The EU's General Data Protection Regulation is often assumed to be a European problem — but many U.S. businesses are surprised to learn it can apply to them too, with significant penalties for non-compliance.

When GDPR Reaches U.S. Companies

GDPR applies to any business, regardless of where it's headquartered, that offers goods or services to people in the EU or monitors the behavior of individuals located in the EU — meaning a U.S. company with EU customers or website visitors can fall within its scope.

Simply having a website that's theoretically accessible from Europe generally isn't enough on its own; what matters is evidence of actually targeting or serving EU individuals, such as pricing in euros, shipping to EU countries, or EU-specific marketing.

Core GDPR Requirements

Covered businesses must have a valid legal basis for processing personal data, provide clear privacy notices, honor individual rights like access and deletion requests, and implement appropriate security measures to protect personal data.

Data breach notification requirements are strict — covered organizations generally must notify the relevant regulator within 72 hours of becoming aware of a qualifying breach.

The Cost of Non-Compliance

GDPR penalties can reach the greater of €20 million or 4% of global annual revenue for the most serious violations, making compliance a genuine business risk rather than a purely theoretical concern.

Even companies not directly subject to GDPR often adopt similar practices voluntarily, since GDPR has influenced privacy expectations and subsequent laws well beyond the EU, including several U.S. state privacy laws.

Frequently Asked Questions

Does GDPR apply if I only have a handful of EU customers?

It can, since GDPR doesn't have a minimum customer threshold — what matters is whether you're offering goods or services to, or monitoring, individuals in the EU.

Is GDPR compliance expensive for a small business?

It varies, but core compliance steps — clear privacy notices, a process for handling data requests, and reasonable security practices — are achievable for small businesses without enterprise-level budgets.

GDPR applicability is a fact-specific question that depends on your actual business activities involving EU individuals. A data privacy attorney can help assess whether it applies to you and what compliance requires.

Was this guide helpful?

Explore more topics or get in touch with a question.

Contact us →