Does GDPR Apply to US Companies? Here's What That Actually Means
A 7-person SaaS startup gets a demo request from a German company. The procurement form asks one question that stops the deal cold: "Are you GDPR compliant?" Nobody on the team knows the answer. This exact scenario comes up constantly in r/SaaS and r/gdpr - and the question has real financial stakes. Since 2018, EU regulators have issued $5.65B in GDPR fines, with US companies accounting for 83% ($4.68B) of that total.
Let's be honest: most GDPR guides are either 10,000-word legal textbooks or thinly disguised pitches for compliance software. We're going to skip both and give you what actually matters.
The Quick Version
If you offer goods or services to people in the EU or monitor EU user behavior, GDPR applies to you - regardless of where your servers sit. A cookie banner isn't compliance. You need lawful basis mapping, data processing agreements, DSAR processes, and a cross-border transfer mechanism. Compliance costs range from $5k-$30k for small businesses to $250k-$1M+ for enterprises.

When Does GDPR Apply to US Companies?
Article 3 uses a two-prong test. Either trigger is enough.

Prong 1: EU establishment. A US company with a Dublin office, a Berlin subsidiary, or any EU presence falls under GDPR for all processing tied to that establishment's activities. Straightforward.
Prong 2: Targeting or monitoring. No EU presence? The regulation still applies if you offer goods or services to EU residents or monitor their behavior through cookies, analytics, or behavioral advertising. A checkout page showing EUR pricing, EU shipping options, or localized language versions counts as evidence of targeting. Mere website accessibility from the EU isn't enough - Recital 23 makes that clear.
One detail most guides miss: if your EU customer's data sits on an EU server but a US-based developer accesses it remotely, that counts as a cross-border transfer. We've seen this catch SaaS companies off guard more than almost anything else.
Common Misconceptions
"We added a cookie banner, so we're compliant." A cookie banner handles consent for tracking cookies - one narrow slice. It doesn't address lawful basis for processing, data subject rights, vendor agreements, breach notification, or cross-border transfers. It's the front door, not the house.
"We don't take EU money, so we're fine." GDPR scope is based on whether you offer goods or services to EU residents, even without payment, or monitor their behavior. A free tool can still be in scope.
"We'll just geo-block EU visitors." If you have no EU establishment and genuinely don't target or monitor EU users, the regulation likely doesn't apply - and IP blocking can serve as evidence of non-targeting. But if you're already subject to it, blocking EU users doesn't erase your obligations for data you've already collected.

GDPR Compliance Checklist for US Businesses
Here's the thing: compliance for a small startup doesn't need to cost six figures. It needs to be intentional.

Lawful basis mapping. Map every data processing activity to one of GDPR's six legal bases. For most B2B companies, legitimate interest and consent are the two that matter - especially if you're doing GDPR cold email.
Privacy policy update. Cover purposes, legal bases, retention periods, data subject rights, and transfer mechanisms. The Dutch DPA fined a major streaming service $4.75M in November 2024 for privacy notice transparency failures - and the violation was essentially bad documentation, not a breach.
Data Processing Agreements with all vendors. Every tool that touches EU personal data needs a DPA. If you're prospecting into EU markets, make sure your data provider offers DPAs and enforces opt-outs. Prospeo, for instance, provides DPAs on request and enforces opt-outs globally with a 7-day data refresh cycle - similar to what you'd expect from a B2B lead generation database.
DSAR process. Data subjects can request access, deletion, or portability. You have one month to respond. Build the workflow before the first request arrives - in our experience, this is where most small companies stall because they haven't mapped where personal data actually lives across their stack.
72-hour breach notification. If a breach risks individuals' rights, notify the supervisory authority within 72 hours. Not "within a few days." 72 hours.
You'll also need an Article 27 EU representative if you're outside the EU and subject to the regulation without an EU establishment. This isn't a DPO - it's a largely passive "local mailbox" making your company reachable by data protection authorities. Outsourced representative services typically run $1,000-$5,000/year. If your processing is occasional and doesn't involve large-scale special-category data, you're exempt. Penalty for skipping this when required: up to $10M or 2% of global revenue.
Cross-Border Transfers in 2026
The EU-US Data Privacy Framework is the current primary mechanism for transferring personal data from the EU to the US. On September 3, 2025, the EU General Court dismissed a challenge to the DPF and confirmed the validity of the Commission's July 2023 adequacy decision. The court found that US law prioritizes targeted over bulk collection and that "substantially equivalent" protection - not identical - is the standard.

On October 31, 2025, the challenger appealed to the European Court of Justice. The DPF is valid today, but the uncertainty isn't fully resolved.
Practical advice: self-certify to the DPF through dataprivacyframework.gov and maintain Standard Contractual Clauses as a backup. SCCs remain the most widely used transfer mechanism - 88% adoption rate per an IAPP-EY survey. The Dutch DPA's $290M fine against a ride-sharing company in July 2024 for removing SCCs and relying on non-binding guidance shows what happens when you get creative with transfer mechanisms.
How Much Compliance Costs
| Company Size | Year 1 Cost | Ongoing Annual |
|---|---|---|
| Small (under 50 employees) | $5k-$30k | $3k-$12k |
| Mid-sized (50-500) | $30k-$150k | $20k-$60k |
| Enterprise (500+) | $250k-$1M+ | $100k-$500k+ |
The big line items: privacy attorneys run $300-$1,000/hr, a data audit costs $5k-$20k, compliance software runs $5k-$50k/yr, and each individual DSAR can cost $1,400-$3,000 in staff time and legal review.
Look - if you're a 10-person startup with three EU customers, your compliance program is a $5k-$15k project, not a $200k one. Get a privacy attorney for a few hours, implement a proper consent mechanism, sign DPAs with your vendors, and build a DSAR response template. Skip the enterprise compliance platform until you actually need it - focus on the basics of cold email infrastructure and vendor controls first.
GDPR vs. US State Privacy Laws
| Dimension | GDPR | CCPA/CPRA |
|---|---|---|
| Consent model | Opt-in (6 lawful bases) | Opt-out |
| Response timeline | 1 month | 45 days |
| Cross-border transfers | SCCs / BCRs / DPF required | No equivalent |
| Special categories | Strict protections | Narrower definitions |

CCPA compliance isn't GDPR compliance. The consent models are fundamentally different - opt-out vs. opt-in - and GDPR's cross-border transfer requirements have no US equivalent. If you've built a CCPA program and assume you're covered for the EU, you're not - especially if you're running cold email marketing or broader B2B email marketing.
FAQ
What happens if a US company ignores GDPR?
EU authorities can and do fine US companies - US firms have paid $4.68B since 2018. Maximum penalties reach $20M or 4% of global revenue. But the bigger lever is practical: EU partners and customers will refuse to work with non-compliant vendors, killing deals before regulators even get involved. We've watched companies lose six-figure contracts over a missing DPA.
Can I block EU users instead of complying?
If you have no EU establishment and don't target or monitor EU users, the regulation likely doesn't apply - IP blocking serves as evidence of non-targeting. But if your company is already in scope, blocking doesn't remove existing obligations for data you've already collected.
Do I need GDPR-compliant tools for EU prospecting?
Yes. Any tool processing EU personal data on your behalf is a data processor under GDPR, and you're responsible for their compliance. Your providers need to offer DPAs and enforce opt-outs. Before signing up for any prospecting tool, ask two questions: do they provide a DPA, and how do they handle opt-out requests? If the answer to either is vague, walk away.
