
GDPR in the US: A Checklist for Compliance

By Kavya February 17, 2026


The General Data Protection Regulation (GDPR) has a towering impact on data privacy across the world. While it is a European privacy law, its reach extends far beyond the EU, raising important questions for many organizations: Does GDPR apply to US companies? And what are the implications for GDPR in the US?

In practice, the answer is often yes. In December 2020, Twitter was fined €450,000 ($546,000) for failing to document and notify GDPR regulators within 72 hours of a data breach that exposed some users’ private tweets. This was the first cross-border GDPR penalty imposed on a US-based company and a clear reminder that GDPR can extend beyond EU borders.

Does this mean all US companies can face penalties under GDPR? Let’s try to understand GDPR’s impact in the US. In this article, we will look at the effects of GDPR in the US and how US businesses can comply with the European privacy law.

Does GDPR apply to US companies?

Yes, the GDPR can apply to businesses in the US or to any business outside the European Union. Article 3 of the GDPR defines its territorial scope, and that scope covers businesses regardless of whether the processing itself takes place in the European Economic Area (EEA).

The EDPB’s guidelines consider the following two criteria for the applicability of GDPR:

  • Establishment: Article 3(1) notes that any business outside the EU has to comply with the GDPR if it has an establishment (employee, agent, branch, etc.) in the EU.
    • For instance, if a US-based retailer has a branch in the EU for marketing and advertising purposes, this branch can be considered as a stable establishment under GDPR and subject to regulation.
  • Targeting: According to Article 3(2), a business that targets individuals in the EU for offering goods or services (even if it’s free) or monitoring their behavior falls under the scope of GDPR.
    • Monitoring activities such as tracking through cookies or other technologies, behavioral advertising, geolocation, market surveys, etc., performed by a non-EU business can be subject to GDPR.

A US business that has no establishment in the EU but sells goods or services to consumers in the EU will fall under the scope of GDPR. Note that the law extends to any resident of the EU, irrespective of citizenship.

Does GDPR apply to US websites?

Yes. GDPR can apply to US websites even if the business is entirely based in the United States.

Under Article 3, the GDPR applies if a website:

  • Offers goods or services to individuals located in the EU/EEA, or
  • Monitors the behavior of individuals in the EU, such as through cookies, analytics tools, advertising pixels, or tracking technologies.

First, GDPR is likely to apply if your website shows signs that you are actively serving EU users, not just being accessible from Europe.

Common targeting signals include:

  • Prices shown in EUR or EU-local currencies
  • Shipping options to EU countries
  • Selecting an EU country in a dropdown
  • EU-specific versions of the website

However, just being accessible in Europe is not enough. GDPR applies when there is a clear intention to offer goods/services to people in the EU.

Second, even if you do not sell to EU customers, GDPR can apply if you track or profile EU visitors.

Practical takeaway

If your website uses tracking scripts, GDPR compliance often starts with a cookie banner and consent controls. And, if you have visitors from multiple locations, you can consider geo-targeting options for your banner.

CookieYes’s geo-targeting feature allows displaying banners in the EU and the US.

GDPR in the US: What businesses need to do

If a US company falls under the scope of GDPR, it is subject to the same GDPR requirements as its EU counterparts. Let’s take a look at the steps that can help businesses adequately prepare for GDPR in the US.

1. Audit the data you process

The first step is to identify the kind of personal data you are collecting, storing and processing. It could be names, emails, phone numbers, IP addresses, device IDs, credit card or bank details, geolocation data, etc. Note that if your business employs EU residents, current or previous employee data that you have access to will also be subject to GDPR.

Identify the categories of data you collect, and whether any of it is sensitive personal data such as race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, or genetic or biometric data.

If you collect sensitive categories of personal data, you are required to have additional provisions in place, such as a Data Protection Impact Assessment (DPIA) or appointing a Data Protection Officer (DPO).

2. Establish legal bases for processing

Identify the legal basis for processing each category of personal data that you collect. GDPR provides six legal bases for processing:

  • Consent
  • Performance of a contract
  • Legitimate interest
  • Vital interest
  • Legal requirement
  • Public interest

It is important to note that there must be only one legal basis for a given processing activity and that it must be established before the processing begins. The legal basis should also be demonstrable at all times, i.e. a business must be able to show internally, to data subjects, and to regulators which legal basis it relies on for each user.

Quick note:

For most websites, cookie consent is the most visible GDPR requirement and often the first compliance step businesses implement.

Example: Cookie consent managed through a central dashboard

3. Assess data transfer from the EU to the US

The GDPR imposes strict restrictions on the transfer of personal data outside the European Union to third countries or international organizations. This is to ensure that GDPR-level protection is accorded to data transferred outside the EU.

Data transfer is not limited to physically moving data to another country. It also includes situations where personal data is stored, accessed, or processed from outside the EEA. For example, if a developer in the US can access customer logs belonging to an EU establishment, this access itself may qualify as a data transfer.

GDPR hence requires that any other organization that you pass the data to outside the EU (including your parent company in the US) must be under a legally binding obligation to follow GDPR’s data protection requirements.

Following the Schrems II decision, the EU–US Privacy Shield is no longer a valid transfer mechanism. As a result, Standard Contractual Clauses (SCCs) remain one of the primary tools available for transferring personal data from the EU to the US. Businesses should review where SCCs are used and whether they are implemented correctly.

Businesses need to assess, on a case-by-case basis, whether the US company importing the data will be able to adhere to the contractual obligations of the SCCs and provide adequate protection for the privacy rights of the individuals whose personal data is transferred. Before transferring the data, businesses should also consider whether government authorities can access it and whether judicial redress is available to the data subjects in that country.

4. Update privacy policy

A GDPR-compliant privacy policy should inform users about the personal data you collect, use, share, and process. It should also detail where the data is stored, which third parties it is shared with, and whether it is transferred outside the EU.

Using a policy generator makes it easier to create a privacy policy without starting from scratch.

The privacy policy should:

  • Be available in a transparent and accessible form
  • Be written in clear and plain language
  • Be published conspicuously
  • Contain all essential clauses
  • Describe the rights accorded to users under the GDPR
  • Explain how to exercise data subject rights

Not every business needs a DPO (businesses that process large amounts of personal data do), but if you have appointed one, include the DPO’s contact information in your privacy policy.


5. Obtain prior user consent

Consent is one of the lawful bases for data processing. Where consent is the basis you rely on, it must be obtained before the personal data is processed.

GDPR consent must be freely given, specific and unambiguous. Consent must also be affirmative, i.e. the user must give it through a positive action. Data collected on websites via contact forms, subscription forms, sign-up forms, email lists, etc. should respect GDPR consent requirements.

Clear affirmative action means users must take a deliberate and specific action to opt in or agree to the processing, such as ticking an opt-in box, clicking an opt-in button or link, or confirming a double opt-in email. You should also use jargon-free, plain language for transparency. You cannot rely on lack of response, inactivity, pre-ticked boxes, default settings or blanket acceptance as signs of consent. You must also provide easy ways for the individual to opt out or withdraw consent in the future.

6. Obtain cookie consent

Under the GDPR, cookies can qualify as personal data. As a result, websites must obtain valid cookie consent before placing non-essential cookies such as functional, analytics, and advertisement cookies on a user’s device.

Visitors should be clearly informed about cookie use and given a real choice before any tracking begins. The only exception is strictly necessary cookies, which are essential for the website to function.

This is why websites serving users in the EU are required to display a GDPR-compliant cookie consent banner and keep non-essential cookies blocked until the user actively opts in. In practice, this is usually managed through a consent setup that prevents tracking scripts from loading by default.

A cookie banner, as shown above, helps websites obtain GDPR consent.

For most websites, using a ready-made GDPR opt-in template makes this easier to configure correctly, without having to build consent logic manually.

GDPR also requires that users be able to withdraw consent as easily as they gave it. This is usually handled through a revisit consent option that allows visitors to update their preferences at any time.


In addition, cookie consent should be specific and granular, meaning users should be able to opt in to some cookie categories without being forced to accept all. GDPR also prohibits pre-checked boxes, implied consent through continued browsing, and cookie walls that restrict access unless the user agrees.
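As an added example (not CookieYes code or code from the original article), the following plain JavaScript shows the three behaviours this section describes: non-essential scripts blocked by default, per-category opt-in, and withdrawal that is as easy as giving consent. The category names, the `data-cookie-category` attribute and the sample script URLs are assumptions made for the example.

```javascript
// Added example (not CookieYes code): a minimal consent gate in plain JavaScript.
// Non-essential scripts stay blocked until the visitor opts in per category,
// and consent can be withdrawn as easily as it was given.

// Categories a banner offers beyond "necessary", which never needs consent (names assumed).
const OPTIONAL_CATEGORIES = ["functional", "analytics", "advertisement"];

// Constructed sample of scripts a site might declare: {src, category}.
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertisement" },
];

// A fresh visitor has nothing granted: no pre-checked boxes, no implied consent.
function newConsentState() {
  const granted = {};
  for (const c of OPTIONAL_CATEGORIES) granted[c] = false;
  return { version: 1, decidedAt: null, granted };
}

// Record an affirmative choice. Only the categories the visitor selected are
// granted; the rest stay denied (granular consent, no forced accept-all).
function grantConsent(state, selectedCategories, now = Date.now()) {
  const granted = { ...state.granted };
  for (const c of selectedCategories) {
    if (!(c in granted)) throw new Error(`unknown cookie category: ${c}`);
    granted[c] = true;
  }
  return { ...state, granted, decidedAt: now };
}

// Withdrawal is a single call that denies the category again.
function withdrawConsent(state, category, now = Date.now()) {
  if (!(category in state.granted)) throw new Error(`unknown cookie category: ${category}`);
  return { ...state, granted: { ...state.granted, [category]: false }, decidedAt: now };
}

// Decide which declared scripts may run: strictly necessary ones always,
// everything else only with consent for its category.
function allowedScripts(state, scripts) {
  return scripts.filter((s) => s.category === "necessary" || state.granted[s.category] === true);
}

// After a withdrawal, cookies of denied categories must be removed. Given the
// cookie names present and a category -> cookie-name map, return the names to delete.
function cookiesToClear(state, cookieNames, cookiesByCategory) {
  const keep = new Set();
  for (const [cat, names] of Object.entries(cookiesByCategory)) {
    if (cat === "necessary" || state.granted[cat] === true) names.forEach((n) => keep.add(n));
  }
  return cookieNames.filter((n) => !keep.has(n));
}

// Browser glue (no-op outside a browser): scripts are declared inert with type="text/plain"
// and a data-cookie-category attribute (assumed name); consented ones become real <script>s.
function activateScripts(state) {
  if (typeof document === "undefined") return 0;
  const declared = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-cookie-category]')
  ).map((el) => ({ el, src: el.getAttribute("src"), category: el.dataset.cookieCategory }));
  const allowed = allowedScripts(state, declared);
  for (const { el } of allowed) {
    const live = document.createElement("script");
    if (el.getAttribute("src")) live.src = el.getAttribute("src"); else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}
```

The state object returned by `grantConsent` can be stored alongside a timestamp as the consent record a site keeps as proof of the visitor's choice.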

7. Review data storage practices

As the Privacy Shield has been invalidated, the storage of EU data in the US is called into question. Therefore, US companies should ensure that the personal data of EU residents is stored in the EU. Businesses that use cloud-based services for storage should switch to service providers in the EU or in a country that can provide GDPR-level adequate protections. Businesses should also ensure that data is stored on secure servers with technical and organisational security measures that safeguard it and reduce the risk of loss, misuse, and unauthorized access, disclosure and alteration.

Storage limitation is one of the key principles for data protection in the GDPR. Essentially it means that personal data must be stored for the shortest time possible. Businesses must delete or anonymise personal data once it is no longer needed.

Also, keep in mind that GDPR gives users the right to access, edit and delete their personal data collected by a business. So, you must have a secure system in place to store data.

8. Review agreements with third parties

Any third party or data processor you do business with should be covered by a written agreement. Under GDPR, data controllers are responsible for the actions of their data processors. You should identify and list the vendors who process data on your behalf. Ensure that you have Data Protection Agreements (DPAs) with third parties so that they fulfil the necessary GDPR requirements. Also, ensure that the third-party business has adequate technical and organizational safeguards.

Include terms about the security of processing and data breach notification in your agreement. Third parties must be contractually obligated to report any data breach to supervisory authorities and users, and to assist with Data Protection Impact Assessments. It is important to ensure that data processors implement GDPR measures with equal force, to mitigate potential fines and penalties that may flow from vendors to your business.

9. Data breach notification

GDPR requires businesses to implement “appropriate technical and organisational measures” to address the security risks they face when dealing with personal data. Pseudonymisation, encryption and regular testing of systems are all cited as measures that reduce the risk of data breaches.

In case a data breach occurs, your company must report the event to the appropriate data protection authority (e.g. the ICO in the UK or CNIL in France) within 72 hours of becoming aware of the event. If the data breach poses a high risk to the rights and freedoms of consumers, then they must also be notified by your company.

10. Appoint a DPO or GDPR representative

Do US companies need a DPO (Data Protection Officer)? GDPR specifies two main criteria for businesses that must appoint one:

  • The first is large-scale processing where the core activity of the company involves regular and systematic monitoring of users.
  • The second is whether you process sensitive categories of data.

Even if you do not meet these criteria, appointing a DPO can facilitate your GDPR compliance, especially if you are looking to grow in EU markets.

If you don’t have a physical presence in the EU, i.e. offices, branches or other establishments, you’ll need to appoint a GDPR representative in an EU country. Your GDPR representative needs to be set up in an EU member state where some of the users whose personal data you process are located. The representative can be an individual or a company that acts on your behalf regarding your EU GDPR compliance.

Here’s a checklist that can help you determine if you need a DPO.

Who enforces GDPR in the US?

Each of the EU member states has designated a Supervisory Authority (SA), also referred to as a Data Protection Authority (DPA), responsible for monitoring the application of GDPR within its territory. A regulator that receives a GDPR complaint from an individual residing in its territory can be the DPA concerned. If the US company has headquarters or a main establishment in the EU, the DPA of that member state will be the primary or lead regulator for the business, as per GDPR’s one-stop-shop mechanism.

The Google Spain decision on the territorial scope of GDPR is important in this regard. The Court of Justice of the European Union (CJEU) ruled on a complaint filed against Google with the Spanish DPA. The court confirmed that since Google Inc. carried out personal data processing in the EU via Google Spain, it was subject to EU law. Similarly, tech firms with EU headquarters in Dublin, such as Google, Twitter, Facebook, eBay, PayPal, LinkedIn and Airbnb, among a host of other firms, are subject to GDPR. The Irish Data Protection Commission (DPC) is the lead regulatory authority in their case. (Read Big Tech vs GDPR)

Does GDPR apply to EU citizens in the US?

No, the GDPR does not automatically apply to EU citizens who are located in the United States. The GDPR protects individuals based on where they are located at the time their personal data is processed, not on citizenship or nationality.

In general, the GDPR applies when a business processes personal data:

  • in the context of an establishment in the EU/EEA, or
  • by offering goods or services to individuals located in the EU/EEA, or
  • by monitoring the behavior of individuals located in the EU/EEA (for example, through cookies, analytics, or behavioral advertising).

So, if an EU citizen is living in or visiting the US, the GDPR will usually not apply simply because they are an EU citizen. Instead, US privacy laws may apply depending on the state and the type of data processing.

EU citizens in the US may still be protected under state privacy laws such as the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), as well as other US state laws like the Virginia Consumer Data Protection Act (VCDPA).

Does GDPR apply to the US government?

Yes, the GDPR technically applies to US government agencies that process the personal data of individuals located in the European Union (EU). Under Article 3, the regulation’s extraterritorial reach covers any entity offering services to or monitoring the behavior of people in the EU, regardless of its physical location.

Why do US laws conflict with GDPR?

The primary conflict stems from the US CLOUD Act, which allows federal law enforcement to compel US-based service providers (like Microsoft or Amazon) to provide data even if it is stored on European servers.

  • The Conflict: GDPR Article 48 prohibits the transfer of EU data to foreign authorities unless a specific international treaty (like an MLAT) is in place.
  • The Result: This creates a “legal double bind” where companies must choose between violating US warrants or EU privacy laws.

What are the GDPR fines for US companies?

US technology giants face the highest GDPR penalties ever issued, with total fines exceeding several billion euros. As of early 2026, the primary reason for these massive penalties is the unlawful transfer of European user data to US-based servers without adequate legal protections (violating Article 46).

Company            | Fine amount      | Key violation
-------------------|------------------|-----------------------------------------------
Meta               | 1.2 billion EUR  | Unlawful data transfers from EU to US servers
Amazon             | 746 million EUR  | Violation of consent requirements
LinkedIn           | 310 million EUR  | Lack of legal basis for processing
Luka Inc (Replika) | 5 million EUR    | Non-compliance with data protection principles

Recent 2025–2026 Enforcement Trends

  • New fines are emerging for US AI firms (like Clearview AI and Luka) that scrape EU data to train models without a valid legal basis.
  • Regulators are now penalising companies for keeping data longer than necessary, even if no breach occurs.
  • Fines are also being issued for using personal data with an insufficient legal basis for processing, or in breach of the general data protection principles.

GDPR Checklist for US Companies

  • Identify whether you have a physical presence or employees in the EU, or process personal data of EU residents.
  • Audit the categories of personal data you process, including sensitive categories of data.
  • Establish a legal basis for processing each category of data.
  • Ensure adequate SCCs for any data transfer outside the EU.
  • Review your data storage and cloud services and their location.
  • Update agreements with third parties that you may share data with.
  • Appoint a DPO or GDPR representative for your company.
  • Obtain prior consent before collecting personal data on your website.
  • Obtain consent for using cookies and other tracking technologies.
  • Update your privacy policy to ensure transparency and detailed information on processing.

GDPR has led the way for state-level privacy legislation in the US, such as the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA).

CookieYes is a cookie compliance solution that can help you comply with GDPR in the US. CookieYes can automatically scan your website for cookies, create a customizable cookie consent banner, auto-translate the banner according to the user’s location, and geo-target the banner to EU visitors only.

With CookieYes you can:

  • Add custom CSS and branding to the cookie banner
  • Scan your website for cookies and get an audit report
  • Block third-party cookies automatically
  • Support users’ DNT preference
  • Record user consents as proof
  • Create a custom cookie policy, and more

FAQ on GDPR in the US

Does a US-based website with no physical office in Europe need to comply?

Yes. Under Article 3 of GDPR, if your website offers goods or services to individuals in the EU or monitors their behavior (via tracking cookies or analytics), you must comply.

Is there a US equivalent for GDPR?

The US equivalent of the GDPR is often considered to be the California Consumer Privacy Act (CCPA), along with its amendment, the California Privacy Rights Act (CPRA).

However, it is important to note that the US does not have a single nationwide privacy law equivalent to the GDPR. Instead, the US follows a state-based and sector-specific privacy framework, where privacy obligations depend on the state and the type of business or data involved.

Among all US privacy laws, the CCPA/CPRA is the closest comparison to the GDPR, as it grants consumers rights such as access, deletion, correction, and the right to opt out of certain data sharing, while also imposing compliance obligations on businesses.

Are US small businesses exempt from GDPR?

No. There is no minimum revenue or employee threshold for the GDPR. However, under Article 30(5), organizations with fewer than 250 employees are exempt from certain record-keeping obligations unless their data processing is frequent, high-risk, or involves special categories of data (e.g., health data).

Kavya

Kavya is a content designer who works across marketing and product to create simple, user-first content. She brings expertise in long-form content, UX writing, and copywriting for B2C and B2B brands. In her downtime, she’s probably watching re-runs of mobster dramas and baking.
