Plenty of US businesses assume GDPR stops at Europe’s borders. It does not — and discovering that the hard way, through a complaint or a stalled enterprise deal, is expensive. For any US company with European customers or users, GDPR is a real obligation, and meeting it is a genuine part of the company’s compliance programme.
This guide explains why GDPR reaches US companies, the mindset shifts it demands, the EU representative and transfer requirements, and the practical steps to get compliant efficiently.
Why GDPR reaches US companies
A persistent myth in the US is that GDPR is “Europe’s problem”. It is not. GDPR is extraterritorial: under Article 3 it applies to any organisation — wherever it is based — that offers goods or services to people in the EU, or monitors their behaviour. A US company with EU customers or website visitors is squarely in scope.
That means a SaaS firm in San Francisco, an e-commerce store in Texas, or a media site anywhere in the US can owe the same obligations as a European business. The absence of a European office is no exemption — if anything, it triggers extra requirements.
The two scope tests
US companies fall in scope through two tests. The offering test catches you if you target people in the EU — signalled by EU languages, currencies, shipping, or marketing. The monitoring test catches you if you track EU visitors through analytics, advertising or profiling.
Many US sites meet at least one without realising it. Running EU-targeted ads or analytics on European traffic is enough to bring that processing within GDPR.
It is about location, not citizenship
GDPR protects people who are in the EU, not “EU citizens”. A US company serving an American who happens to be travelling in Europe may be in scope for that interaction; nationality is not the test. Focus on whether you target or monitor people located in the EU.
This subtle point trips up teams who assume their US customer base puts them out of reach.
The mindset shift: PII to personal data
US privacy thinking centres on PII — identifying information. GDPR’s personal data is broader, explicitly including IP addresses, cookie IDs and other online identifiers. A US team scoping its GDPR programme around “PII” will routinely under-scope it.
The fix is to treat any data that can be linked to an identifiable person — including analytics and advertising data — as personal data.
From opt-out to lawful basis
US laws like the CCPA lean on notice and opt-out; GDPR requires a lawful basis before you process at all, and leans toward opt-in for marketing and non-essential cookies. This is a fundamental difference: under GDPR you need permission or another valid basis up front, not just an opt-out.
US companies often need to redesign consent flows and cookie banners to meet the GDPR standard.
You must respect EU data subject rights
GDPR grants eight rights — access, erasure, rectification, portability, objection and more — that you must honour, usually within a month, for people in the EU. That requires a request workflow and the ability to find data across your systems.
These rights are broader than most US regimes, so a CCPA-style process will not fully cover them.
You probably need an EU representative
If you are in scope but have no establishment in the EU, you generally must appoint an EU representative — a local contact point in a member state for individuals and regulators. There is only a narrow exemption for occasional, low-risk processing.
This is one of the most commonly missed obligations for US companies, and a relatively easy one to satisfy through a specialist service.
Transfers back to the US
Ironically, getting EU data to your US systems is itself a regulated transfer. You need a valid mechanism: rely on the EU–US Data Privacy Framework if you certify under it, or use Standard Contractual Clauses with a transfer impact assessment.
So a US company in scope must handle both EU-facing obligations and the transfer of that data home — two sides of the same coin.
Security and breach obligations
GDPR’s Article 32 security expectations and its 72-hour breach notification deadline apply to you for EU data. The 72-hour clock is tighter than many US breach laws, so your incident-response plan must account for it.
Aligning your breach process to the strictest applicable deadline keeps you covered across regimes.
Practical first steps for US companies
Start by confirming scope: do you target or monitor people in the EU? If so, map the EU personal data you hold, establish lawful bases, update privacy notices, fix consent and cookies, stand up rights and breach processes, sort out transfers, and appoint an EU representative where required.
Approached in that order, the work is manageable — and much of it strengthens your overall privacy posture, not just your EU compliance.
Leverage what you already have
If you already comply with US state laws like the CCPA, you have a head start: data inventories, rights processes and vendor contracts all transfer across. GDPR generally sets a higher bar, so building to it tends to cover your US obligations too.
The efficient strategy is one privacy programme keyed to the strictest standard you face, with jurisdiction-specific additions layered on top.
Common mistakes US companies make
Recurring errors include assuming GDPR doesn’t apply without an EU office, scoping around “PII”, relying on opt-out instead of a lawful basis, ignoring the EU representative requirement, and overlooking the transfer of EU data back to the US.
Each follows from applying a US privacy mindset to an EU law, and each is straightforward to fix once recognised.
How ISpectra helps
For US companies, GDPR is often the unfamiliar piece of the privacy puzzle — and a core part of serious GDPR compliance when selling into Europe. ISpectra Technologies helps US organisations confirm their scope, map EU data, establish lawful bases and rights processes, handle transfers, and appoint representatives — building one efficient programme that satisfies GDPR alongside US laws.
If you have EU customers or users, a short assessment will show you exactly where you stand.
In one paragraph
GDPR applies to US companies that offer goods or services to people in the EU or monitor their behaviour — an EU office is not required, and location, not citizenship, is the test. US teams must shift from a “PII” and opt-out mindset to GDPR’s broader personal data and lawful basis model, honour the eight data subject rights, meet Article 32 security and the 72-hour breach rule, handle the transfer of EU data back to the US via the Data Privacy Framework or SCCs, and usually appoint an EU representative. Build to the higher GDPR bar and you will largely cover your US obligations too.
The cost of ignoring it
It is worth being blunt about why this matters commercially, not just legally. US companies that ignore GDPR tend to discover it in one of two painful ways. The first is a complaint or regulatory query — an EU resident objects to how their data was handled, and suddenly a company with no European footprint is corresponding with a supervisory authority and facing potential fines tied to global turnover. The second, and more common, is lost revenue: European customers, and increasingly cautious US enterprise buyers, now ask pointed questions about GDPR during procurement, and a weak or absent answer stalls or kills the deal.
Viewed that way, GDPR readiness is not a defensive cost but a commercial enabler — the thing that lets a US company sell confidently into Europe and pass the privacy questions in enterprise security reviews. The companies that treat it seriously turn a perceived burden into a competitive advantage, while those that wave it away as “Europe’s problem” quietly lose business they never see. Given that much of the work also strengthens compliance with US state laws, getting GDPR right is rarely effort wasted.