
GDPR Compliance for US Companies – When It Applies and What to Do

2026 Apr 21 | GDPR and iGDPR guides for practitioners and beginners

GDPR compliance for US companies is not optional, and it is not a European problem alone. If your company collects, processes, or monitors the personal data of individuals located in the EU, GDPR applies to you regardless of where your business is incorporated or where your servers are.

This is not a technicality. EU data protection authorities have already pursued enforcement actions against US-based companies, and fines are calculated on global annual revenue, not just European operations. A compliance gap that affects your EU users can cost up to €20 million or 4% of your worldwide turnover, whichever is higher.

Does GDPR Compliance Apply to US Companies?

GDPR’s extraterritorial scope is defined in Article 3. It applies to any organization that:

Offers goods or services to individuals in the EU, including free services. Mere accessibility of your website from the EU is not enough on its own (Recital 23); what matters is whether you are directing your activities at people in the EU, for example by offering EU languages or currencies, shipping to EU countries, or marketing to EU customers. If you do that while collecting email addresses, tracking behavior, or processing payments from people in the EU, you are in scope. The test is not whether you have a physical presence in Europe, but whether you are targeting individuals in the EU.

Monitors the behavior of individuals in the EU — analytics tools, retargeting pixels, cookie tracking, and behavioral profiling of EU visitors all trigger GDPR obligations, even if the data never leaves US servers.

The key question is not “do we have a European office?” but “do we have users or customers in the EU?” If the answer is yes, GDPR applies to you.

What Most US Companies Get Wrong

Assuming CCPA compliance is enough. GDPR for American businesses is fundamentally stricter than CCPA. The two frameworks share some concepts but operate on different principles. GDPR requires a lawful basis under Article 6 before processing any personal data: consent, contract, legal obligation, vital interests, public task, or legitimate interests. CCPA operates on an opt-out model, where data collection is the default. Meeting CCPA does not meet GDPR.

Treating GDPR as a privacy policy update. A revised privacy policy is necessary but not sufficient. GDPR requires operational changes: documented legal bases for each processing activity, a record of processing activities (RoPA), data subject request workflows, data processing agreements with vendors, and breach notification procedures.

Ignoring data transfers. Transferring EU personal data to US servers is a cross-border data transfer under GDPR. Since the invalidation of Privacy Shield by the Court of Justice of the EU in July 2020, the EU-US Data Privacy Framework (DPF) — adopted in July 2023 and upheld by the EU General Court in September 2025 — provides the primary legal pathway for transatlantic data transfers, but only for certified companies. Without DPF certification, standard contractual clauses (SCCs) or binding corporate rules remain the alternative.

Forgetting about vendors. Every third-party tool that processes EU personal data on your behalf — your CRM, email platform, analytics provider, cloud storage — is a data processor under GDPR. You are responsible for ensuring they comply, and you must have a data processing agreement (DPA) in place with each of them.

Key Requirements for US Companies Under GDPR

1. Appoint an EU Representative

If your organization has no establishment in the EU but processes EU personal data, Article 27 requires you to appoint a representative in an EU member state. This person or entity serves as the local contact for data protection authorities and for individuals exercising their rights. Article 27(2) exempts processing that is only occasional, does not include large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to individuals; a company that actively markets to or tracks EU users will rarely qualify for that exemption.

2. Identify and Document a Legal Basis

Before collecting or using any personal data, you must identify and document a valid legal basis. For most US companies, the relevant bases are consent, contract performance, and legitimate interests. Legitimate interests requires a documented Legitimate Interest Assessment (LIA) that identifies the interest, shows the processing is necessary for it, and balances it against the rights of the individuals concerned; the basis is only available where those rights do not override your interest.

3. Build a Record of Processing Activities (RoPA)

Article 30 requires a documented inventory of all data processing activities: what data you collect, why, from whom, how long you keep it, who you share it with (including transfers outside the EU), and a general description of the security measures in place. The small-organization exemption in Article 30(5) does not apply where processing is more than occasional, so it rarely helps a company that routinely handles EU customer data. This record is the foundation of GDPR compliance and typically the first document a regulator requests during an investigation.

4. Implement Data Subject Rights Workflows

EU individuals have eight rights under GDPR: to be informed, access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. You must have a process in place to receive, verify the requester’s identity, and respond to these requests within one month; Article 12(3) allows that period to be extended by two further months for complex or numerous requests, provided you tell the individual within the first month. There is no exception for non-EU companies.

5. Sign Data Processing Agreements with All Vendors

Any vendor that processes EU personal data on your behalf must sign a GDPR-compliant DPA containing the mandatory terms of Article 28(3), such as processing only on your documented instructions, confidentiality, security measures, sub-processor controls, and assistance with data subject requests and breach notification. This includes your SaaS providers, marketing platforms, cloud infrastructure providers, and any other third party that touches EU data. Accepting a vendor’s standard terms of service is not sufficient unless those terms include a full DPA.

6. Establish a Breach Notification Process

If a personal data breach occurs that is likely to result in a risk to individuals, Article 33 requires you to notify the relevant EU supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; a late notification must explain the delay. If the breach is likely to result in a high risk to individuals, Article 34 requires you to notify those individuals directly as well. Every breach, notified or not, must be documented internally (Article 33(5)), and your processors must be contractually required to report breaches to you without undue delay so the clock does not run out before you hear about it. Missing the 72-hour window is a frequent basis for enforcement action.

7. Address Cross-Border Data Transfers

A US company that moves EU personal data to US servers has three main legal mechanisms available: certification under the EU-US Data Privacy Framework, standard contractual clauses (SCCs), or binding corporate rules. The DPF is the simplest pathway for most companies, but certification requires active steps and annual re-certification. SCCs in turn require a documented transfer impact assessment of US law and any supplementary measures, as the Court of Justice required in Schrems II. Given the history of invalidated transfer frameworks, maintaining SCCs as a backup mechanism is advisable regardless of DPF certification status.

The EU AI Act Adds Another Layer

The EU AI Act entered into force on 1 August 2024 and most of its provisions become applicable on 2 August 2026, with some obligations phased in earlier (prohibited practices) and later (certain high-risk systems). US companies using AI systems to process EU personal data, whether for hiring decisions, credit scoring, personalized marketing, fraud detection, or content recommendation, face additional obligations under this framework, including requirements for risk classification, technical documentation, and in certain cases a Fundamental Rights Impact Assessment (FRIA) alongside a standard DPIA. The AI Act applies to providers and deployers regardless of where they are based whenever the system is placed on the EU market or its output is used in the EU, mirroring GDPR’s extraterritorial scope.

Practical Starting Point

If you are a US company that has not yet formally assessed your GDPR exposure, the starting point is a data inventory: map what EU personal data you collect, where it flows, who has access to it, and what you are doing with it. From that foundation, you can identify your legal bases, build your RoPA, and prioritize your compliance gaps.

The most common mistake is treating GDPR as a one-time project. It is an ongoing operational obligation — records must stay current, vendor agreements must be reviewed, and breach response procedures must be tested.

Managing GDPR Compliance Across Multiple Entities

For US companies with multiple business units, subsidiaries, or EU-based operations, managing GDPR compliance across a fragmented structure is one of the most common practical challenges. iGDPR was built specifically to support GDPR compliance for US companies and multinationals managing records of processing activities, risk assessments, data subject requests, and vendor agreements for multiple entities in a single system — each with its own documentation, while maintaining centralized oversight.

Frequently Asked Questions about GDPR for US Companies

Does GDPR apply to US companies with no office in Europe?

Yes. GDPR applies to any organization that offers goods or services to individuals in the EU or monitors their behavior — regardless of where the organization is incorporated or where its servers are located. Having no physical presence in Europe does not exempt a US company from GDPR obligations.

Is CCPA compliance sufficient for GDPR?

No. CCPA and GDPR are fundamentally different frameworks. CCPA operates on an opt-out model — data collection is permitted by default. GDPR requires a lawful legal basis before any personal data is collected or processed. Meeting CCPA does not satisfy GDPR requirements.

What is the EU-US Data Privacy Framework and does my company need it?

The EU-US Data Privacy Framework (DPF) is a self-certification mechanism adopted by the European Commission in July 2023 that allows US companies to transfer EU personal data to the US without additional safeguards. It is not mandatory — Standard Contractual Clauses (SCCs) are an alternative — but it provides the simplest legal pathway for most companies engaged in transatlantic data transfers.

What happens if a US company violates GDPR?

EU data protection authorities can impose fines of up to €20 million or 4% of global annual turnover, whichever is higher. Fines are calculated on worldwide revenue — not just EU operations. Authorities have pursued enforcement actions against US-based companies, and the territorial location of the business does not prevent enforcement.

Does a US company need to appoint an EU representative?

Yes, in most cases. If the company has no establishment in the EU but processes EU personal data, Article 27 of GDPR requires the appointment of a representative in an EU member state who serves as the local point of contact for data protection authorities and data subjects. The only exemption (Article 27(2)) covers occasional, low-risk processing that does not involve large-scale processing of special categories of data.

How does the EU AI Act affect US companies?

Most of the EU AI Act becomes applicable on 2 August 2026, and it mirrors GDPR’s extraterritorial scope: it applies to any company whose AI systems are placed on the EU market or whose output is used in the EU, regardless of where the company is based. US companies using AI for decisions that affect EU individuals (hiring, credit, marketing, fraud detection) face obligations including risk classification, technical documentation, and in some cases a Fundamental Rights Impact Assessment.

Manage GDPR compliance for your US operations in one place

iGDPR helps you build and maintain your record of processing activities, manage data subject requests, document legal bases, and track vendor agreements — across multiple entities if needed. See how it works in practice.
