Does GDPR Apply to US Companies? A Compliance Guide

Yes, GDPR can apply to a US company that has never opened a European office. Article 3(2) of Regulation (EU) 2016/679 extends the law to any controller or processor outside the EU when its processing touches people who are in the Union, provided one of two tests is met. This guide explains exactly when those tests are triggered, what a US company must do once they are, and what fines are at stake.
For a full overview of what GDPR requires (including the seven data-processing principles and the six lawful bases), see the companion explainer. The EU Data Privacy Laws hub covers the broader European framework.
The Short Answer: Yes, If You Meet Either Test
Article 3(2) of GDPR is explicit: the regulation applies to controllers and processors not established in the EU when their processing relates to (a) offering goods or services to data subjects in the Union, regardless of whether payment is required, or (b) monitoring the behaviour of data subjects in so far as their behaviour takes place within the Union.
The key consequence for US businesses is that physical presence in the European Union is irrelevant to the analysis. A software company headquartered in Austin, a media publisher based in Chicago, or an e-commerce retailer in Phoenix can all fall within GDPR's reach depending solely on how they interact with people who are in the EU at the time of processing.
Two separate triggers exist, and meeting either one is sufficient. Most US companies that have EU website traffic, EU customers, or EU-facing marketing need to work through both tests carefully.
The Two Triggers: Offering Services Versus Monitoring Behaviour
The Targeting Test: Offering Goods or Services (Article 3(2)(a))
The first trigger applies when a US company is offering goods or services to data subjects who are in the Union. "Offering" requires an element of deliberate targeting. It is not enough that EU residents can access your website.
Recital 23 of GDPR draws this boundary directly: "The mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention." In plain terms, a US company that happens to use English on its website does not automatically reach EU residents simply because English is widely spoken there.
What does cross the line, according to Recital 23? Factors that show an intention to serve EU data subjects include: using a language or currency generally used in one or more EU Member States alongside the ability to order goods or services in that language; offering EU-specific delivery options; and directly mentioning customers or users who are in the Union. The European Data Protection Board's Guidelines 3/2018 (Version 2.0, adopted 12 November 2019) provide additional examples: top-level domain names referencing an EU country, EU-targeted advertising, or a website that displays prices in euros with a shopping cart that accepts EU shipping addresses.
Practical examples where a US company almost certainly triggers Art 3(2)(a):
- An online retailer whose checkout accepts euros, ships to Germany and France, and displays a "Ships to Europe" banner.
- A SaaS company whose pricing page says "For EU customers, VAT will be added at checkout" and whose support pages address GDPR rights.
- A subscription service that runs Facebook or Google ad campaigns geo-targeted to EU Member States.
Practical examples that are unlikely to trigger Art 3(2)(a) on their own:
- A US law firm's website with an English-language contact form that has no EU-facing services and no EU delivery or pricing information, even if a Belgian user once filled out the form.
- A US blogger whose posts are globally accessible but whose site has no EU-currency options, no EU shipping, and no EU-directed marketing.
The Monitoring Test: Tracking EU Behaviour (Article 3(2)(b))
The second trigger is behavioural monitoring. Recital 24 of GDPR explains that this covers tracking EU residents' behaviour online, including profiling activities used to analyse or predict their personal preferences, behaviours, and attitudes.
The monitoring test is reached by a wide range of standard US digital marketing and analytics practices:
- Installing third-party advertising or retargeting pixels (Google Ads, Meta Pixel, LinkedIn Insight Tag) on a website visited by EU users, where those pixels collect IP addresses and browsing behaviour to build audience segments.
- Running a web analytics platform (even a self-hosted one) configured to capture and retain individual-level IP addresses from EU visitors.
- Using a customer data platform that stitches together EU users' browsing, purchase, and email-open histories into a behavioural profile for downstream targeting.
- Operating a mobile app that logs EU users' location or in-app behaviour over time.
A US company does not need to be intentionally targeting EU users to satisfy the monitoring test. If your analytics or ad platform is capturing individual-level data from people who happen to be in the EU and you are using that data to make decisions about those individuals, the monitoring trigger may apply independently of the targeting test.
Practical Checklist: Does Your Business Meet Either Test?
Work through these questions before concluding GDPR does not apply:
- Does your website or app offer checkout, registration, or sign-up flows that accept EU payment methods, currencies, or shipping addresses? (Targeting test indicator.)
- Have you run paid advertising campaigns geo-targeted to any EU country? (Targeting test indicator.)
- Does your privacy policy, terms of service, or support documentation reference EU users, GDPR rights, or EU data protection specifically? (Targeting test indicator.)
- Do you use any advertising pixel, analytics tag, or tracking cookie that collects EU users' IP addresses or browsing data? (Monitoring test indicator.)
- Does your CRM, marketing platform, or data warehouse contain profiles that include EU residents as identified or identifiable individuals? (Both tests may apply.)
If you answered yes to any of the above, treat GDPR as applicable and continue through the obligations below.
Step 1: Designate an EU Representative (Article 27)
Once Art 3(2) pulls a US company into GDPR's scope, Article 27(1) imposes an immediate structural requirement: the company must designate in writing a representative established in one of the EU Member States where its data subjects are located.
The EU representative serves as the company's local point of contact for data subjects and supervisory authorities. Data subjects can exercise their GDPR rights through the representative. Any EU data protection authority (DPA) can direct enforcement correspondence and administrative actions to the representative. The representative must be mandated to be addressed in addition to, or instead of, the controller or processor itself.
The representative does not need to be a law firm or a large corporate body. Commercial representative services exist in EU Member States specifically for this purpose. What matters is that the designation is in writing and that the representative's identity and contact details are disclosed in the company's privacy policy.
The Article 27(2) narrow exception. Not every US company that technically meets Art 3(2) must appoint a representative. Article 27(2)(a) carves out processing that is occasional; that does not include, on a large scale, processing of special categories of data under Article 9(1) (health data, biometric data, racial or ethnic origin, religious beliefs, etc.) or of data relating to criminal convictions; and that is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing. All three conditions must hold. Public authorities are separately exempt under Art 27(2)(b).
This exception is narrow in practice. Most US companies running a website with advertising cookies, a marketing email list, or behavioural analytics will not qualify, because their processing is ongoing (not occasional) and involves persistent individual-level tracking. A US researcher who collected a one-time anonymous survey from EU academics might qualify; a US SaaS company with a recurring EU subscriber base will not.
Failure to appoint is a fine-eligible violation. Missing a required Art 27 representative is a Tier 1 fine violation under Art 83(4), exposing the company to up to EUR 10 million or 2% of global annual turnover, whichever is higher.
Once you have confirmed GDPR applies, the GDPR for Small Businesses compliance checklist covers the full stack of day-to-day controller obligations: privacy notices, lawful basis documentation, data subject rights responses, processor contracts, and breach notification.
Step 2: Choose Your Data Transfer Mechanism
A separate legal question arises the moment an EU company or EU individual transfers personal data to your US servers: that outbound transfer from the EU to the US requires a lawful transfer mechanism under GDPR Chapter V (Articles 44 through 49). The CJEU's Schrems II judgment (2020) invalidated the predecessor Privacy Shield mechanism, but two primary tools are now available to US companies.
Option A: Self-Certify to the EU-US Data Privacy Framework
On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF) as Commission Implementing Decision (EU) 2023/1795 under GDPR Article 45(3). The decision concludes that the United States ensures an adequate level of protection for personal data transferred to DPF-certified US organizations, meaning EU partners can transfer data to a certified US company without needing any additional contract or authorization.
The DPF is administered by the US Department of Commerce. A US company self-certifies annually to the DoC, committing to the seven DPF Principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. Certification is limited to companies subject to FTC or Department of Transportation jurisdiction. Most private-sector US companies qualify, but financial institutions under the GLBA and certain other regulated industries have specific rules to check.
Under the DPF, EU individuals have multiple redress pathways: direct complaint to the certified organization (45-day response requirement), independent dispute resolution bodies, the US Department of Commerce, the FTC, national DPAs, and the EU-US Data Privacy Framework Panel as a final binding recourse, which can impose individual-specific non-monetary equitable relief.
For analysis of the DPF's current litigation risk and long-term stability, including the pending Latombe challenge and the PCLOB oversight mechanism, see the EU-US Data Privacy Framework deep-dive.
Option B: Execute 2021 Standard Contractual Clauses
US companies that are not DPF-certified, or that want a transfer mechanism that does not depend on the adequacy decision's political durability, may use the 2021 Standard Contractual Clauses (SCCs) established by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The 2021 SCCs replaced the pre-GDPR 2001 and 2010 SCC decisions and are now the required form; the old clauses cannot be used for new transfers.
The 2021 SCCs use a modular structure with four modules mapped to different transfer scenarios:
- Module 1 (Controller to Controller): applies when a US company receives EU personal data from an EU partner and processes it for its own purposes.
- Module 2 (Controller to Processor): applies when a US company processes EU personal data strictly on behalf of an EU controller, for example a US cloud provider or marketing processor.
- Module 3 (Processor to Sub-Processor): applies when a US company acts as a sub-processor engaged by an EU processor.
- Module 4 (Processor to Controller): the less-common scenario where a US processor sends data back to its EU controller.
A US company receiving EU data from an EU business partner should determine which module governs the relationship before executing the SCCs. Getting the module wrong is itself a compliance failure.
The 2021 SCCs also require a Transfer Impact Assessment (TIA): the US data importer must assess whether US law conflicts with its SCC obligations, and must notify the EU exporter if it cannot comply. Data subjects are direct third-party beneficiaries of the SCCs and can enforce the clauses against either party. For detailed guidance on module selection, TIA mechanics, and the interaction with BCRs, see the GDPR international data transfers guide.
Option C: Binding Corporate Rules for Multinationals
Binding Corporate Rules (BCRs) are a third available transfer mechanism, approved by a lead DPA, for multinational corporate groups that transfer personal data internally across borders. The European Commission has confirmed that the national security safeguards and redress mechanisms established in connection with the DPF adequacy decision also support the use of SCCs and BCRs, reinforcing both as durable alternatives.
BCRs require DPA approval, a process measured in months rather than days, and are practical only for large multinationals with ongoing intragroup transfers. For most US companies, DPF self-certification or 2021 SCCs are the operative choice.
What Fines Can You Face?
GDPR Article 83 establishes a two-tier fine structure, and both tiers apply to non-EU companies subject to Art 3(2).
Tier 2 (Article 83(5)) is the higher tier. It covers violations of the GDPR's most fundamental provisions, including: processing without a lawful basis (Arts. 5 and 6); breaching the conditions for valid consent (Art. 7); processing special-category data without authorisation (Art. 9); and violating the basic principles of processing. The maximum is EUR 20,000,000, or in the case of an undertaking, 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Tier 1 (Article 83(4)) is the lower tier. It covers procedural and structural violations: failure to maintain records of processing activities (Art. 30), failure to notify a data breach to the supervisory authority within 72 hours (Art. 33), failure to designate an EU representative when required (Art. 27), and failure to conduct a required data protection impact assessment (Art. 35). The maximum is EUR 10,000,000, or 2% of global annual turnover, whichever is higher.
Several points are important for US companies specifically:
- Fines are calculated per violation and can be stacked. A company that lacks a lawful transfer mechanism, has no EU representative, and failed to notify a breach faces potential fines across multiple articles simultaneously.
- Supervisory authority jurisdiction over a non-EU company is determined by where the EU data subjects whose data was processed are located. A US company with users in Germany, France, and the Netherlands may face action from any of those three DPAs, or from a lead authority designated under the one-stop-shop mechanism if the company later establishes a main EU establishment.
- The fine maxima are not floors. Supervisory authorities apply the Art 83(2) factors (nature, gravity, duration of the infringement; number of data subjects affected; intentional or negligent character; prior violations; cooperation with the authority) to calibrate the actual fine. A US startup with 5,000 EU users and no lawful transfer mechanism faces a different risk profile than a US tech company with 50 million EU users.
The GDPR Obligations That Apply Once You Are Covered
Confirming GDPR scope is the gateway, not the finish line. A US company that meets Art 3(2) must satisfy the full stack of GDPR controller obligations, including:
Lawful basis for processing. Every processing activity must rest on one of the six lawful bases in Art 6(1): consent, contract, legal obligation, vital interests, public task, or legitimate interests. For most US businesses, the operative bases are consent (for marketing) and legitimate interests (for analytics and fraud prevention, subject to a balancing test).
Privacy notice. Data subjects must receive the Art 13 or Art 14 information notice at the time of data collection, including the identity of the controller, purposes and legal bases for processing, retention periods, and data subject rights.
Data subject rights. GDPR grants EU residents the rights of access (Art 15), rectification (Art 16), erasure (Art 17), restriction (Art 18), portability (Art 20), and objection (Art 21). Requests must generally be answered within 30 days at no charge.
Records of processing activities. Art 30 requires both controllers and processors to maintain written records of their processing activities, available to supervisory authorities on request. An exception applies under Art 30(5) for organisations with fewer than 250 employees, unless the processing is likely to result in a risk to data subjects, is not occasional, or includes special-category data. Because this exception is narrow, most US companies with ongoing EU-facing operations should maintain a record of processing activities regardless of size.
Processor contracts. Where a US controller engages a vendor or processor to handle EU personal data, Art 28 requires a written contract specifying the subject matter, duration, nature and purposes of the processing, the type of personal data, and the categories of data subjects. The contract must impose the Art 28(3) obligations on the processor.
Breach notification. Art 33 requires notification to the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to natural persons. The 72-hour clock runs from awareness, not from the breach event itself.
For the complete compliance checklist (including data protection by design obligations, consent management, data subject rights workflows, and the DPA notification procedure), see the GDPR for Small Businesses compliance checklist.
Related guides
- GDPR International Data Transfers: Chapter V Rules (2026)
- GDPR Right to Be Forgotten (Article 17) Explained
- EU AI Act and Data Privacy: GDPR Intersection Explained
- EU Data Privacy Laws: GDPR, AI Act & the 2025-2026 Digital Reforms
- What Is GDPR? Complete Guide to EU Data Protection (2026)