The short answer: GDPR follows the person, not the company

If EU visitors hit your site and you run analytics or tracking, GDPR likely applies to you. Article 3(2) ties scope to where the user is, not where your company is incorporated. So a US SaaS, e‑commerce site, or marketing page with EU traffic is in scope.
This article is for educational purposes and does not constitute legal advice. For compliance decisions, consult a qualified legal or privacy professional. Scope: EU/EEA GDPR. UK GDPR contains equivalent provisions under the UK Data Protection Act 2018.
Under GDPR Article 3(2), your US business is within scope if either of the following is true: (a) you offer goods or services to people in the EU, whether or not payment is required, or (b) you monitor their behaviour as far as it takes place within the EU.
Offering goods or services (Article 3(2)(a)). You don't need to run an EU-specific marketing campaign, and no payment has to change hands; what matters is evidence that you intend to serve people in the EU. Indicators of that intent include:
Pricing shown in EUR (€)
Language options in French, German, Spanish, Italian, or other EU languages
EU-specific shipping options or delivery addresses
References to EU users or EU-specific regulations in your terms of service
EU country options in a signup form
A website that is merely accessible in the EU does not automatically trigger scope. But a website that displays EUR pricing, has an EU language toggle, or accepts EU delivery addresses does demonstrate targeting intent — per EDPB Guidelines 3/2018, Section 3.2.
Monitoring behaviour (Article 3(2)(b)). Behavioural monitoring under GDPR means tracking individuals online across time or sessions in order to analyse or predict their behaviour, preferences or attitudes (Recital 24). This includes:
Running Google Analytics, Meta Pixel, Hotjar, or any behavioural analytics tool on your site
Retargeting EU visitors via advertising networks
A/B testing or personalisation based on browsing behaviour
Session recording tools that capture EU user interactions
If an EU resident visits your US company's website and your tracking scripts execute, you are processing personal data (IP address, device identifiers, behavioural data) and engaging in behavioural monitoring — which brings you within GDPR's scope under Article 3(2)(b).
If you're in scope, the core obligations are:
A lawful basis for each processing purpose (Article 6). For analytics and marketing that is usually consent, and non-essential scripts must not run until the user has given valid consent.
A privacy policy that explains what you collect, why, how long you keep it, and what rights users have (Articles 13 and 14).
A process for data subject requests: EU users can ask for access, deletion, restriction, or portability (Articles 15–22).
An EU representative if you have no EU establishment (Article 27).
Article 28 data processing agreements with every processor that handles EU data (e.g. AWS, Stripe, analytics vendors).
A Chapter V transfer mechanism for sending EU data to the US, typically Standard Contractual Clauses.
For the full obligation list and exact references, see the full guide on our blog (link at the end).
The usual way US companies land in scope and in violation is the tracking stack. GA on page view, Meta Pixel before consent, Intercom on first visit — those scripts run on EU visitors regardless of HQ. So you're processing EU personal data (IP, device IDs, behaviour), often without a lawful basis if consent wasn't collected first. Same technical gap for a US startup with GA4 and HubSpot on the marketing site: the moment an EU user lands, you're in scope.
The EDPB's April 2024 report on extraterritorial enforcement documents that EU DPAs have tools to investigate and act against entities outside the EU when they're in scope. Enforcement is complex but possible, especially with EU customers, revenue, or EU-based providers. The Dutch DPA's €290 million fine against Uber in 2024 (unlawful transfer of EU drivers' data to the US) is one example of action against a US-headquartered company.
US state laws (CCPA, VCDPA, CPA) are separate, and a CCPA-style cookie banner does not satisfy GDPR. CCPA is opt-out: a "Do Not Sell or Share" link is enough, and tracking may run until the user objects. GDPR is opt-in for non-essential processing: EU visitors need an affirmative choice before analytics or tracking scripts run, and a pre-ticked box or continued browsing does not count as consent.
1. Check if you're in scope. Do EU residents visit? Do tracking scripts run on first load before any interaction? Do you show EUR pricing, EU languages, or EU delivery? Yes to any → treat yourself as in scope.
2. Audit what your site actually does. A privacy policy and a banner aren't enough. You need to see behaviour: do scripts block until consent, or fire on load? Open the site in a fresh browser profile (or a private window with no cached consent cookie), open DevTools, reject consent in the banner, and watch the Network tab filtered to third-party domains; check the Application (or Storage) tab as well for cookies and local storage set by those domains. Anything non-essential that fires before the consent decision, or after a rejection, is processing without a lawful basis (Article 6), and consent collected after the scripts have already run does not meet the Article 7 conditions for valid consent. For a systematic runtime check — what loads before consent, which trackers, which risks — run your website through a free audit (no signup, no email gate): https://securespells.com
3. If you're in scope, fix the implementation. Use a CMP that actually blocks non-essential scripts until consent, not one that only shows a banner while the tags fire underneath it. Load GA, Meta Pixel, and other behavioural tools only after consent for their category, and repeat the step 2 check after every change to your tag configuration, because a new tag added through a tag manager with a page-view trigger can silently reintroduce pre-consent firing. Appoint an EU rep if you have no EU establishment (Article 27). Put DPAs in place with processors and use SCCs for transfers to the US.
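As an added example (not code from the original article or from securespells.com), the JavaScript below covers both halves of steps 2 and 3: an audit that flags third-party tracker requests not covered by the visitor's consent decision, and a consent gate that ships non-essential scripts inert and activates them only for accepted categories. The tracker host list, the category labels, the data-consent and data-src attribute names, the placeholder IDs and the sample request capture are all constructed assumptions, not vendor-documented conventions.

```javascript
// Added example (not from the original article or securespells.com): a pre-consent
// tracker audit plus a consent gate for non-essential scripts. The host list,
// category labels, data-* attribute names, placeholder IDs and the sample capture
// are assumptions constructed for illustration.

// Third-party hosts that indicate behavioural analytics / marketing scripts,
// mapped to the consent category they require. Illustrative, not exhaustive.
const TRACKER_HOSTS = new Map([
  ["www.googletagmanager.com", "analytics"],
  ["www.google-analytics.com", "analytics"],
  ["connect.facebook.net", "marketing"],
  ["static.hotjar.com", "analytics"],
  ["widget.intercom.io", "functional"],
]);

// Consent category a request needs, or null for first-party / unrecognised hosts.
function trackerCategory(url) {
  return TRACKER_HOSTS.get(new URL(url).hostname) ?? null;
}

// Audit step: given requests observed in the Network tab ({url, t} with t in ms
// since navigation start) and the visitor's consent decision, return the tracker
// requests that were not covered by consent. `consent.at` is when the banner was
// answered (null if never answered); `consent.categories` is the accepted set.
function preConsentViolations(requests, consent) {
  return requests.filter(({ url, t }) => {
    const cat = trackerCategory(url);
    if (cat === null) return false;        // not a known tracker
    if (consent.at === null) return true;  // banner never answered
    if (t < consent.at) return true;       // fired before the decision was made
    return !consent.categories.has(cat);   // fired after, but category was refused
  });
}

// Gate step: "necessary" scripts always load; everything else needs its category accepted.
function scriptsToActivate(deferred, accepted) {
  return deferred.filter((s) => s.category === "necessary" || accepted.has(s.category));
}

// Browser glue. Non-essential tags are shipped inert, e.g.
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
// With type="text/plain" the browser neither fetches nor executes them. Call this from
// the CMP's consent callback; it swaps accepted tags for live <script> elements and
// returns how many were activated (0 outside a browser, e.g. under node).
function activateDeferredScripts(accepted, doc = globalThis.document ?? null) {
  if (doc === null) return 0;
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const deferred = nodes.map((node) => ({ node, src: node.dataset.src, category: node.dataset.consent }));
  const allowed = scriptsToActivate(deferred, accepted);
  for (const { node, src } of allowed) {
    const live = doc.createElement("script");
    live.src = src;
    live.async = true;
    node.replaceWith(live);
  }
  return allowed.length;
}

// Constructed sample capture: GTM and Meta Pixel fire on load, the visitor clicks
// "Reject all" at 2400 ms, and the Intercom widget loads afterwards anyway.
const SAMPLE_REQUESTS = [
  { url: "https://example.com/", t: 0 },
  { url: "https://example.com/static/app.js", t: 120 },
  { url: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER", t: 310 },
  { url: "https://connect.facebook.net/en_US/fbevents.js", t: 350 },
  { url: "https://widget.intercom.io/widget/PLACEHOLDER", t: 3000 },
];
const REJECTED_ALL = { at: 2400, categories: new Set() };

// Stand-alone run: prints the three requests that count as pre-consent processing.
for (const v of preConsentViolations(SAMPLE_REQUESTS, REJECTED_ALL)) {
  console.log(`${v.t}ms  ${trackerCategory(v.url)}  ${v.url}`);
}
```

The audit deliberately flags two distinct failure modes: a tracker that fired before the banner was answered (the common "GA on page view" case), and one that fired after a rejection because the CMP only hid the banner instead of blocking the category. The gate side avoids both by never giving the browser an executable script tag until the category has been accepted.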
See what your site does before consent — which trackers fire, which scripts are in scope, where the risks are.
Free runtime audit, no signup, no email gate: https://securespells.com
The real consequences of GDPR violations for your website — https://securespells.com/blog/consequences-of-gdpr-violations-website
GDPR compliance for SaaS companies: complete guide — https://securespells.com/blog/gdpr-compliance-guide-saas-2026
How to audit your website for GDPR compliance — https://securespells.com/blog/how-to-audit-website-gdpr-compliance
Full guide (two-part test, obligations, EDPB sources, enforcement, FAQs): https://securespells.com/blog/gdpr-us-companies-guide