GDPR for US Companies: What You Need to Know
Quick Answer
US companies must comply with GDPR if they offer goods or services to individuals in the EU/EEA or monitor their behavior there (Article 3(2)), even with no physical presence in the EU. Companies without an EU establishment generally must also appoint an EU representative (Article 27).
Does GDPR Apply to US Companies?
Yes, if your US company offers goods or services to individuals in the EU/EEA or monitors their behavior. GDPR's extraterritorial scope (Article 3(2)) turns on whose data you process and why, not on where your servers are located or where your company is incorporated. A US company with an EU office or subsidiary is caught more directly under Article 3(1), which covers processing in the context of an EU establishment.
Key Takeaways
- GDPR applies to US companies that offer goods/services to individuals in the EU or monitor their behavior
- No physical EU presence required: a website that targets EU customers can trigger GDPR (mere accessibility from the EU does not)
- US companies without an EU establishment may need to appoint an EU representative
- International data transfers require appropriate safeguards (EU-US DPF, SCCs, etc.)
- EU enforcement against US companies has increased significantly since 2020
Two Triggers for US Companies
| Trigger | Examples | Key Indicators |
|---|---|---|
| Offering goods/services to individuals in the EU (Art. 3(2)(a)) | E-commerce selling to the EU, SaaS with EU customers, EU-targeted marketing | EUR pricing, EU shipping options, content in EU languages, .eu domains, ads targeted at EU audiences |
| Monitoring behavior of individuals in the EU (Art. 3(2)(b)) | Web analytics tracking EU visitors, behavioral advertising, location tracking | Tracking cookies set for EU visitors, profiling of EU users, behavioral targeting in the EU |
⚠️ Having EU Website Visitors Is Not Enough
Simply having a website that people in the EU can reach does not by itself trigger GDPR; Recital 23 says the mere accessibility of a website, an email address or other contact details is insufficient. What matters is whether you deliberately target EU customers (marketing to them, quoting EUR prices, shipping to the EU) or monitor their behavior (tracking cookies, analytics, profiling). If you target only US customers and an EU resident happens to visit, GDPR may not apply, but the line is fine and the analysis should be documented.
EU Representative Requirement
Under Article 27, US companies subject to GDPR but without an EU establishment must appoint an EU representative. This is a person or organization based in the EU that serves as a point of contact for supervisory authorities and data subjects.
- Must be established in one of the EU/EEA member states where the individuals whose data you process are located
- Can be an individual, a law firm, or a specialized representative service
- Costs typically EUR 2,000-10,000/year for representative services
- Your privacy notice must include the representative's contact details, and the representative must be authorized to be addressed by supervisory authorities and data subjects on your behalf
- Exemption (Art. 27(2)): no representative is required if your processing is occasional, does not include large-scale processing of special-category or criminal-offence data, and is unlikely to result in a risk to individuals. Regular EU web analytics or an EU customer base rarely qualify as "occasional."
International Data Transfers
Transferring personal data from the EU to the US requires an appropriate safeguard under Chapter V. The landscape has shifted repeatedly: Safe Harbor was invalidated in 2015 and Privacy Shield in 2020, but the EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a current mechanism. Note that the DPF adequacy decision covers only transfers to US organizations that have self-certified; transfers to any other US recipient (including your own sub-processors) still need SCCs or another safeguard.
EU-US Data Transfer History
2000-2015: Safe Harbor
Self-certification mechanism. Invalidated by CJEU in Schrems I.
2016-2020: Privacy Shield
Replacement for Safe Harbor. Invalidated by CJEU in Schrems II (July 2020).
2020-2023: SCCs (and BCRs)
Standard Contractual Clauses became the primary transfer mechanism, with the Commission adopting modernized SCCs in June 2021. Schrems II required exporters to carry out Transfer Impact Assessments and adopt supplementary measures where US law undermined the protection.
2023-Present: EU-US DPF
New framework established via EU adequacy decision. US companies can self-certify. SCCs remain available as an alternative.
| Mechanism | How It Works | Cost/Effort |
|---|---|---|
| EU-US Data Privacy Framework | Self-certify with the US Department of Commerce and comply with the DPF principles | Moderate: annual re-certification, privacy policy updates, independent recourse mechanism |
| Standard Contractual Clauses (SCCs) | Commission-approved contract terms between data exporter and importer | Low to moderate: use the EU template, but a Transfer Impact Assessment and possibly supplementary measures are required |
| Binding Corporate Rules | Internal data protection policies for a corporate group, approved by a supervisory authority | High: lengthy approval process, typically used only by large multinationals |
Practical Steps for US Companies
GDPR Compliance for US Companies
Determine if GDPR applies
Do you target EU customers, have an EU establishment (an office, subsidiary, or staff in the EU), or track the behavior of EU users? If yes, GDPR applies. Record the reasoning either way, since a supervisory authority may ask for it.
Appoint an EU representative (if needed)
If you have no EU establishment but process EU data, appoint a representative. Several services specialize in this for US companies.
Address international data transfers
Certify under the EU-US DPF or implement SCCs for all EU-US data transfers. Update your privacy policy to describe transfer mechanisms.
Implement GDPR-compliant consent
Update cookie banners, marketing consent flows, and data collection forms to meet GDPR standards.
Update your privacy policy
Create a GDPR-compliant privacy notice with all required information. Consider a separate EU-specific privacy notice if your practices differ.
Set up data subject rights processes
Implement procedures to handle access, erasure, portability, and other requests from individuals in the EU within one month of receipt. Article 12(3) allows an extension of up to two further months for complex or numerous requests, provided you inform the requester within the first month.
- EUR 1.2B: largest fine against a US company to date, Meta (2023), for unlawful EU-US data transfers
- EUR 746M: Amazon (2021), transparency and consent failures
- 5,000+: US companies self-certified under the EU-US DPF
- 1 month: DSR response time, the same requirement as for EU-based companies
Can EU authorities actually enforce GDPR against US companies?
Yes. EU supervisory authorities have issued significant fines against US companies (Meta, Amazon, Google). While direct enforcement (collecting fines) can be challenging without EU assets, companies with EU customers, EU bank accounts, or EU business relationships face real enforcement risk. EU authorities can also issue orders blocking data processing.
Do I need to comply with GDPR and CCPA?
If you process data of both EU residents and California residents, yes — you need to comply with both. There's significant overlap, but differences exist. See our GDPR vs CCPA comparison for details.
Is the EU-US Data Privacy Framework stable?
The DPF was adopted in July 2023 via an EU adequacy decision. While it provides a valid transfer mechanism today, privacy advocates (including Max Schrems/noyb) have signaled potential legal challenges. Most experts recommend maintaining SCCs as a backup transfer mechanism.
What if I just block EU traffic?
If you genuinely don't target EU residents and block EU IP addresses, GDPR likely doesn't apply. However, IP-based blocking isn't perfect (VPNs), and you'd lose EU market access entirely. This approach only makes sense if the EU market isn't relevant to your business.
Find GDPR Tools for US Companies
Compare compliance platforms with international data transfer management and EU representative services.