Does GDPR apply to American companies?
Asked by: Alexandrea Heaney | Last update: March 3, 2026
Yes, the EU's General Data Protection Regulation (GDPR) applies to many U.S. companies, even without an EU physical presence, if they offer goods/services to or monitor individuals in the European Union (EU) or European Economic Area (EEA). This includes U.S.-based e-commerce sites, SaaS platforms, or any company collecting personal data (like IP addresses, customer info, usage data) from people in the EU/EEA, requiring compliance with GDPR rules on consent, data security, and user rights.
Do US companies comply with GDPR?
GDPR's extraterritorial reach means that U.S. businesses are not exempt from its requirements. If your company processes personal data of EU citizens—whether through offering goods or services, employing EU residents, or monitoring EU citizens' online behavior—your organization is subject to GDPR.
Is GDPR applicable to US citizens?
Additionally, the GDPR protects citizens of the U.S. as data subjects, but only when they're visiting the EU or other EEA countries. The protection only applies while they are using the internet in those territories.
Does UK GDPR apply to US companies?
GDPR Compliance Challenges for US Companies. The General Data Protection Regulation (GDPR) has far-reaching implications for companies operating in the European Union (EU). However, US companies are also subject to the GDPR's requirements, even if they are not specifically targeting EU or UK customers.
Who is exempt from GDPR?
Some of the most common exemptions include businesses that do not process personal data of living persons, businesses that have no connection with the European Union, derogations for businesses with fewer than 250 employees, or data processing primarily for personal/household activities.
Who does the GDPR not apply to?
Some of the key exemptions from GDPR compliance include personal or household activities, government agencies and law enforcement, and the processing of personal data by Member States.
Can European data be stored in the US?
On 10 July the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework.
How is the GDPR different in Europe and the US?
Key Differences Between GDPR and U.S. Data Privacy Laws. The regulatory approaches to data privacy in the EU and the U.S. diverge considerably, with the EU adopting a comprehensive framework through the GDPR, while the U.S. relies on a patchwork of sector-specific and state-level laws.
Do US banks have to comply with GDPR?
Any financial institution needs to comply with GDPR as well as other laws (for example, AML Act for anti-money laundering).
What replaced the EU US privacy shield?
Dubbed the 'Privacy Shield 2.0', the framework replaced the original EU-US Privacy Shield, which was found to contain shortcomings by the Court of Justice of the EU (CJEU), the EU's highest court, in 2020, in the so-called 'Schrems II' case.
Do all companies have to comply with GDPR?
What size of company must comply with GDPR? Generally, companies with 250 employees or more are required to comply with GDPR rules. However, GDPR is still relevant for small businesses with fewer than 250 employees if they process personal data as a regular part of their business operations.
What are the 6 legal bases of GDPR?
Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
Which countries are not GDPR compliant?
The following European countries have not adopted the GDPR:
- Albania.
- Belarus.
- Bosnia and Herzegovina.
- Croatia.
- Kosovo.
- Moldova.
- Montenegro.
- North Macedonia.
Which country has imposed the biggest GDPR fine?
1. Meta GDPR fine: €1.2 billion. In May 2023, in a groundbreaking decision in the past five years of GDPR enforcement, the Irish Data Protection Commission (DPC) imposed a historic fine of €1.2 billion on US tech giant Meta.
Is GDPR valid in the USA?
Yes, the EU's GDPR (General Data Protection Regulation) applies to many businesses in the U.S., not just those in Europe, due to its "extra-territorial" reach, meaning it governs U.S. companies that offer goods/services to, or monitor the behavior of, individuals in the EU, or have an establishment (like a branch or employees) in the EU. U.S. companies must comply if they process data of EU residents, even if they have no EU presence, by implementing principles like consent, transparency, and data minimization, similar to U.S. state laws like CCPA but with stricter opt-in consent requirements.
Does GDPR only apply to EU countries?
The GDPR applies to any organization that processes the personal data of EU/UK citizens, regardless of where the organization is located. This means that even if your organization is based outside of the EU/UK, you will still need to comply with the GDPR if you process the personal data of EU/UK citizens.
Does GDPR apply to small businesses?
Yes, small businesses must adhere to the data protection principles, which include the same eight rights that apply to large businesses.
What are the 4 pillars of GDPR?
The GDPR enforces four important principles that organizations must adhere to when handling personal data: lawfulness, fairness, and transparency; purpose limitation; data minimization; and accuracy and storage limitation.
What's the difference between law and legal basis?
The legal basis can be a Constitutional law, a statute, a regulation, or a prior judicial decision that creates a precedent to be followed. Positive law is full of cases, treaties, statutes, regulations, and constitutional provisions that can be made into a cause of action.
What happens if companies don't follow GDPR?
If we consider that you have failed (or are failing) to comply with the GDPR or the DPA 2018, we have the power to take enforcement action. We may require you to take steps to bring your operations into compliance or we may decide to fine you, or both.
How do you know if a company is GDPR compliant?
Search the register. Search for organisations and people registered with the Information Commissioner's Office (ICO) under the Data Protection Act 2018. Tip: Search by one field at a time, preferably the registration reference.
Do companies based in Europe have to comply with US privacy laws?
The country where the company collecting data is located doesn't matter, and EU companies must comply with US privacy laws if they meet the relevant criteria.
What is the difference between GDPR and US data protection laws?
Unlike similar US data protection laws, which limit regulated data to financial or health information, GDPR protects and regulates various sectors of information that can be tied to data subjects, including location information, IP addresses, and cookie data.
Why was the EU-US privacy shield invalidated?
Privacy Shield was invalidated partly due to its inability to protect EEA data subjects' personal information from the U.S. Government's surveillance powers. Those powers are derived from national surveillance laws.
Can EU data be stored in the US?
EU-US data transfers are allowed for US organizations that have been certified. If you wish to do so, you need to meet the privacy principles outlined in the Data Privacy Framework, and only then will your company be added to the DPF list.