GDPR in the US: a complete guide for American businesses

Mar 27, 2020

GDPR applies to US companies when they offer goods or services to EU residents or monitor their behavior, regardless of company location. There is no US equivalent to GDPR's comprehensive scope; instead, the US has sector-specific laws (HIPAA, GLBA) and state laws (CCPA, VCDPA). US companies must appoint an EU representative, maintain Records of Processing Activities (ROPA), implement security measures, respond to data subject requests within 30 days, and notify supervisory authorities of personal data breaches within 72 hours. Non-compliance can result in fines up to €20 million or 4% of global revenue. Netwrix solutions help US companies discover EU personal data, control access, and maintain GDPR compliance documentation.

Introduction: GDPR beyond Europe

What GDPR is and why it matters globally

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection and privacy law, which came into effect in May 2018. GDPR establishes strict requirements for how organizations collect, process, store, and protect personal data of EU data subjects. GDPR has become the "gold standard" for data privacy globally, inspiring similar legislation worldwide such as the California Consumer Privacy Act (CCPA) in the USA and Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD). Its core principles, including transparency in data handling, data minimization, accountability, and individual rights, have reshaped how businesses worldwide manage privacy compliance.

Why US companies need to pay attention

GDPR compliance is not limited to companies physically located in Europe; its extraterritorial reach extends to businesses anywhere in the world if they offer goods or services to individuals living in the EU or monitor their online behavior. This includes, for example, selling electronic items, providing SaaS services, or tracking behavior through analytics or targeted advertising. American businesses operating from the US are not exempt from European law, and EU regulators have already taken enforcement actions against US-based companies, demonstrating that GDPR obligations are actively enforced across borders. GDPR non-compliance can result in substantial fines reaching up to €20 million or 4% of global annual revenue, so understanding GDPR requirements is essential for maintaining customer trust and brand reputation and for avoiding regulatory fines or scrutiny.

Does GDPR apply to the US?

Extraterritorial scope of GDPR (Article 3)

GDPR Article 3 establishes its reach outside of EU borders, and US companies are included in two primary ways:

  • Offering goods or services: A US organization actively targets EU residents, regardless of whether payment is required, for example by offering a website in EU languages (German, French, Italian), accepting euros or other EU currencies for payment, shipping products to EU countries, or explicitly marketing to EU residents. Even free services such as SaaS platforms, mobile apps, or newsletters can fall under GDPR if they are intentionally offered to EU residents.
  • Monitoring behavior of EU individuals: An organization tracks the behavior of individuals in the EU, including through tracking cookies, monitoring of IP addresses and buying patterns, or behavioral advertising based on analytics or predictive decision-making.

When does GDPR apply?

GDPR applies when an organization processes personal data of EU data subjects while offering goods or services to them or monitoring their behavior. To determine if your US business is in scope, look for these common scenarios:

  • EU customer base: Selling products (physical or software) or e-commerce services to users located in the EU.
  • EU website visitors: Tracking user data from EU visitors through website cookies or any other analytical tool.
  • EU employee data: US companies that process payroll or HR data of staff working for European regional offices or subsidiaries.
  • Marketing to EU residents: US companies marketing to EU residents through email campaigns or social media advertising.

GDPR jurisdiction explained

GDPR jurisdiction is based on where the data subject is located, not where the company processes personal data. A US-based company with no EU office, no EU servers, and no EU legal entity can still be subject to GDPR if it processes personal data of individuals who are residents of the EU. For organizations that engage in cross-border data processing (operating in multiple EU countries), one Lead Supervisory Authority (LSA) acts as lead regulator. The LSA is typically located where the company's main EU establishment is or where processing decisions are made. A US company with no EU presence cannot benefit from the LSA "one-stop-shop" mechanism and may have to answer to regulators in every EU country where it has users.

GDPR applicability to US entities

Which US companies fall under GDPR

US companies must comply with GDPR if they process personal data of EU residents while offering goods or services to them or monitoring their behavior. Common categories of companies subject to GDPR include:

  • E-commerce: Any online US store that sells products or services to EU customers, including shipping to EU or translating websites into European languages.
  • SaaS providers: US companies selling Software as a Service to EU customers who host their data on these platforms.
  • Marketing and ad-tech: Tech firms that use tracking pixels, cookies, or IP-based targeting to monitor EU visitors' behavior for targeted marketing campaigns.
  • Multinational companies: US parent companies with subsidiaries and offices that process data of EU residents.
  • Hospitality and travel: Hotels, airlines, and booking platforms that process personal data of EU tourists.
  • Health and research: Biotech firms or researchers conducting clinical trials that include participants from Europe.

Who is subject to GDPR (controllers, processors)

GDPR distinguishes two key roles of organizations that process personal data:

  • Controllers: The organization that determines the purpose and means of processing personal data. For example, a US SaaS company that decides how user data is collected and used is typically a controller.
  • Processors: The organization that processes personal data on behalf of a controller, following their instructions. For example, a US-based cloud provider or analytics vendor supporting an EU or US company.

Both roles have GDPR obligations. Controllers are responsible for lawful processing, transparency, and accountability for data subject rights. Processors must implement appropriate technical and organizational security measures, maintain processing records, and sign Data Processing Agreements (DPAs) with controllers. GDPR explicitly imposes direct legal obligations on processors, making compliance essential for US service providers.

Does GDPR apply to US citizens abroad?

GDPR protections are based on location, not citizenship. A US citizen living in the EU is fully protected by GDPR when their personal data is processed by organizations located in the EU or targeting it. The same applies to US citizens visiting the EU as tourists, students, or business travelers; they are protected by GDPR when offered any services or when their behavior is monitored.

Does GDPR apply to EU citizens in the US?

An EU citizen living or traveling in the United States is generally not protected by GDPR when a US company processes their data, unless that company is specifically targeting or monitoring individuals in the EU. Citizenship is not GDPR's criterion; it focuses on the location of the data subject and the targeting behavior of the organization processing personal data.

Does GDPR apply to the US government?

GDPR has limited applicability to US government agencies at the federal or local level, as they generally don't offer commercial goods or services to EU residents or engage in behavior monitoring as defined in GDPR. However, US government contractors and vendors managing personal data of EU individuals may have GDPR obligations, particularly when acting as processors for EU-based organizations. US federal agencies providing digital services to EU residents (tourism promotion, educational programs, visa application systems) must comply with GDPR requirements.

GDPR requirements for US companies

GDPR compliance requirements for US companies

US companies processing personal data of EU residents must meet several obligations; compliance cannot be optional or partial. GDPR requirements are legal requirements designed to protect individuals' rights and freedoms:

  • EU representative: Companies without an EU establishment must appoint a representative located in one of the EU member states where data subjects live, as per Article 27. This representative acts as a contact point for supervisory authorities and data subjects.
  • Records of Processing Activities (ROPA): Organizations must maintain written records listing all processing activities as per Article 30, including processing purposes, data categories, recipients with whom data is shared, and retention periods.
  • Security measures: Organizations must implement technical and organizational measures appropriate to data protection risks such as data encryption, access control, comprehensive logging, and incident response procedures, under Article 32.
  • Data breach notification: If a data breach occurs that poses risk to EU data subjects' personal data, organizations must notify the European Supervisory Authority and affected individuals within 72 hours of discovery, as per Article 33.
  • Data subject access requests (DSARs): Organizations must implement procedures to respond to DSARs for access, correction, deletion, restriction, objection, and data portability within the required timeframe of one month.

Core GDPR principles (lawful basis, transparency, minimization)

GDPR compliance is built upon seven foundational principles governing all personal data processing. US companies must not only follow these principles but also demonstrate compliance with each one:

  • Lawfulness, fairness, and transparency: Personal data must be processed on a valid legal basis such as consent, contract, or legitimate interest, and must be clearly explained to individuals through privacy notices.
  • Purpose limitation: Data must be collected for specific, explicit, and legitimate purposes and can't be reused outside the original purpose.
  • Data minimization: Organizations should only collect personal data necessary for the stated purpose.
  • Accuracy: Personal data must be kept accurate and up to date, with mechanisms to correct or delete incorrect data.
  • Storage limitation: Organizations must implement data retention policies—once data is no longer needed, it must be deleted or anonymized.
  • Integrity and confidentiality: Appropriate technical measures must protect data against unauthorized access, processing, loss, or disclosure.
  • Accountability: Organizations must demonstrate ongoing compliance through policies, procedures, audits, signed contracts, and incident response plans.

Netwrix data security solutions help US companies discover and classify where personal data resides with automated labeling of sensitive data, supporting GDPR's privacy by design principles. Using automated search and discovery mechanisms to locate specific data across your entire infrastructure, organizations can identify and locate personal data needed to respond to Data Subject Access Requests (DSARs) within required timeframes. Netwrix identity and access governance capabilities provide comprehensive audit trails of who has access to personal data, what changes are made, by whom, and when—adhering to the principle of least privilege.

GDPR compliance checklist for US companies

Step-by-step compliance checklist tailored for US organizations

Implementing GDPR compliance for US companies requires a practical shift from "notice and choice" to a proactive accountability model. The following checklist can help streamline operations according to GDPR standards:

  1. Determine applicability: Analyze if your organization offers goods/services in the EU or monitors EU data subjects' behavior.
  2. Conduct data mapping: Create a comprehensive inventory of what EU personal data you collect, where it's stored, and who has access.
  3. Appoint EU representative: Designate a person or entity within an EU member state to function as a local contact point for supervisory authorities and data subjects.
  4. Create and maintain ROPA: Document all processing purposes, categories, retention periods, data recipients, and descriptions of security measures.
  5. Document lawful bases: Identify and record the lawful basis for each personal data processing activity (consent, contract, legitimate interests, etc.).
  6. Update privacy notices: Review and update privacy policy with plain language explaining data collection, user rights, retention periods, and contact information.
  7. Implement consent mechanisms: Ensure consent is freely given, specific, informed, and unambiguous, with no pre-ticked boxes or hidden terms.
  8. Establish DSAR procedures: Create standard workflows to verify identities and respond to Data Subject Access Requests within 30 days.
  9. Review vendor contracts: Update or establish GDPR-compliant Data Processing Agreements (DPAs) with all third-party vendors.
  10. Implement technical safeguards: Deploy data encryption, access controls, pseudonymization, and privacy by design to protect personal data.
  11. Establish breach notification protocols: Create incident response plans with mechanisms for breach detection, assessment, prevention, and reporting to meet 72-hour deadlines.
  12. Set up data transfer mechanisms: Implement Standard Contractual Clauses (SCCs) or rely on adequacy decisions for moving data from EU to the US.
  13. Conduct staff training: Provide role-based training to ensure employees understand GDPR responsibilities and procedures.
  14. Document compliance efforts: Maintain compliance records including DPIAs, DPAs, audit logs, policies, procedures, and training evidence.

Netwrix compliance and audit solutions provide comprehensive pre-built reports on data classifications, user access permissions on files, servers, and SharePoint sites, and security posture of endpoints—all aligned with GDPR requirements. Access reviews can be automated to identify overexposed data, and ongoing monitoring of user activity, permission changes, and data access provides evidence-based audit trails.

GDPR vs. US privacy laws

US equivalent of GDPR (CCPA, CPRA, CDPA, HIPAA, GLBA, etc.)

The United States has no single federal law that matches the scope and structure of GDPR. Instead, data protection in the US operates through a complex system of industry-specific federal regulations and state-level laws.

Sector-specific federal laws:

  • HIPAA: The Health Insurance Portability and Accountability Act regulates Protected Health Information (PHI) in the healthcare industry.
  • GLBA: The Gramm-Leach-Bliley Act focuses on financial institutions, requiring them to regulate information sharing practices and protect sensitive customer data.
  • COPPA: The Children's Online Privacy Protection Act enforces policies to protect children's data online.

State-level legislation:

  • CCPA/CPRA: The California Consumer Privacy Act is one of the most comprehensive state laws, granting California residents rights to know about, delete, and stop processing of their data.
  • VCDPA and CPA: Virginia's Consumer Data Protection Act and Colorado's Privacy Act are similar data protection frameworks focusing on consumer rights and data controller obligations.

Comparison: GDPR vs. US laws (scope, rights, enforcement)

GDPR is more detailed than most US privacy laws and places greater emphasis on individual rights and organizational responsibilities. Key differences include:

  • Consent approach: GDPR relies on clearly defined lawful bases for data processing where consent must be freely given, specific, informed, and unambiguous. US laws generally emphasize opt-out mechanisms, allowing businesses to collect and process data by default.
  • Scope and definitions: GDPR defines personal data broadly, covering any information that can identify an individual, and applies to any organization processing EU residents' data regardless of location. US privacy laws often have limited territorial scope and narrower definitions.
  • Data subject rights: GDPR provides comprehensive rights including access, rectification, erasure, data portability, and restriction or objection to processing. US laws typically provide a more limited set of rights.
  • Penalties: GDPR non-compliance can result in fines up to €20 million or 4% of annual global turnover. US penalties are typically fixed (usually $2,500 to $7,500 per intentional violation), not revenue-based.
  • Enforcement: Each EU member state has its own Data Protection Authority (DPA) that enforces GDPR regulations. US privacy laws are primarily enforced by state Attorneys General and the Federal Trade Commission.

Future of US privacy law (ADPPA and national-level discussions)

The direction of US privacy regulations is moving toward continued expansion of state-level legislation, with more states adopting GDPR-inspired regulations. Efforts have been made to pass a federal-level data protection law like the American Data Privacy and Protection Act (ADPPA) and American Privacy Rights Act (APRA) that could override some aspects of state-level laws and provide unified data protection across the United States. US privacy legislation is increasingly aligning with GDPR-like principles such as data minimization, purpose limitation, and strict protection of sensitive data categories, though currently implemented through an opt-out approach rather than an opt-in model.

Enforcement and penalties in the US context

How GDPR is enforced against US businesses

GDPR regulators actively enforce compliance against both EU and non-EU-based companies. The impact of penalties extends far beyond fines and can affect operations, contracts, and market access. EU Data Protection Authorities (DPAs) have authority to investigate any company that targets EU consumers or monitors their behavior, regardless of where its headquarters are based. US companies with a presence in EU member states through offices or representatives are subject to direct legal action within that member state. DPAs coordinate with US regulators such as the Federal Trade Commission (FTC) to exchange information during investigations. Authorities may target non-compliant companies' European assets, blacklist companies from doing business as direct operators or vendors, and make public announcements that put pressure on brand image.

Fines levied against US companies

GDPR enforcement history shows that US-based organizations are regularly subjected to significant penalties. Major US tech companies have faced huge fines, including a landmark €1.2 billion penalty in 2023. These strict penalties demonstrate regulators' willingness to impose maximum pressure and show that compliance is cheaper than penalties. Common violations include inadequate consent mechanisms (particularly around cookies and behavior tracking), unlawful cross-border data transfers, insufficient legal basis for personal data processing, insufficient technical and organizational measures, and delayed breach notification.

Risks of non-compliance (financial, operational, reputational)

GDPR non-compliance has multi-layered consequences that can damage a US company's long-term health:

  • Financial risk: Administrative fines are structured in two tiers—up to €10 million or 2% of global turnover for non-compliance like record-keeping failures, and up to €20 million or 4% of global turnover for unlawful data transfer or inadequate legal basis.
  • Operations disruption: DPAs may order companies to suspend or stop specific data processing activities, resulting in product changes, service halts, or withdrawal of features from the European market.
  • Contractual impacts: Most EU companies include GDPR compliance warranties in vendor contracts that can result in immediate termination if non-compliance is discovered.
  • Reputational damage: DPA enforcement decisions are made public and often generate significant media coverage. A non-compliant status can impact ongoing and pending contracts, erode customer and investor trust, and prevent companies from entering new markets.

Practical guidance for US businesses

What GDPR means for US companies in practice

GDPR compliance requires concrete operational changes across every department workflow, not just legal documentation. Marketing teams must implement clear consent mechanisms, moving from an opt-out approach to explicit opt-in—no pre-ticked boxes on sign-up forms, clear and granular control choices for consent, and easy withdrawal options. Website cookie banners must provide real choices (accept, reject, or selective consent). Privacy notices must be in plain language explaining what data you collect, why, how long you keep it, and users' rights. Customer service teams must be trained to understand and process Data Subject Access Requests (DSARs), with tools and procedures to process requests within 30-day deadlines. Vendor contracts should be reviewed to ensure Data Processing Agreements (DPAs) are in place for all processors and sub-processors.

Common compliance challenges for US firms

US companies often face structural and cultural hurdles when aligning with GDPR:

  • Cultural gaps: US business culture often favors broad data collection, while GDPR emphasizes data minimization, a shift from "collect all data that might be useful later" toward "collect only what you need now and are permitted to collect."
  • Technical debt: Legacy systems were not built with "privacy by design" in mind and may lack capabilities to export, delete, or segregate access for individual user data.
  • Organizational silos: Personal data is often scattered across different department tools (sales CRM, marketing emails, finance billing systems). A centralized system is needed to respond to DSAR requests.
  • Vendor management: Managing the vendor ecosystem adds complexity; proper contracts with strict enforcement of security measures, clear data processing instructions, and regular reviews are essential.

Best practices: Data minimization, audits, consent management

US companies should move beyond reactive compliance and adopt a proactive, framework-based approach:

  • Data minimization by design: Collect only the data needed for specific processing rather than hoarding data "just in case." Define purposes clearly and set data retention schedules for automatic deletion.
  • Privacy and security by design: When building new products or features, consider "what's the minimum amount of data we need to make this work" and how to make data processing secure.
  • Regular privacy audits: Regularly assess and review data flows, access rights, retention practices, and security controls to identify and mitigate flaws.
  • Consent management: Use structured consent and preference management tools to track who consented to what, when, how, and for what purpose.
  • Access controls and least privilege: Implement role-based access control (RBAC) policies ensuring employees can only access specific personal data needed for their role, with proper audit trails.

US companies can rely on Netwrix identity security and data protection capabilities for automated data discovery and classification to uphold GDPR's data minimization and privacy by design principles. Netwrix solutions can scan on-premises, cloud-only, or hybrid environments to identify and categorize personal data, with search capabilities supporting DSAR fulfillment in minutes rather than days. Netwrix Threat Detection and Response proactively scans for vulnerabilities and security misconfigurations, analyzes unusual user activity to prevent insider threats, stops ransomware attacks, and provides detailed audit trails for forensic investigation, supporting the investigation and evidence collection required to meet the 72-hour notification deadline.

Conclusion

Summary of key takeaways for US companies

GDPR is European law, but its reach is global and substantially impacts US companies processing personal data of European data subjects. GDPR is not a theoretical or optional legal requirement; it is strictly enforced for any organization that offers goods or services or monitors behavior of EU data subjects, including websites accessible to EU visitors, targeted marketing, and data analytics of EU consumers. There's currently no single federal US law matching GDPR's comprehensive scope, individual rights framework, or enforcement mechanisms. Organizations must implement specific measures including appointing an EU representative, maintaining detailed Records of Processing Activities (ROPA), implementing privacy and security by design, establishing lawful bases for each processing activity, and having mature processes for handling DSARs and incident response. Non-compliance fines can reach up to €20 million or 4% of annual global turnover, and EU regulators have shown willingness to impose maximum penalties.

Importance of proactive compliance for global business

Adopting a proactive approach toward GDPR is not just about avoiding fines; it is a long-term business strategy for growth. The European Union represents 450+ million consumers and a combined economy of €18-€22 trillion, and without GDPR compliance, US companies risk regulatory bans from contracts or digital marketplaces. Modern consumers are becoming more privacy-conscious, and GDPR-compliant practices reflect companies' commitment to users' rights and responsible data handling. US federal privacy law is becoming increasingly inevitable, and a strong GDPR-compliant infrastructure provides a foundation that reduces future compliance gaps and rework at home.

For US companies navigating GDPR requirements, Netwrix data security and compliance capabilities provide visibility into where EU personal data resides, enforce access control with the principle of least privilege, enable continuous monitoring of personal data and security posture of endpoints hosting personal data, provide analytics on anomalous activities around personal data to detect and prevent security breaches, and maintain audit-ready evidence essential for GDPR compliance.

Explore Netwrix GDPR compliance solutions to discover how data security and identity governance capabilities can help your US business achieve and maintain compliance with EU data protection requirements.

About the author

Gina Fanning

CEO

Gina has a strong background in regulatory compliance, particularly in the areas of GDPR and anti money laundering and counter terrorist financing (AML/CTF). She holds qualifications in QFA, MSc Management/Compliance, AML/CFT, and HR Development & Training. She worked extensively in financial services prior to founding Compliance Made Easy, an organization that brings together all areas of compliance to help businesses meet regulatory requirements.