Compliance Guides

GDPR for US Businesses: Do You Need to Comply?

ComplianceStack Intelligence
March 10, 2026

The short answer: if you market to, sell to, track, or employ people in the EU, GDPR almost certainly applies to your US company, regardless of where your servers are hosted, where you're incorporated, or how small your company is.

GDPR has no geographic exemption for American businesses. It applies based on where your data subjects (the people whose data you collect) are located, not where your company is. European regulators have fined US companies, and enforcement has been increasing.

💰 GDPR Fine Scale for US Companies

Article 83 sets two tiers of maximum fine. The upper tier (breaches of the core principles, lawful basis, data subject rights, or the international transfer rules) is €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. The lower tier (breaches such as record-keeping, security, or breach-notification failures) is €10 million or 2%, again whichever is higher. Because the test is "whichever is higher", the percentage only matters to very large companies: for a US company with $10M in annual revenue, 4% is $400,000, but the statutory ceiling is still €20 million, and a $500K company faces the same theoretical €20M exposure. In practice, fines are scaled to the size of the company and the severity of the violation, and first-time fines at smaller companies are far lower, but they still reach tens of thousands of euros.

Does GDPR Apply to Your Business?

GDPR applies to your US company if you meet either of these conditions:

  1. You offer goods or services to people in the EU — this includes free services. A SaaS company with a free tier available to EU users is covered. A blog that runs ads targeted to EU readers is covered.
  2. You monitor the behavior of people in the EU — this includes any analytics tracking (Google Analytics, Mixpanel, etc.) that collects IP addresses or identifies individuals in the EU. If you use cookies that track user behavior and EU users visit your site, you're likely covered.

Notice what's not on the list: "having a business in Europe" or "selling to European companies." GDPR is triggered by having EU individuals as users, customers, or subjects of data collection — not by your business location.

Scenario | GDPR applies?
US SaaS company with EU subscribers | Yes
US ecommerce site that ships to the EU | Yes
US blog using Google Analytics (EU visitors) | Yes
US B2B company selling only to US businesses, with no EU operations and no tracking of EU visitors | No
US company with EU employees | Yes (employee data)
US non-profit with EU donors | Likely yes
US company with an "EU pricing" page | Yes
US company that occasionally receives unsolicited EU purchases | Likely no (if the EU is not targeted)

What GDPR Actually Requires

GDPR is not primarily about cookie banners. Those are just one visible symptom of deeper requirements. Here's what compliance actually means:

1. Lawful Basis for Processing
You must identify, and document, a lawful basis for every category of personal data you process. The six lawful bases (Article 6) are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. You can't default to "legitimate interests" for everything: it requires a documented balancing test of your interests against the individual's, and it is not available where consent is specifically required (for example, for non-essential cookies).

2. Privacy Notice / Privacy Policy
Your privacy policy must state what data you collect, why you collect it and on which lawful basis, how long you keep it, who you share it with (including transfers from the EU to the US and the mechanism relied on), and the rights EU individuals can exercise and how to exercise them. A generic "we respect your privacy" statement doesn't satisfy GDPR.

3. Consent Mechanism for Cookies & Marketing
Non-essential cookies and similar tracking (analytics, advertising, personalization) require prior consent from EU users. Strictly, that rule comes from the ePrivacy Directive as implemented in each member state, but it uses GDPR's standard of consent: freely given, specific, informed, and unambiguous. Pre-ticked boxes, consent buried in T&Cs, and "by continuing to use this site you consent" banners are all non-compliant. You need a real consent mechanism with equally prominent accept and reject options, no tracking scripts fired before the user chooses, and a way to withdraw consent that is as easy as giving it.

4. Data Subject Rights Fulfillment
EU individuals have the right to: access their data, correct inaccurate data, delete their data ("right to be forgotten"), restrict or object to processing, and receive their data in a portable format. You must respond without undue delay and in any event within one month of receiving the request; that period can be extended by two further months for complex or numerous requests, but only if you tell the individual within the first month and explain why. You need a process to receive these requests, verify the requester's identity, and fulfill them within that deadline.

5. Data Transfer Mechanisms
Transferring personal data from the EU to the US requires a legal mechanism. Currently, the EU-US Data Privacy Framework (DPF) is the primary mechanism: US companies can self-certify with the Department of Commerce, and the certification covers data received by the certified entity. Standard Contractual Clauses (SCCs) are the alternative, and are also what you will typically sign with vendors; SCCs must be accompanied by a transfer impact assessment of whether US law undermines the protections they promise.

6. Breach Notification: 72 Hours
A personal data breach must be reported to the competent EU supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, they must also be notified without undue delay. The 72 hours run continuously, weekends included; a notification made after the deadline must be accompanied by reasons for the delay, and you may notify in phases if the facts are still being established rather than waiting for a complete investigation.

7. Data Processing Records
Article 30 exempts organizations with fewer than 250 employees from keeping written records of processing activities, but only if the processing is occasional, is unlikely to result in a risk to individuals, and involves no special-category or criminal-offence data. Routine processing of customer or employee data is not "occasional", so most small companies that fall under GDPR are still required to keep the record. Even where the exemption does apply, maintaining a record of processing activities is considered best practice and demonstrates compliance in investigations.

How US Companies Actually Get Fined

GDPR enforcement against US companies typically starts one of three ways:

1. Customer or User Complaint

Any EU individual can file a complaint with their national data protection authority (DPA). If a customer feels their data was misused, their rights weren't respected, or they can't get their data deleted — they can file. DPAs investigate. Small companies get fined just like large ones.

2. Data Breach

If you experience a breach involving EU personal data and fail to notify within 72 hours — or notify inadequately — you'll face fines for the breach notification failure, potentially on top of fines for the underlying security failure. The 72-hour clock starts when you become "aware" of the breach, not when you complete your investigation.

3. Targeted Investigation

DPAs conduct proactive investigations, particularly around cookie compliance and data transfers. The Irish DPA (which handles most US tech company cases, since many have EU headquarters in Ireland) has investigated hundreds of companies. Spanish, French, and German DPAs are also active enforcers.

A US company with $3M annual revenue received a €30,000 fine from a German data protection authority (Germany has a federal DPA plus one per state, and most enforcement against companies comes from the state authorities) for an inadequate cookie consent implementation. The investigation began when a user filed a complaint. The fine was proportionate to company size, but €30K is still €30K.

Minimum Viable GDPR Compliance for a US Business

If you're a small US company with some EU exposure and limited resources, here's the minimum you need to do:

  1. Audit your data collection — what personal data do you collect from EU users? List every source: website, product, CRM, email platform, support tools, and the vendors each one sends data to.
  2. Update your privacy policy — add GDPR-specific disclosures: lawful basis for each category, retention periods, EU data subject rights and how to exercise them, data transfer mechanisms (DPF or SCCs), and the right to complain to a DPA. If you have no establishment in the EU, Article 27 also generally requires you to appoint an EU-based representative and name them in the policy, unless your processing is only occasional, low-risk, and involves no large-scale special-category data.
  3. Implement a cookie consent banner — with equally prominent accept and reject options. No pre-ticked boxes. Do not load non-essential scripts or set non-essential cookies until consent is given, and offer a way to withdraw it later.
  4. Self-certify under the EU-US Data Privacy Framework — if you transfer EU personal data to US systems (which you almost certainly do). Certification is done online with the Department of Commerce, carries an annual program fee scaled to your revenue, requires a DPF-compliant privacy policy and a named independent recourse mechanism, and must be renewed every year.
  5. Add SCCs to vendor contracts — for any vendor that processes EU data on your behalf, Standard Contractual Clauses (or the vendor's own DPF certification) should be in place. Most major vendors (AWS, Google, etc.) include these in their data processing agreements; check that you have actually executed them rather than assuming.
  6. Create a data subject request process — establish a mechanism for EU users to request access, deletion, or portability of their data, including how you verify the requester's identity. Document how you'll respond within one month.
  7. Create a breach notification procedure — know which EU DPA to notify and how to notify within 72 hours. A US company with no EU establishment cannot rely on a single "lead" authority under the one-stop-shop, so it may need to notify the DPA in each member state where affected individuals are located; list those authorities and their breach-reporting portals in advance.
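The consent-blocking requirement in step 3 (and in requirement 3 above) is the one item on this list that is implemented in code rather than in documents. Below is an added example, written for this page and not taken from the article or from any consent-management product, of the gating logic: non-essential scripts are registered with a category and only injected once an explicit, versioned consent record exists. No record, a corrupt record, or a record made under an older notice version all count as "no". The category names, storage key, and script URLs are illustrative assumptions, and the in-memory storage exists only so the logic runs outside a browser.

```javascript
// Added example (not code from the article or from any consent vendor): a minimal
// consent gate for non-essential scripts. Nothing loads until the user makes an
// explicit choice; absence of a choice is "no". Names and URLs are assumptions.

const CATEGORIES = ["analytics", "advertising", "personalization"];
const STORAGE_KEY = "gdpr_consent";

class ConsentManager {
  // storage: object with getItem/setItem/removeItem (window.localStorage in a browser).
  // loader:  function(url) that injects the script; only ever called after consent.
  // version: bump when the notice or purposes change so users are asked again.
  constructor({ storage, loader, version = 1 }) {
    this.storage = storage;
    this.loader = loader;
    this.version = version;
    this.pending = [];        // non-essential scripts waiting for consent
    this.loaded = new Set();  // URLs already injected, so loads are idempotent
  }

  // Stored decision, or null if the user never decided or decided under an older
  // notice version. null is "not consented": there is no pre-ticked default.
  getConsent() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const record = JSON.parse(raw);
      return record.version === this.version ? record : null;
    } catch (e) {
      return null;  // corrupt record is treated as no consent, never as consent
    }
  }

  isGranted(category) {
    const record = this.getConsent();
    return Boolean(record && record.choices[category] === true);
  }

  // Register a non-essential script. It loads now only if consent for its category
  // is already on record; otherwise it is queued. Returns true if it was loaded.
  register(category, url) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.isGranted(category)) return this.load(url);
    this.pending.push({ category, url });
    return false;
  }

  // Record an explicit decision from the banner. `choices` maps category -> boolean;
  // anything missing or not strictly true is refused, so {} means "reject all".
  record(choices) {
    const normalized = {};
    for (const c of CATEGORIES) normalized[c] = choices[c] === true;
    this.storage.setItem(STORAGE_KEY, JSON.stringify({
      version: this.version,
      choices: normalized,
      timestamp: new Date().toISOString(),  // evidence of when consent was given
    }));
    // Flush queued scripts whose category is now granted; keep the rest queued.
    this.pending = this.pending.filter((p) => {
      if (normalized[p.category]) { this.load(p.url); return false; }
      return true;
    });
    return normalized;
  }

  acceptAll() {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return this.record(all);
  }

  rejectAll() { return this.record({}); }

  // Withdrawal must be as easy as consent. Scripts already injected cannot be
  // unloaded from a running page, so the caller should reload after this.
  withdraw() {
    this.storage.removeItem(STORAGE_KEY);
    return this.getConsent() === null;
  }

  load(url) {
    if (!this.loaded.has(url)) {
      this.loader(url);
      this.loaded.add(url);
    }
    return true;
  }
}

// In-memory storage so the logic can be exercised outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Browser loader: the <script> tag is created only when called, i.e. after consent.
function browserLoader(url) {
  const s = document.createElement("script");
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// A typical session with constructed, non-existent script URLs; returns what
// was actually loaded at each step so the behaviour can be checked.
function demo() {
  const loaded = [];
  const cm = new ConsentManager({ storage: memoryStorage(), loader: (u) => loaded.push(u) });
  cm.register("analytics", "https://analytics.example/ga.js");    // queued: no decision yet
  cm.register("advertising", "https://ads.example/pixel.js");     // queued
  const beforeChoice = loaded.length;                             // nothing fired before the choice
  cm.record({ analytics: true });                                 // user ticked analytics only
  const afterChoice = loaded.slice();                             // only the analytics script
  cm.register("advertising", "https://ads.example/retarget.js");  // advertising refused: queued
  cm.withdraw();
  return { beforeChoice, afterChoice, stillPending: cm.pending.length, consentAfterWithdraw: cm.getConsent() };
}

console.log(demo());
```

In a real page, pass window.localStorage as the storage and browserLoader as the loader, call register() for each tracking script at page load, and wire the banner's buttons to record(), acceptAll(), and rejectAll(). The stored record's timestamp and version are what you would produce to a DPA as evidence that consent was obtained before any tracking started.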
⚠ The Most Common US Compliance Miss

Most US companies implement a cookie banner but forget about data transfer mechanisms. Sending EU personal data to US-based systems (your CRM, email platform, analytics tool) without a valid transfer mechanism is a GDPR violation — even if your privacy policy is perfect and your cookies are handled correctly.

Don't Forget US State Privacy Laws

While building GDPR compliance, US companies should simultaneously address state-level privacy requirements:

  • California (CCPA/CPRA): Applies to for-profit companies doing business in California with more than $25M in annual revenue (a threshold adjusted for inflation), that buy, sell, or share the personal information of 100,000+ California consumers or households, or that derive 50%+ of revenue from selling or sharing personal information
  • Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA): Similar frameworks to GDPR, covering residents of those states
  • Texas (TDPSA), Florida (FDBR), Oregon (OCPA): Newer state laws with varying thresholds and requirements

A GDPR compliance program gives you 70–80% of what you need for US state privacy laws. Building them together is more efficient than sequential compliance projects.
