The General Data Protection Regulation is a European Union law, so American businesses often assume it is Europe’s problem. Sometimes that is right. Often it is not, and the companies most surprised to learn they are covered are small ones: an online store, a SaaS tool, a newsletter with subscribers in Berlin.
What GDPR is
GDPR took effect in 2018 and is the EU’s comprehensive privacy law. It governs personal data, defined broadly: names, emails, IP addresses, location data, cookie identifiers, anything relating to an identifiable person. It gives people rights over their data (access, correction, deletion, portability, objection) and puts obligations on the organizations that collect and process it, with fines that can reach 20 million euros or 4 percent of worldwide annual revenue, whichever is higher.
The number that matters for this post, though, is in Article 3, the territorial scope provision.
The two hooks that catch US companies
A US company with no European office can still be covered in two ways.
Hook one: offering goods or services to people in the EU. The test is targeting, not mere accessibility. A website that Europeans can technically visit is not, by itself, covered. Signals of targeting include: pricing in euros, an EU-language version of the site aimed at an EU market, shipping to EU countries, marketing directed at EU customers, or an EU country domain. Take payment from customers in France and ship them products, and you are plausibly offering goods to people in the EU. Notably, the hook is people in the EU, not EU citizens; an American living in Madrid counts, while a French tourist buying from your shop in Boston generally does not.
Hook two: monitoring behavior of people in the EU. This is the quieter hook. Tracking cookies, behavioral analytics, ad retargeting, profiling: if your site tracks visitors’ behavior and some of those visitors are in the EU, this hook can reach you. It is the reason cookie consent banners conquered the internet. In practice, regulators have focused enforcement on companies with a real EU footprint rather than every US blog with a stray Belgian reader, but the legal text is broad, and a US company deliberately building an EU audience should assume it applies.
If neither hook applies, GDPR does not cover you directly, though it can still arrive by contract: large customers routinely push GDPR-style data protection terms onto their US vendors, so plenty of American companies comply commercially even when the law does not reach them.
If it applies, what does it actually require?
The full regime is long, but the core obligations are:
- A lawful basis for processing. You need a legal justification (consent, contract necessity, legitimate interests, and a few others) for each use of personal data. Consent must be genuine: specific, informed, and as easy to withdraw as to give. Pre-ticked boxes do not count.
- Transparency. A privacy notice that honestly says what you collect, why, how long you keep it, and who you share it with.
- Honoring data subject rights. People can ask for their data, ask you to fix it, and in many cases ask you to delete it, and you generally have a month to respond.
- Data minimization and security. Collect only what you need, keep it only as long as you need it, protect it appropriately.
- Breach notification. Serious breaches must be reported to the regulator within 72 hours of discovery.
- Paperwork proportional to your risk. Records of processing activities, data processing agreements with vendors, and, for some organizations, an EU-based representative and a data protection officer.
- Cross-border transfer rules. Moving EU personal data to US servers is itself regulated, historically handled through mechanisms like standard contractual clauses and, more recently, an EU-US data privacy framework. This corner of the law has been repeatedly litigated and revised; if transfers matter to your business, this is the section to get current advice on.
Why a US reader should care even if GDPR misses them
GDPR became the template. California’s privacy laws started the trend domestically, and a growing list of states have followed with comprehensive privacy statutes of their own. The specifics differ, but the direction is the same: transparency, individual rights, accountability for vendors. A small company that builds GDPR-shaped habits (know what data you hold, why you hold it, and how to delete it) is largely pre-building compliance for whatever US law reaches it next.
The practical sequence
- Map your data: what you collect, where it lives, which vendors touch it.
- Decide honestly whether either Article 3 hook applies to you.
- If yes, fix the visible layer first (privacy notice, consent mechanics, cookie behavior), then the plumbing (vendor agreements, deletion workflows, breach plan).
- If transfers or regulators are in the picture, get a privacy lawyer. This is one of the areas where the law genuinely moves.
For more plain-English business law, see the business law topic page.
Further reading
- LLC vs Corporation: Which Entity, Plainly
- Setting Up in the US: Legal Basics for Foreign Companies
- Business Law: all posts
I am a law student, not a lawyer, and privacy law changes quickly. Nothing on this site is legal advice. If GDPR compliance matters to your business, talk to a licensed attorney.