Do US Companies Need to Comply With GDPR?
Yes, a US company can be bound by GDPR with no office, no staff, and no servers anywhere in Europe. But not every US company is, and the difference comes down to a specific test written into the law. We get this question most weeks, and the confusion runs in both directions: some US founders assume GDPR is an EU problem that can't reach across the Atlantic, and others panic that any website a European can open drags them in. Both are wrong, and the truth sits in between.
Article 3(2) is the whole question
GDPR's reach over foreign companies is set by Article 3(2). In plain terms, it says the regulation applies to a company based outside the EU if that company does one of two things involving people who are in the EU: offers them goods or services, or monitors their behaviour. There is no revenue threshold, no minimum user count, and no requirement to have any EU entity. If one of the two triggers is met, GDPR applies to that processing. If neither is met, it does not. So the whole question turns on what those two triggers actually mean, because each is narrower than the panic reading and wider than the "not our problem" reading.
"Offering goods or services" means targeting, not accessibility
This is the trigger US companies most often get wrong. Under Article 3(2)(a), what counts is whether you intend to offer goods or services to people in the EU, not whether a European can technically reach your site. The European Data Protection Board set this out in its Guidelines 3/2018 on the territorial scope of the GDPR. A website being visible from Paris proves nothing on its own. Regulators look for evidence that you actually meant to serve EU customers: prices shown in euros, a proper EU-language version of the site rather than a browser auto-translation, shipping options to EU addresses, marketing aimed at European users, or simply signing up and billing customers you know sit in the EU.
Put it in concrete terms. A US SaaS company that lets a French business subscribe, charges it in euros, and emails invoices to Lyon is offering services in the EU, plainly. A family bakery in Ohio whose website a tourist in Madrid happens to load is not. Most real companies sit closer to one of those poles than they assume, and it is worth being honest about which.
"Monitoring behaviour" is the trigger people miss
The second trigger, Article 3(2)(b), reaches companies that never sell a thing in Europe. It applies when you monitor the behaviour of people while they are in the EU, which in practice means tracking them online: analytics that profile individual visitors, advertising pixels, cookies that build behavioural profiles, retargeting campaigns. If your marketing site runs an ad pixel or behavioural analytics and real people in the EU land on it and get tracked, you may be monitoring EU behaviour under 3(2)(b) even though you would never describe yourself as an EU business.
This is where we would push back on the confident founder who says "we don't sell to Europe, so GDPR can't touch us." Maybe you genuinely do not sell there. If you are running ad tech that follows EU visitors around your funnel, selling is not the only way in.
The obligation most US companies miss: an EU representative
Once GDPR does apply to you under Article 3(2), one requirement blindsides almost everyone: Article 27. It says a controller or processor caught by 3(2) must, in most cases, appoint a representative located in the EU. This is not a lawyer on retainer, and it is not a data protection officer. It is a named person or company, physically in an EU member state, who is your local point of contact so that EU individuals and their regulators have someone in their own jurisdiction to deal with. It also has to be named in your privacy policy, with a real address, so people can actually reach it.
Article 27(2) does provide an exemption, and it is worth reading rather than hoping. You can skip the representative if your processing is occasional, does not involve large-scale use of special-category data such as health or biometric information (or criminal-offence data), and is unlikely to result in a risk to people's rights. "Occasional" carries the weight. A company that runs EU users through its product every single day is not doing occasional processing, even at modest volume. A lot of small US companies talk themselves into this exemption when the facts do not support it.
What enforcement actually looks like
Here is the calmer truth, because the scare version is out of proportion. No European regulator is going to appear at your Delaware office and seize a server. Enforcement against a US company with no EU establishment runs through far more ordinary channels, and your representative sits at the centre of them.
Because you have no EU establishment, you also lose the "one-stop shop" that lets EU-based companies answer to a single lead authority. Any of the 27 national data protection authorities can act where your processing affects people in their country. Your Article 27 representative becomes the practical pressure point: under Article 27(4), the representative can itself face enforcement proceedings for your failures, which is why credible representatives charge real money for the exposure. The statutory ceiling for the representative failure sits in GDPR's lower tier, up to €10 million or 2% of global annual turnover under Article 83(4), though fines purely for a missing representative have so far been uncommon. It usually surfaces as an aggravating factor once an authority is already looking at you for something else.
The pressure that reaches most US companies first is not a regulator at all. It is an EU customer's procurement team, or a partner's vendor-security review, asking for your privacy documentation and the name of your EU representative before they will sign. For a US business, that is usually the door GDPR walks through.
Where the US-EU data deal fits, and where it does not
One reliable source of confusion is the EU-US Data Privacy Framework. As of 2026 it is valid law, though a French legislator's challenge is now on appeal at the Court of Justice of the EU after the General Court upheld the Framework in September 2025, so its long-term standing is not guaranteed. The Framework does one specific thing: it lets EU organisations transfer personal data to US companies that self-certify under it. That is a transfer question. It says nothing about whether GDPR applies to you in the first place, which is still governed entirely by Article 3(2). You can be outside the Framework and squarely inside GDPR's scope, or certified under it and never touched by Article 3(2) at all.
Not sure whether GDPR actually reaches your US company?