---
title: "Does GDPR Apply to EU Citizens Living in the US? Legal Insights"
subtitle: "Does GDPR apply to EU citizens living in the US? Discover key legal insights on jurisdiction and compliance requirements for businesses."
source: "https://www.cookieyes.com?utm_source=cy_llm_widget&utm_medium=cy_llm_widget&utm_campaign=cy_llm_widget"
---

# Does GDPR Apply to EU Citizens Living in the US? Legal Insights
Have you ever wondered if the privacy rights you enjoyed in Europe will still protect you when you move to the US? Well, that is exactly what we are answering today. This blog offers authoritative legal insights, drawing on the text of GDPR, European Data Protection Board guidelines, and other seminal sources. So, does GDPR apply to EU citizens living in the US? Let’s find out.

## Overview of GDPR’s jurisdiction


Let’s start with some of the most-asked questions related to GDPR’s protection for EU citizens.


- If I’m an EU citizen residing in the US, do I still enjoy the data protection rights guaranteed by the GDPR?

- When does a US-based business fall within the extraterritorial scope of the GDPR?



The answers require a nuanced understanding of the [GDPR’s territorial reach](https://www.cookieyes.com/blog/who-does-gdpr-apply-to/), the concept of data subjects, and the specific conditions under which the regulation applies to activities such as online services, cookie consent, and cross-border data transfers. Let us now look into the specifics. 

### What are the key GDPR provisions for EU citizens abroad?


The GDPR’s extraterritorial application is one of its most debated aspects. [Article 3](https://gdpr-info.eu/art-3-gdpr/) of the Regulation defines its territorial scope.

The GDPR protects the personal data of individuals in the EU, no matter where the business handling their data is located. It applies to companies within the EU and those outside that offer goods or services to EU residents or track their behaviour within the EU.

However, it does not automatically protect EU citizens living outside the EU. Instead, they are covered by the privacy laws of the country or US state where they reside.



[Recital 14 of the GDPR](https://gdpr-info.eu/recitals/no-14/) states that the regulation’s purpose is to protect the personal data of individuals within the EU’s territory regardless of their citizenship or place of residence.

Businesses must, therefore, consider factors such as data mapping, risk assessments, and the deployment of clear [cookie banners](https://www.cookieyes.com/blog/cookie-banner/) to ensure global compliance.


![Image](https://www.cookieyes.com/wp-content/uploads/2025/02/cy-banner-kfc-1024x470.png)
*caption: Cookie banner as seen on KFC’s website*



### Interpretation of “Data Subject” in a global context


One of the pivotal elements in [GDPR compliance](https://www.cookieyes.com/blog/gdpr-checklist-for-websites/) is the concept of the data subject. According to Article 4, a data subject is a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name or an identification number.

The GDPR’s application to data subjects is generally not based on citizenship or place of residence. The regulation protects any natural person whose data is processed while they are physically present in the European Union. This includes, for example, US citizens on holiday at the Cliffs of Moher in Ireland.

However, an EU citizen who has relocated to the US does not automatically benefit from GDPR protections unless the data processing takes place in the context of an establishment in the Union.

## Limitations and exclusions: What is not covered under GDPR


It is equally important to recognise the limits of GDPR’s jurisdiction. The regulation does not extend to:


- Purely domestic activities: Personal data processing by individuals for personal or household activities remains outside the scope of GDPR.

- Non-targeted data processing: If a US-based business incidentally processes data of EU residents without any intention of offering services or targeting individuals in the EU, GDPR obligations may not be triggered.



This demarcation ensures that businesses are not unduly burdened with heightened legal obligations when their operations do not intersect with the EU market. 

## Scenarios where GDPR applies to EU citizens in the US


### #1 Online services and targeting EU residents


GDPR Article 3(1) clarifies that whenever a company is established in the EU, its data processing activities generally must comply with the GDPR, even if the data subject is physically outside the EU.

Learn about the [scope of GDPR outside the EU](https://www.cookieyes.com/blog/gdpr-outside-eu/)

Once an EU citizen leaves the union, their personal data is not automatically protected under GDPR solely based on their citizenship. Instead, the relevant state laws of their current location will determine the applicable data protection rules. 

But here is another scenario: if an EU citizen is travelling temporarily and uses a service based in the EU, the business must comply with GDPR, ensuring the citizen’s data remains protected. Why? Simply because the processing is based in the EU.

Example

A German social media company processes an EU citizen’s personal data for analytics while she lives in the US. This still falls under GDPR because the business is operating “in the context” of an EU establishment (Germany).

### #2 Cross-border data transfers and processing


Another significant scenario is the cross-border transfer of personal data. When a US company processes data originating from the EU, it must implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) or other recognised mechanisms, to ensure GDPR compliance.

EU citizens in the US who buy online from an EU-based retailer (one that is clearly established in the EU or shipping from an EU location) may still have their purchase details covered by GDPR.

Example

Take the scenario of ordering from an Italian boutique that operates under an Italian business licence. The boutique’s data processing is “in the context of” its EU establishment, so GDPR rules apply to how it handles the order information of an EU citizen living in the US, whether she is in Milan or Miami.

### #3 Dual residency: Legal complexities


In today’s mobile world, many individuals maintain dual residencies or continued ties with the EU even after relocating to the US. In such instances, determining the applicable legal framework becomes complex.

Data controllers must carefully assess whether their data processing activities fall within the scope of EU regulations, particularly if the services are offered to individuals in the EU. This includes reviewing cookie consent data and overall data mapping practices. Failing to do so may expose businesses to regulatory scrutiny and substantial fines.

Similarly, if your website is hosted in the EU or targets EU residents, regardless of its location, and uses non-essential cookies, it must comply with GDPR requirements.

[What GDPR compliance tools does your business need](https://www.cookieyes.com/blog/gdpr-compliance-services/)?

## Enforcement and legal remedies


Enforcement of GDPR is a serious matter. Data protection authorities in the EU have demonstrated a commitment to imposing significant fines for non-compliance.

Case study: Uber’s €290 million fine for GDPR violation

The Dutch Data Protection Authority (AP) has [penalised Uber €290 million](https://autoriteitpersoonsgegevens.nl/actueel/ap-legt-uber-boete-op-van-290-miljoen-euro-om-doorgifte-data-chauffeurs-naar-vs) for failing to protect European taxi drivers’ personal data when transferring it to the US. The company stored sensitive information, including account details, location data, and even medical and criminal records, on US servers without implementing the required safeguards. This violation persisted for over two years, with Uber neglecting to adopt model contracts after the EU-US Privacy Shield was invalidated in 2020.

The fine followed an investigation prompted by complaints from 170 French drivers, conducted in collaboration with European privacy regulators. While Uber has since taken corrective action, the AP considered the breach severe, reinforcing the need for stringent data protection in international transfers.

This highlights the real-world risks of non-compliance and the importance of proactive GDPR adherence for businesses handling EU user data.


![Image](https://www.cookieyes.com/wp-content/uploads/2025/02/GDPR-fines-numbers-1024x623.png)
*caption: Rising GDPR Fines: A Steady Surge in Penalties from 2018 to 2025 (GDPR enforcement tracker).*



EU-based companies must be able to demonstrate their compliance with the GDPR standards for data processing. Also, for US businesses targeting EU citizens, understanding the enforcement mechanisms—including potential fines, reputational damage, and legal challenges—is crucial.

A proactive approach to GDPR compliance, combined with comprehensive risk assessments and a commitment to data privacy law best practices, can provide a strong legal defence and enhance consumer trust.

What [GDPR compliance challenges](https://www.cookieyes.com/blog/gdpr-compliance-challenges/) do businesses face?

## Best practices for managing GDPR compliance in these cases


Though this blog focuses on how GDPR applies to EU citizens in the US, businesses seeking clarity also benefit from these guidelines. Below are recommendations drawn from both the GDPR’s extraterritorial scope and the EDPB’s interpretations.

### For citizens


#### #1 Know where you (the data subject) stand


If you are an EU citizen living in the US, remember that your physical location typically determines GDPR applicability for “targeting” activities (Article 3(2)). If you are not in the EU, many services you engage with are unlikely to be caught by the GDPR unless they are run by an EU-based establishment.

#### #2 Understand establishments


If you are concerned about your data rights, check if the organisation has a real presence in an EU Member State. If so, they must generally follow GDPR, regardless of where customers live. This is particularly relevant if you still do business with companies in your EU home country.

#### #3 Exercise your data subject rights with EU controllers


When an EU establishment processes your data, you typically retain [GDPR rights](https://www.cookieyes.com/blog/gdpr-data-subject-rights/) such as access, rectification, erasure, and objection—even while living in the US or other non-EU countries. If a conflict arises, you can contact the company’s Data Protection Officer (DPO) or representative in the EU.

### For businesses


#### #1 Evaluate “targeting” behaviour


Non-EU companies should carefully assess whether they intentionally target or monitor individuals in the EU. If yes, you may need to comply with the GDPR for that subset of data processing. The EDPB emphasises that mere website accessibility from Europe is not enough; there must be evidence of deliberate facilitation such as marketing strategies that address EU audiences.

#### #2 Designate an EU representative when required


Controllers or processors falling under Article 3(2) must usually appoint an EU representative. That representative serves as a local point of contact for data subjects and supervisory authorities. Check [Article 27](https://gdpr-info.eu/art-27-gdpr/) to see if you meet the criteria or qualify for a narrow exemption.

#### #3 Data mapping and risk assessments


An essential first step is conducting comprehensive data mapping exercises. Identify where data flows originate, where they are processed, and whether they intersect with EU territories. Regular risk assessments enable businesses to detect vulnerabilities in their data processing activities and ensure that GDPR compliance measures are appropriately tailored, thus mitigating the risk of costly fines.

#### #4 Implement robust consent mechanisms


Developing a robust consent framework is critical for GDPR compliance. This includes using advanced cookie consent and consent management solutions to obtain explicit, informed consent for data processing. 

However, even if the GDPR does not apply to your organisation, you are not exempt from consent management obligations. In the United States, several states have their own privacy laws, such as the CCPA/CPRA in California, VCDPA in Virginia, and CPA in Colorado, that impose specific consent and disclosure requirements. The most important consideration for any business is to determine which privacy laws apply to its operations and ensure its consent practices align with those legal requirements.



[Why is CookieYes the best Consent management platform for your business](https://www.cookieyes.com/blog/best-cookie-consent-tool/)?

By clearly communicating the purposes for which data is collected and processed—often through prominently displayed cookie banners and detailed privacy notices—businesses not only meet GDPR requirements but also build trust with their international audiences.

#### #5 Regular audits and employee training


Data compliance is an ongoing process. Regular internal audits and periodic employee training programmes help ensure that GDPR policies are adhered to across all levels of the organisation. These measures, coupled with the use of data mapping and risk assessment tools, provide a robust defence against potential breaches and demonstrate a commitment to data protection.

#### #6 Clear privacy policy and transparency


Transparency is a hallmark of GDPR compliance. Businesses must provide a clear and concise [privacy policy](https://www.cookieyes.com/privacy-policy-generator/) that informs how personal data is collected, used, and shared. This openness not only meets regulatory expectations but also reinforces consumer confidence in an organisation’s commitment to data protection, especially when cookie consent and data processing practices are in full view.

#### #7 Collaboration with legal experts and technology providers


Given the evolving nature of data protection laws, collaboration with specialised legal experts and technology providers is indispensable. 

Leveraging expertise in both legal interpretation and compliance technology—such as cookie consent management platforms offered by CookieYes—helps businesses stay ahead of regulatory changes. This proactive stance ensures that their data processing activities remain within the ambit of GDPR while achieving global compliance.

## FAQ on GDPR’s application to EU citizens living in the US


### Does GDPR apply to my data if I am an EU citizen living in the US?

No, GDPR protections are based on your location, not citizenship. If you are physically outside the EU, GDPR generally does not apply unless:

- Your data is processed by a company based in the EU.

- The data processing is conducted “in the context of an EU establishment” (e.g., an EU-based retailer or service provider handling your data).

- Your data is being transferred from the EU to the US and falls under GDPR’s cross-border transfer rules.

### What rights do I have over my personal data as an EU citizen outside the EU?

Your rights under GDPR do not automatically follow you abroad. However, you may still be able to exercise GDPR rights if:

- Your data was collected while you were in the EU.

- The company processing your data has an establishment in the EU.

Otherwise, you must rely on US state privacy laws (e.g., CCPA for California residents) or company privacy policies.

### How can US businesses ensure GDPR compliance when handling EU citizens’ data?

US businesses should comply with GDPR if they target EU residents or process EU-based data. Key compliance steps include:

- Conducting data mapping to track personal data flows.

- Implementing Standard Contractual Clauses (SCCs) for cross-border data transfers.

- Appointing an EU representative if required under Article 27.

- Using a robust consent management platform (e.g., CookieYes) to obtain explicit consent for data collection.

- Providing a clear privacy policy.