process member data for targeted advertising. The DPC found: (1) the consent obtained was not freely given or sufficiently informed; (2) the contract basis was applied too broadly; (3) the legitimate interests balancing test was not properly conducted. This is the most significant post-DPF enforcement action and directly addresses the misuse of legitimate interests for advertising — a common pattern among US digital companies.
TikTok Technology Limited (Ireland) — €345 million | September 2023
The Irish DPC found that TikTok's default settings for user accounts belonging to children under 18 were set to public, exposing children's content and profiles to all users. TikTok also enabled a "Family Pairing" feature that allowed adults not verified as the child's parent to control a child's account settings. Violations covered Articles 5(1)(c) (data minimisation), 5(1)(f) (integrity and confidentiality), 13 (transparency), and 25 (privacy by design).
All six cases involve US-headquartered companies and were handled by the Irish DPC, reflecting the concentration of US tech companies' European headquarters in Ireland. However, supervisory authorities in Germany, France (CNIL), Spain (AEPD), Italy (Garante), and the Netherlands (AP) are increasingly active against smaller US companies.
GDPR vs. CCPA/CPRA: Key Differences for US Companies
US companies frequently ask whether a GDPR compliance program satisfies their California obligations, or vice versa. A robust GDPR program covers most CCPA/CPRA requirements, but several California-specific obligations have no GDPR equivalent — and the reverse is also true.
Territorial Scope:
- GDPR: Applies to processing of personal data of data subjects in the EU, regardless of the controller's location. Triggered by offering goods/services to or monitoring behavior of EU individuals.
- CCPA/CPRA: Applies to for-profit businesses doing business in California meeting one of: (1) annual gross revenues exceeding $25 million; (2) buying, selling, or sharing personal information of 100,000+ consumers or households; (3) deriving 50% of revenues from selling consumers' personal information.
Consent Model:
- GDPR: Opt-in consent required for most marketing and tracking. Legitimate interests is available for some processing but requires a documented LIA.
- CCPA/CPRA: Opt-out model for sale or sharing of personal information. The Global Privacy Control (GPC) browser signal must be honored as a valid opt-out in California — a browser-based technical standard with no GDPR equivalent.
Data Subject/Consumer Rights:
- Both regimes provide: right to know/access, right to deletion, right to data portability.
- GDPR additionally provides: right to rectification (Art. 16), right to restriction (Art. 18), right to object to automated decision-making (Art. 22), right to object to direct marketing (Art. 21(2) — absolute).
- CPRA additionally provides: right to correct (similar to GDPR rectification), right to limit use of sensitive personal information.
Fines:
- GDPR: Up to €20M or 4% of global annual turnover (Tier 2), €10M or 2% (Tier 1).
- CCPA/CPRA: Up to $7,500 per intentional violation or $2,500 per unintentional violation, enforced by the California Privacy Protection Agency (CPPA). CPRA adds $7,500 per violation involving minors' data.
Practical compliance note: GDPR's more stringent consent, transparency, and rights requirements mean that companies with a mature GDPR program generally satisfy the majority of CCPA/CPRA obligations automatically. The key gaps to address specifically for California: (1) implement GPC signal opt-out recognition; (2) add a "Do Not Sell or Share My Personal Information" link if applicable; (3) document the "sensitive personal information" limit-use mechanism. For a structured comparison of HIPAA and GDPR requirements, see /compare/hipaa-vs-gdpr.
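The opt-in versus opt-out contrast above, and gap (1) in particular, comes down to a request-time decision. The following is an added example (not code from the ComplianceStack page or any vendor) showing how a web backend can make that decision for non-essential tracking under both models. It assumes the visitor's region has already been classified by the caller as 'EU', 'CA' or something else; that consent records have the hypothetical shape { marketingOptIn, recordedAt }; and that the GPC signal arrives as the request header Sec-GPC: 1 (the header defined by the GPC specification, which Node exposes lower-cased) or, in the browser, as navigator.globalPrivacyControl === true.

```javascript
// Added example, not the page's or any vendor's code. Assumptions: region is
// pre-classified by the caller; consent records use a hypothetical shape;
// GPC arrives as the "Sec-GPC: 1" request header (lower-cased by Node) or as
// navigator.globalPrivacyControl in the browser.

const GPC_HEADER = 'sec-gpc';

// True when the request carries a valid GPC opt-out signal.
function gpcSignalled(headers) {
  const value = headers[GPC_HEADER];
  return typeof value === 'string' && value.trim() === '1';
}

// Browser-side equivalent; takes the navigator object so it can be tested.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Persist the opt-out the first time a known consumer sends GPC, so the choice
// also governs later requests that lack the header (another browser, a mobile
// app). `store` is a Map standing in for a real preferences database.
function recordGpcOptOut(store, consumerId, headers, now = new Date()) {
  if (!consumerId || !gpcSignalled(headers)) return false;
  const existing = store.get(consumerId);
  if (existing && existing.optOut) return false; // already on file
  store.set(consumerId, { optOut: true, source: 'gpc', at: now.toISOString() });
  return true;
}

// Decide whether non-essential tracking / "sale or sharing" may proceed.
function trackingDecision({ region, headers = {}, consent = null, optOutOnFile = false }) {
  const hasConsent = consent !== null && consent.marketingOptIn === true;
  if (region === 'EU') {
    // GDPR: opt-in model. Nothing non-essential runs without a recorded,
    // affirmative consent. GPC has no GDPR meaning, so it plays no part here.
    return { allowed: hasConsent, basis: hasConsent ? 'gdpr-consent' : 'gdpr-no-consent' };
  }
  if (region === 'CA') {
    // CCPA/CPRA: opt-out model. Sale/sharing proceeds unless the consumer has
    // opted out, and a GPC signal must be honoured as a valid opt-out.
    if (gpcSignalled(headers)) return { allowed: false, basis: 'ccpa-gpc-opt-out' };
    if (optOutOnFile) return { allowed: false, basis: 'ccpa-link-opt-out' };
    return { allowed: true, basis: 'ccpa-no-opt-out' };
  }
  // Unclassified regions: fail closed to the stricter opt-in behaviour.
  return { allowed: hasConsent, basis: 'default-opt-in' };
}

module.exports = { gpcSignalled, gpcFromNavigator, recordGpcOptOut, trackingDecision };
```

The design choice worth noting is that the California branch checks the live GPC header before the stored preference, so a consumer who enables GPC after previously agreeing still gets the opt-out, while recordGpcOptOut makes the signal sticky for identified consumers.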
GDPR Breach Notification Requirements (Articles 33–34)
The GDPR's breach notification obligations are among the most operationally demanding in the regulation. US companies accustomed to state breach notification laws — which typically allow 30, 45, or 60 days — face a dramatically shorter clock under GDPR.
Article 33 — Notification to Supervisory Authority:
In the event of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. The 72-hour clock starts from the moment the controller "becomes aware" — which regulators interpret as the moment the controller has a reasonable degree of certainty that a breach has occurred, not the moment the full scope is understood. Partial notification is permitted and expected where full information is not yet available.
Article 33(2) — Processor Obligation: Processors must notify their controller without undue delay upon becoming aware of a personal data breach. Data Processing Agreements (DPAs) under Article 28 must contain a specific clause requiring this notification. US SaaS companies acting as processors for EU customers must have this workflow in place. "Without undue delay" from processors is interpreted by most supervisory authorities as within 24–36 hours to allow the controller to meet its own 72-hour deadline.
Content of the supervisory authority notification (Article 33(3)): The notification must include:
- The nature of the personal data breach, including categories and approximate number of data subjects and records concerned
- The name and contact details of the DPO or other contact point
- The likely consequences of the breach
- The measures taken or proposed to address the breach
Article 34 — Notification to Affected Data Subjects: Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also notify the affected individuals without undue delay. High-risk indicators include exposure of financial data, health data, data enabling identity theft, or data about vulnerable populations.
Article 33(5) — Internal Breach Register: Regardless of whether notification to the DPA or individuals is required, controllers must document all personal data breaches, including those that do not meet the notification threshold. This internal register must capture the facts, effects, and remedial actions and must be available to supervisory authorities on request.
The 72-hour rule in practice: Build your breach response program to operate 24/7. The GDPR breach response checklist at /checklist/gdpr-breach-response includes a pre-approved notification template, a decision tree for high-risk vs. low-risk assessment, and a DPA contact directory for all 30+ EEA supervisory authorities. Failure to notify a breach is an Article 83(4) violation — up to €10M or 2% of turnover.
Building Your GDPR Compliance Program as a US Company
Building a GDPR compliance program is not a one-time project — it is an ongoing operational function. The following ten-step roadmap provides a structured path from exposure assessment to defensible compliance. The GDPR compliance pulse dashboard at /gdpr-compliance-pulse can track your progress across each step.
Step 1 — Determine Whether GDPR Applies (Article 3): Apply the establishment test and the targeting test. If you serve EU customers, ship to the EEA, or run behavioral analytics on EU visitors, the answer is almost certainly yes. Take the compliance quiz at /compliance-quiz if you are uncertain.
Step 2 — Appoint an EU Representative if Required (Article 27): If you are subject to GDPR under Article 3(2) and do not have an EU establishment, you must appoint a representative in writing in a Member State where your data subjects are located. Several firms offer EU representative services.
Step 3 — Assess Whether a DPO is Required (Article 37): A Data Protection Officer is mandatory for: (a) public authorities; (b) controllers or processors whose core activities require large-scale, regular, and systematic monitoring of individuals; (c) controllers or processors whose core activities involve large-scale processing of special categories of data. Many US SaaS and analytics companies meet threshold (b).
Step 4 — Data Mapping and Records of Processing Activities (Article 30): Article 30 requires controllers with 250+ employees — and smaller companies where processing is non-occasional or involves special categories — to maintain written records of processing activities. Data mapping is also the prerequisite for every other step. Use the GDPR data mapping checklist at /checklist/gdpr-data-mapping.
Step 5 — Lawful Basis Inventory: For each processing activity in your ROPA, document the lawful basis. Where you rely on consent, ensure it meets GDPR standards. Where you rely on legitimate interests, complete a Legitimate Interests Assessment.
Step 6 — Update Privacy Notices (Articles 13–14): Both articles require disclosure of: controller identity and contact details, DPO contact, purposes and lawful bases for all processing, recipients, international transfers and safeguards, retention periods, and all available data subject rights.
Step 7 — Implement Data Subject Rights Request Processes (Articles 15–22): Build an intake workflow, identity verification process, one-month response clock, and response templates for each right type. Log every request. For SaaS companies, the ComplianceStack SaaS GDPR guide at /compliance/gdpr/saas covers technical implementation.
Step 8 — Audit and Remediate Cross-Border Transfers (Articles 44–49): Inventory every tool, vendor, and data flow that moves EU personal data to the US or other non-EEA countries. For each, document the transfer mechanism: DPF certification, SCCs with TIA, or adequacy decision.
Step 9 — Implement Technical and Organisational Security Measures (Article 32): Article 32 requires measures appropriate to the risk, including encryption, pseudonymisation, access controls, availability and resilience, and regular testing.
Step 10 — Conduct DPIAs for High-Risk Processing (Article 35): A Data Protection Impact Assessment is mandatory before commencing processing likely to result in high risk — including systematic profiling, large-scale processing of special categories, and systematic monitoring of publicly accessible areas. Use the GDPR DPIA checklist at /checklist/gdpr-dpia. For comparison with HIPAA's risk analysis requirements, see /compare/hipaa-vs-gdpr.
GDPR FAQs for US Companies
Does a US company with no EU office need to comply with GDPR?
Yes, if it meets the targeting test under Article 3(2) — which applies to any company offering goods or services to EU data subjects or monitoring their behavior, regardless of where the company is incorporated or where its servers are located. The absence of a physical EU presence means you need an EU representative under Article 27, but it does not exempt you from GDPR's substantive requirements.
What is a Data Processing Agreement (DPA) and when is it required?
A Data Processing Agreement is the written contract required by Article 28 of the GDPR whenever a controller engages a processor to process personal data on its behalf. If you use AWS, Google Cloud, Salesforce, HubSpot, Zendesk, or virtually any other SaaS tool that touches EU personal data, you are a controller and that vendor is a processor. You must have a signed DPA in place with each, containing: subject matter and duration, nature and purpose of processing, obligations and rights of the controller, subprocessor authorization requirements, data subject rights assistance, deletion or return of data, audit rights, and security obligations.
What is the difference between a data controller and a data processor?
A data controller (Article 4(7)) is the entity that determines the purposes and means of processing personal data. A data processor (Article 4(8)) processes personal data on behalf of the controller, following the controller's instructions. Most US companies that collect customer data are controllers for that data. When they use a third-party analytics tool or cloud storage service, that vendor is their processor. Controllers bear primary compliance obligations under GDPR; processors have more limited direct obligations but face significant contractual liability.
Can we still use Google Analytics after Schrems II?
Several European DPAs — Austria, France (CNIL), Italy, Denmark, Finland — issued decisions in 2022 finding that Google Analytics violated GDPR by transferring EU users' personal data to Google servers in the US without an adequate transfer mechanism. The EU-US Data Privacy Framework, adopted in July 2023, partially resolves this: Google is certified under DPF, which is currently a valid transfer mechanism. However, the DPF is under legal challenge. Companies should verify Google's DPF certification is current and implement IP anonymization. Privacy-by-design alternatives (Matomo self-hosted, Fathom, Plausible) avoid the transfer question entirely.
What happens if a US company ignores GDPR enforcement?
Ignoring GDPR concentrates the risk rather than eliminating it. European supervisory authorities can investigate US companies, issue fines, and order processing to cease. More immediately: (1) EU-based enterprise customers will require GDPR-compliant DPAs as a condition of doing business; (2) EU-based data subjects can lodge complaints with any supervisory authority, triggering investigations that can result in orders to stop processing entirely; (3) reputational damage from a public enforcement action is disproportionate to the cost of compliance. Use the free GDPR compliance assessment at /gdpr-compliance-pulse before deciding the regulation does not apply to you.
Track Your GDPR Compliance in Real Time
ComplianceStack's GDPR Compliance Pulse gives US companies a live view of their compliance posture — covering territorial scope, lawful basis documentation, transfer mechanisms, data subject rights workflows, and breach readiness. Start with your free assessment and get a prioritized remediation roadmap.
Check Your GDPR Compliance Score