
Visitors from all over the globe access your website, which makes it hard to tell which privacy laws apply to you and which ones carry a real possibility of financial penalties. GDPR applicability doesn't depend on where you're incorporated. What matters is whether you're processing the personal data of people in the EU and what you're doing with it.
Every website processes personal data in ways that aren't always obvious: forms that collect names and emails, or third-party scripts that send data to servers you aren't aware of. Each one is a GDPR compliance liability if it involves the data of people located in the EU.
This article offers a clear checklist to help you determine whether your website falls within the GDPR's scope.
TL;DR
- GDPR applies to any company that intentionally targets people in the EU or monitors their online behavior. An "EU establishment", such as an employee or office permanently based in the EU, can also bring you into scope.
- While GDPR applies to a broader set of companies than many realize, EU regulators have limited means to directly fine businesses with no EU presence. In those cases regulators typically issue warnings or corrective guidance rather than penalties.
- US state privacy laws (such as the CCPA) are adopting GDPR-like expectations on breach security, cross-border data transfers, and company liability for data processed by third-party scripts.
- Using analytics, heatmaps, or ad pixels that track EU visitors online is considered monitoring and may trigger GDPR compliance requirements.
Does GDPR Apply to My Website? (Eligibility Criteria)
GDPR's territorial scope is defined by Article 3 of the regulation. It rests on two main criteria:
- Establishment
- Targeting
You need only one of these to be true. If either is, GDPR applies. However, it only applies to the specific processing activities that triggered it. The regulation doesn't take over your entire organization, just the data handling that matters.
3-Step Self-Assessment - GDPR Applicability
Step 1: Are you established in the EU?
You have an EU establishment if you operate through any stable arrangement in a Member State; this doesn't require a formal office. The threshold is low: even a single employee or agent in the EU may count if they act there with some degree of stability.
You likely have an EU establishment if you have:
- A branch, subsidiary, or registered office in any Member State
- An employee, sales rep, or agent working regularly in the EU
- Revenue-generating activities in the EU that are linked to your data processing
If your website's data processing is connected to those EU activities, GDPR applies. If not, move to Step 2.
Step 2: Do you intentionally target EU users?
GDPR applies if your website offers goods or services to people in the EU (Article 3(2)(a)). The offer must be intentional, not accidental; the mere fact that EU users can reach your website is not enough to trigger applicability.
According to the European Data Protection Board (EDPB) guidelines on territorial scope, these factors are signs of intentional targeting:
- Naming the EU or specific Member States in reference to goods or services offered
- Paying for search engine advertising directed at EU audiences
- Using EU country-code top-level domains (.de, .fr) or .eu instead of your home country's domain
- Offering delivery of goods to EU states
- Displaying prices in euros or another Member State currency, together with the ability to order
- Referencing EU-based customers or testimonials
If you're not targeting EU users, move to Step 3.
Step 3: Do you monitor the behavior of EU visitors?
GDPR applies if you track or profile individuals located in the EU (Article 3(2)(b)). Recital 24 describes monitoring as tracking natural persons on the internet, including profiling to analyze or predict their preferences, behaviors, and attitudes.
These activities are usually considered monitoring:
- Retargeting and behavioral advertising
- Collecting cookies, fingerprints, or other identifiers tied to individuals
- Session replay tools and heatmaps linked to specific users
- Location tracking for personalization or marketing
Remember that purely aggregate, anonymized statistics with no link to individual users generally do not constitute monitoring. "GDPR-friendly" analytics tools are built to collect only that kind of data so they don't need consent; verify the claim against your own configuration, because a tool is only as anonymous as the identifiers it is set up to collect.
GDPR applies to you if your website does any of the above for visitors located in the EU, even if you never intended to do business in Europe.
Does GDPR Apply to US Companies?
Yes. GDPR can absolutely apply to U.S. companies. Your company's location doesn't determine GDPR applicability.
If your company processes the personal data of people in the EU, whether by offering them goods or services, employing EU residents, or monitoring their online behavior, your organization is subject to the GDPR.
Instead of where you are based, what matters is:
- Who visits your site: are people located in the EU using your website?
- How your site processes their data: are you collecting personal information, tracking behavior, or offering them goods and services?
You don't need offices, employees, or any physical presence in Europe for the GDPR to apply to your business. Neither the size of your business nor the amount of data you process matters.
Common GDPR triggers for US websites
Having EU visitors and tracking their behavior puts you in scope of GDPR. Behavioral tracking includes any of the popular tools below. You may also have unauthorized hidden trackers, such as third-party scripts that over-collect data, whether by accident or with malicious intent. A client-side compliance tool can show you every third-party data collector on your website.
| Category | Examples | Why GDPR applies |
|---|---|---|
| CLIENT-SIDE TRACKING | | |
| Analytics | Google Analytics, Adobe Analytics | Cookies and tracking of EU visitors |
| Advertising pixels | Meta Pixel, Google Ads etc | User behavior monitoring for retargeting |
| Session recording | Hotjar, FullStory, Mouseflow | Records EU user behavior and interactions |
| Lead capture forms | HubSpot, Mailchimp | Collects personal data from EU visitors |
| Embedded services | YouTube, Google Maps, social widgets | Third-party processing; embedding can make you a joint controller for the data the embed collects |
| SERVER-SIDE PROCESSING | | |
| Customer databases | PostgreSQL, CRMs, cloud storage | Storing EU customer records and personal data |
| E-commerce | Shopify, WooCommerce | Processing EU customer purchases and payments |
| Email marketing | Mailchimp, SendGrid | Sending emails to EU subscribers |
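What a client-side audit of script traffic actually has to do, as an added example that is not the article's or cside's code: auditRequest() classifies one outbound request as first- or third-party and looks for personal data in its query string and body, and installNetworkAudit() wraps fetch(), navigator.sendBeacon() and XMLHttpRequest.open() so every request a script makes is classified as it happens. The "last two labels" rule for the registrable domain, the PII regexes, the severity labels and the placeholder .invalid hosts are this example's own simplifications and assumptions.

```javascript
'use strict';

// Simplified registrable domain: last two labels. A real audit should use the
// public suffix list (co.uk, github.io, ...) instead of this assumption.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Crude patterns for personal data; false positives (version strings that look
// like IPs) are acceptable for an audit that a human reviews.
const PII_PATTERNS = {
  email: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i,
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/,
};

function findPii(text) {
  return Object.entries(PII_PATTERNS)
    .filter(([, re]) => re.test(text))
    .map(([kind]) => kind);
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (_) { return s; }
}

// Classify a single outbound request. Only string bodies are inspected; binary
// or FormData bodies are reported with pii = [] (a known blind spot).
function auditRequest(firstPartyOrigin, url, body = '') {
  const target = new URL(url, firstPartyOrigin);
  const firstParty = registrableDomain(new URL(firstPartyOrigin).hostname);
  const thirdParty = registrableDomain(target.hostname) !== firstParty;
  const text = safeDecode(target.search + ' ' + target.hash) + ' ' +
    (typeof body === 'string' ? body : '');
  const pii = findPii(text);
  const severity = thirdParty && pii.length ? 'high' : thirdParty ? 'medium' : 'low';
  return { url: target.href, host: target.hostname, thirdParty, pii, severity };
}

// Wrap the three APIs scripts use to send data. `report` receives each audit
// record; in production it would be batched to a first-party endpoint.
function installNetworkAudit(win, report) {
  const origin = win.location.origin;
  const origFetch = win.fetch;
  if (typeof origFetch === 'function') {
    win.fetch = function (input, init) {
      const url = typeof input === 'string' ? input : (input && input.url) || String(input);
      report(auditRequest(origin, url, init && init.body));
      return origFetch.apply(this, arguments);
    };
  }
  const nav = win.navigator;
  if (nav && typeof nav.sendBeacon === 'function') {
    const origBeacon = nav.sendBeacon.bind(nav);
    nav.sendBeacon = function (url, data) {
      report(auditRequest(origin, String(url), data));
      return origBeacon(url, data);
    };
  }
  const XHR = win.XMLHttpRequest;
  if (XHR && XHR.prototype && typeof XHR.prototype.open === 'function') {
    const origOpen = XHR.prototype.open;
    XHR.prototype.open = function (method, url) {
      report(auditRequest(origin, String(url)));
      return origOpen.apply(this, arguments);
    };
  }
}

// In a browser, start auditing as early as possible (ideally the first script in <head>).
if (typeof window !== 'undefined') {
  installNetworkAudit(window, (rec) => {
    if (rec.severity !== 'low') console.warn('[privacy-audit]', rec.severity, rec.host, rec.pii);
  });
}
```

Load it before any vendor tag so the wrappers are in place when the first pixel fires; a tag that runs earlier, or one that sends data through an image request or a form submission, is not seen by these hooks, which is why a production tool also watches the DOM and resource timing rather than network APIs alone.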
Can GDPR Penalties Be Enforced on U.S.-only Companies?
Not directly, unless you have a connection to the EU as outlined above in this article.
Do EU regulators have authority over U.S. companies?
EU Data Protection Authorities have no jurisdiction inside the United States, so they depend on cooperation from other jurisdictions, or on the target's own EU assets and establishments, to enforce fines against entities outside the EU.
Here's an example of a regulator going after a U.S. company:
The UK ICO issued a warning to the Washington Post over how it obtained consent for cookies. However, the ICO acknowledged that there was little it could do if the Washington Post decided not to change its practices. (The ICO now enforces the UK GDPR rather than the EU GDPR, but the enforcement gap it described is the same.)
GDPR enforcement for U.S. companies
For companies with no EU presence whatsoever, regulatory enforcement is rare. It is typically limited to inquiries, compliance notices, and orders to stop specific processing. Regulators can also publicize non-compliance, damaging reputations.
Enforcement pressure increases with any kind of EU connection
GDPR regulators gain leverage if you have:
- EU customers or revenue
- EU employees or contractors
- EU-based infrastructure or vendors
- EU bank accounts or assets
- An EU-facing website or localized offering
Enforcement becomes practical at that point. Business restrictions may include orders to cease specific data processing activities or to suspend services for EU customers until compliance is achieved. In effect, regulators can force you to stop serving European customers.
Multinational companies are hit the hardest with GDPR penalties
GDPR enforcement against U.S. firms varies by EU member state. Authorities in France and Ireland (and the UK, under its post-Brexit UK GDPR) have been aggressive in imposing penalties and opening investigations against U.S. companies.
The biggest GDPR fines have all targeted companies with a large EU presence
| Company | Fine | EU connection |
|---|---|---|
| Meta | €1.2 billion | Routinely transferred EU users' data to the United States without the required protections |
| Amazon | €746 million | Headquartered in Luxembourg |
| | €90 million | French data authorities found that blanket consent forms and pre-ticked boxes were not valid consent |
| Marriott | £18.4 million | The breach compromised the personal data, including payment card records, of millions of EU residents |
For a truly U.S.-only company with no EU presence, no EU customers, and no intention of entering the European market, the direct enforcement risk is low. But that's a narrow category, and it's shrinking as businesses go global and as other pressures (covered below) make GDPR-style compliance necessary anyway.
Should U.S.-Only Companies Care About GDPR?
Yes. Here’s why.
Privacy laws are spreading across U.S. states.
U.S. state privacy laws have gained momentum, with new laws introduced, enacted, and coming into force each year. Not long ago, in 2018, the California Consumer Privacy Act became the first comprehensive U.S. state privacy law to pass. Since then, many states have passed their own laws, with more taking effect through 2026.
| Year | States passing laws |
|---|---|
| 2018 | California (CCPA) |
| 2021 | Virginia, Colorado |
| 2022 | Utah, Connecticut |
| 2023 | Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas |
| 2024 | New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, Rhode Island |
As of the time of this publication, 20 U.S. states have enacted comprehensive consumer data privacy laws.
These laws regulate how companies can collect data, what they must disclose, how users can opt out, and security controls to be maintained.
U.S. State privacy laws borrow directly from the GDPR
The Colorado, Connecticut, Delaware, Oregon, Indiana, Iowa, Tennessee, Virginia, and Utah laws adopt terminology of the European Union's General Data Protection Regulation (GDPR) and apply to "controllers" and "processors."
The most common approach to data protection assessments in U.S. state privacy laws mirrors the GDPR's data protection impact assessment, which requires that an assessment weigh, at a minimum, the processing's risks and benefits to individuals.
If you build your website to be GDPR-compliant, you're already most of the way to complying with U.S. state laws. The reverse is also true. Ignoring GDPR-style requirements means you're likely violating domestic laws, too.
Websites must now respect universal opt-out signals
Many U.S. states now require websites to detect and honor browser-based universal opt-out mechanism (UOOM) signals, most notably the Global Privacy Control (GPC).
As of July 1, 2025, the states requiring websites to honor UOOM signals include California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Minnesota, Maryland, and Texas.
California, Colorado, and Connecticut have announced a joint investigative sweep targeting businesses that fail to honor GPC opt-outs.
In practice, this means that:
- If a visitor's browser sends a GPC signal (the Sec-GPC: 1 request header, also exposed to page scripts as navigator.globalPrivacyControl), your website must treat it as a valid opt-out request
- The California Attorney General has taken the position that requests to opt out using the Global Privacy Control must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information.
- Failure to honor these signals is already being enforced (California's first public CCPA enforcement action against Sephora cited GPC non-compliance)
If your website can't technically detect and respond to these signals, you're non-compliant, even if you never intended to do business outside your home state.
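How a site can detect and honor the signal on both sides, as an added example that is not code from the original article or from cside. The two facts it relies on are that GPC-enabled browsers send the request header Sec-GPC: 1 and expose navigator.globalPrivacyControl === true to page script; the cookie name, the tracker manifest with placeholder .invalid hosts, the simplified request/response shape, and the policy choice that GPC overrides an earlier consent click are this example's own assumptions.

```javascript
'use strict';

// Header names are case-insensitive, so normalize before looking for Sec-GPC.
// The GPC spec defines only the value "1"; anything else is not an opt-out.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Client-side equivalent: `nav` is the browser's `navigator` object.
function hasGpcSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Policy (assumption): GPC is an opt-out of sale/sharing under the US state laws
// and is treated as an objection to tracking under GDPR too. It arrives with every
// request, so it wins over a stored "accepted" consent cookie that may be stale.
function trackingDecision({ gpc, consent }) {
  if (gpc) return { allow: false, reason: 'gpc-opt-out' };
  if (consent === 'accepted') return { allow: true, reason: 'consent' };
  return { allow: false, reason: 'no-consent' };
}

// Hypothetical tracker manifest for this page; the hosts are placeholders.
const TRACKERS = [
  { id: 'analytics', src: 'https://analytics.example-vendor.invalid/tag.js' },
  { id: 'ads-pixel', src: 'https://pixel.example-ads.invalid/pixel.js' },
];

// Pure gate: which trackers may be injected for a given decision.
function allowedTrackers(decision, trackers = TRACKERS) {
  return decision.allow ? trackers.slice() : [];
}

// Server side. `req` is {headers, cookies}, a simplified request shape rather than
// a real framework API. When GPC is present the opt-out is persisted in a
// first-party cookie so later pages render without trackers before any script runs.
function handleRequest(req) {
  const headerOptOut = hasGpcHeader(req.headers);
  const cookieOptOut = Boolean(req.cookies && req.cookies.gpc_optout === '1');
  const consent = req.cookies ? req.cookies.consent : undefined;
  const decision = trackingDecision({ gpc: headerOptOut || cookieOptOut, consent });
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (headerOptOut) {
    // HttpOnly + Secure + SameSite keep the flag out of reach of page scripts.
    headers['Set-Cookie'] = 'gpc_optout=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure; HttpOnly';
  }
  const tags = allowedTrackers(decision)
    .map((t) => `<script src="${t.src}" async></script>`)
    .join('\n');
  const body = `<!doctype html><html><head></head><body>${tags}</body></html>`;
  return { status: 200, headers, decision, body };
}

// Browser side. `win` is `window`; the same decision is re-run with navigator and
// the (hypothetical) consent cookie, and only allowed trackers are injected.
function bootstrapClient(win) {
  const cookie = win.document.cookie || '';
  const consent = /(?:^|;\s*)consent=accepted(?:;|$)/.test(cookie) ? 'accepted' : 'none';
  const decision = trackingDecision({ gpc: hasGpcSignal(win.navigator), consent });
  for (const t of allowedTrackers(decision)) {
    const s = win.document.createElement('script');
    s.src = t.src;
    s.async = true;
    win.document.head.appendChild(s);
  }
  return decision;
}

if (typeof window !== 'undefined') bootstrapClient(window);
```

Checking the header on the server matters because a CDN or cached HTML can otherwise ship tracker tags before the consent script has a chance to suppress them; the browser-side check then covers trackers injected later by other scripts. Whether a GPC signal should also withdraw an earlier explicit consent is a policy question for your counsel; the code above treats it as the safer default.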
Reduce Privacy Violations from 3rd Party Scripts with Privacy Watch
As noted above, whether users accept or reject cookies, misconfigured or malicious scripts can still leak their personal information.
Cookie consent banners manage preferences. They don't enforce behavior. And under GDPR, you're responsible for what every script on your website does.
PrivacyWatch is cside's client-side privacy compliance tool that monitors third-party scripts and alerts you to potential violations or data exposure.
cside offers automated compliance reporting for GDPR, CCPA, and HIPAA regulations, with detailed audit trails that prove your adherence during regulatory inspections.
With cside PrivacyWatch, you can
- See which data is accessed by scripts and where it is being sent
- Monitor data access and injection to stop unauthorized tracking
- Identify changes to third-party code on your site that change how your website handles data
- Demonstrate that client-side privacy and security measures are in place, supporting GDPR Article 32 (security of processing), Article 25 (data protection by design and by default), and Article 28 (processors)
- Get automated framework-specific dashboards for GDPR, CCPA and other US state-level laws
- Collect evidence you can produce during regulatory inspections or audits
Schedule a demo with cside now to see how to protect yourself against GDPR violations.