A client — a 25-person SaaS company based in Austin — had 200 users in Germany. They’d never thought about GDPR because “we’re a US company.” Then a German user submitted a data deletion request. They didn’t have a process. They didn’t know where the user’s data lived across their systems. They panicked for two weeks, hired a lawyer for $15K, and still weren’t sure they’d fully complied.

This is the typical GDPR wake-up call for US companies. Not a fine. Not an enforcement action. A data subject request they can’t handle.

Does GDPR Apply to You?

The short answer is almost certainly yes if you operate online. GDPR applies to any organization that:

Offers goods or services to people in the EU/EEA. This doesn’t require physical presence in Europe or even actively targeting EU customers. If your SaaS product is accessible to EU users and you collect their data (email, name, payment information), GDPR applies.

Monitors the behavior of people in the EU/EEA. If you use analytics, cookies, or tracking technologies that capture data about EU visitors, GDPR applies — even if those visitors never become paying customers.

The common misconception: “We don’t market to Europe, so GDPR doesn’t apply.” If EU residents can sign up for your product and you collect their personal data, GDPR applies. The regulation follows the data subject, not the company’s intent.

What GDPR Actually Requires

Strip away the legal complexity and GDPR requires six practical things:

Lawful basis for processing. You need a legal reason to collect and use personal data. For most SaaS companies, this is either consent (the user opted in) or contract (you need the data to provide the service they signed up for). Legitimate interest is a third option but requires a documented balancing test.

Transparent privacy policy. Your privacy policy must clearly describe what data you collect, why you collect it, how long you keep it, who you share it with, and how users can exercise their rights. GDPR-compliant privacy policies are more specific than typical US privacy policies — “we may share your data with partners” isn’t sufficient. You need to name the partners or categories of partners.

Data subject rights. EU users have the right to access their data (you must provide a copy within 30 days), to correct inaccurate data, to have their data deleted (“right to be forgotten”), to restrict processing, to receive their data in a machine-readable format (data portability), and to object to processing. You need processes to handle these requests. The 30-day response deadline is firm.

Data Processing Agreements. Every vendor that processes personal data on your behalf (your cloud provider, analytics platform, email tool, customer support system) needs a DPA — a contract that binds them to GDPR-compliant data handling. Most major vendors (AWS, Google Cloud, Stripe, Intercom) have standard DPAs available. You need to sign them.

Data breach notification. If you experience a breach involving EU personal data, you must notify the relevant EU supervisory authority within 72 hours. If the breach poses a high risk to individuals, you must also notify the affected data subjects. That is a shorter deadline than most US state breach notification laws impose.

Data transfer mechanisms. Transferring EU personal data to the US requires a legal mechanism. The current option is the EU-US Data Privacy Framework (DPF), which replaced Privacy Shield in 2023. If your company is DPF-certified, transfers are straightforward. If not, you need Standard Contractual Clauses (SCCs) in your contracts with EU customers and vendors.

The Practical Compliance Plan

For a US SaaS company with EU users, here’s what to do:

Week 1: Data mapping. Identify every system that stores EU personal data — your production database, analytics tools, email marketing platform, customer support system, error tracking, logs. Create a simple spreadsheet: system name, what data it holds, retention period, vendor DPA status.

Week 2: Privacy policy update. Update your privacy policy to meet GDPR requirements. This means being specific about what you collect, why, how long you keep it, and who you share it with. A GDPR-compliant privacy policy also works for US privacy laws (CCPA, state laws), so this is a single effort.

Week 3: Data subject request process. Build the ability to handle access, deletion, and portability requests. This means knowing exactly where a user’s data lives and being able to extract or delete it across all systems within 30 days. If you followed the PII handling practices I described in my guide on PII, you’re already halfway there.

Week 4: Vendor DPAs. Review every vendor that handles personal data. Sign DPAs where needed. Most vendors have self-serve DPA processes — it’s usually a page in their trust center.

Total cost: Minimal if you do it in-house. $5K-$15K if you engage a privacy lawyer for the policy and DPA review. The engineering work for data subject request handling is the biggest investment — 40-80 hours depending on how scattered your data is.
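The data map from Week 1 and the request process from Week 3 are the same engineering problem: a registry of every system holding personal data, which is then used to fulfil access, portability and erasure requests across all of them and to flag vendors still missing a DPA. The sketch below is an added illustration, not code from the original post; `DataSystem`, the in-memory `store` dicts and the sample user `u42` are constructed stand-ins for real databases and vendor APIs.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import json

DSAR_DEADLINE_DAYS = 30  # response deadline used in the post


@dataclass
class DataSystem:
    """One row of the data map: a system that holds EU personal data."""
    name: str
    fields: list            # personal-data fields this system stores
    retention_days: int     # days kept after account closure
    dpa_signed: bool        # vendor DPA status
    store: dict = field(default_factory=dict)  # user_id -> record (constructed stand-in)

    def export(self, user_id):
        return self.store.get(user_id)

    def erase(self, user_id):
        return self.store.pop(user_id, None) is not None


def dsar_deadline(received_iso: str) -> str:
    """Latest response date (ISO) for a request received on the given ISO date."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=DSAR_DEADLINE_DAYS)).isoformat()


def unsigned_dpas(systems):
    """Vendors in the data map that still lack a Data Processing Agreement."""
    return [s.name for s in systems if not s.dpa_signed]


def fulfil_access(systems, user_id) -> dict:
    """Access request: collect the user's records from every mapped system."""
    found = {s.name: s.export(user_id) for s in systems if s.export(user_id) is not None}
    return {"user_id": user_id, "systems": found}


def portability_export(systems, user_id) -> str:
    """Portability request: the same data as a machine-readable JSON document."""
    return json.dumps(fulfil_access(systems, user_id), indent=2, sort_keys=True)


def fulfil_erasure(systems, user_id) -> dict:
    """Right to be forgotten: erase across all mapped systems, recording each outcome."""
    return {s.name: s.erase(user_id) for s in systems}


# Constructed sample data map and records; not real customer data.
SYSTEMS = [
    DataSystem("production-db", ["email", "name"], 30, True, {"u42": {"email": "a@example.de", "name": "A"}}),
    DataSystem("analytics", ["ip", "page_views"], 400, False, {"u42": {"ip": "203.0.113.9"}}),
    DataSystem("support-desk", ["email", "tickets"], 730, True, {}),
]
```

Running `fulfil_erasure(SYSTEMS, "u42")` after an access export shows the point of the map: a system that was never registered is a system whose copy of the data survives the deletion.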

The Enforcement Reality

GDPR fines can reach 4% of global annual revenue or €20 million, whichever is greater. But enforcement against small US companies has been rare. The large fines (Meta’s €1.2B, Amazon’s €746M) target big tech companies.

The real risk for most US companies isn’t fines — it’s losing business. EU enterprise customers increasingly require GDPR compliance documentation during procurement. If you can’t demonstrate compliance, you lose the deal. And with more US states passing their own privacy laws (CCPA, Virginia’s VCDPA, Colorado’s CPA), the investment in privacy compliance pays dividends domestically too.
