Does the GDPR Apply to American Organizations? - IT Governance USA Blog (2025)

GDPR scope, applicability, and key requirements

Does the EU GDPR (General Data Protection Regulation) apply in the US?

Yes, if your organization offers goods or services to, or monitors the behavior of, EU residents, irrespective of their citizenship. Equally, the EU GDPR doesn’t apply to US residents or customers, even if they’re EU citizens.

The GDPR was introduced to, among other things, ensure a consistent approach to data protection across Europe. It also forces non-European organizations that do business in the EU to meet its high data protection standards.

So, can US companies ignore the GDPR? Not if you’re doing business in the EU.

In this blog

  • Is the GDPR enforceable in the US?
  • What countries are covered by the GDPR?
  • Is there a GDPR equivalent in the US?
  • Can you store data in the US under the GDPR?
  • What are the key areas of the GDPR?
  • How do I comply with the GDPR?

Is the GDPR enforceable in the US?

The GDPR introduced significant maximum fines: up to the greater of €20 million (about $22 million) or 4% of global annual turnover.

But are US organizations receiving GDPR fines?

In a word: Yes. Various American companies have been fined under the GDPR, including a €91 million (about $97 million) fine to Meta, issued by the Irish Data Protection Commission in September 2024. This was a fine for infringements of multiple GDPR articles.

What countries are covered by the GDPR?

This is an interesting question.

Though the primary scope is the EU, as we’ve already established, the GDPR can apply to American companies or sites. For that matter, it can apply to organizations based in any country around the world if they’re offering goods or services to, or monitoring the behavior of, EU residents.

And if you are not processing the data of EU residents?

Then it may still be worth complying with the GDPR.

As the Regulation is internationally acknowledged as the ‘gold standard’ when it comes to privacy legislation, we’ve since seen many more laws like it emerge, including in the US. Considering the EU GDPR’s scope, this shouldn’t be a surprise – the EU is a huge market, and companies around the world want access.

It means that, if you’re meeting the GDPR requirements – if you’re GDPR compliant – you’ve met, or have the tools to meet, many other data privacy laws across the globe. This includes, of course, laws based on the EU GDPR, such as the UK GDPR, as well as state-level privacy laws.

Is there a GDPR equivalent in the US?

For the US version of the GDPR, many point to the CPRA (California Privacy Rights Act).

The US has also seen a proposed federal law: the APRA (American Privacy Rights Act). However, this is only a proposal – to date, the US lacks an enforced privacy law at federal level. As data privacy lawyer Kirsten Craig pointed out:

The US data privacy landscape [is] a complex and varied patchwork of laws.

That’s because data protection laws in the US are either sector-specific, such as HIPAA (Health Insurance Portability and Accountability Act), or state-specific, such as the CPRA.


Can you store data in the US under the GDPR?

One of the protections the EU GDPR offers personal data is that it may not be transferred outside the EU unless an appropriate safeguard is in place. This includes data transfers for storage purposes.

One such mechanism is the DPF (Data Privacy Framework). This allows US organizations that sign up to the program to transfer PII (personally identifiable information) to the EU, the UK, and Switzerland.

US organizations can also use SCCs (standard contractual clauses) or BCRs (binding corporate rules) for international transfers of personal data under the GDPR.

What are the key areas of the GDPR?

The six data protection principles are a good place to start. These lie at the heart of the GDPR:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality

In effect, these are telling you to look after the data belonging to natural, living persons. The principles demand that you think hard about:

  • What personal data do you collect?
  • Why (for what purpose) are you collecting it?
  • What lawful basis can you rely on to process data for that purpose?
  • Given that purpose, how long do you need to keep the data for? (Make this as short as possible.)
  • What processes or other measures are you putting in place to make sure the data remains accurate?
  • What appropriate technical and organizational measures are you implementing to keep the data you’re entrusted with safe?

This isn’t an exhaustive list, but it gives you a good sense of the types of questions to ask. Many of them aren’t unreasonable demands.

In fact, they reflect good business practices – you shouldn’t be collecting, storing, or processing data you don’t need. Doing so doesn’t just cost unnecessary time and money; it also exposes your organization to a significantly greater risk of a data breach that damages your company financially and reputationally.

By limiting the data to what you need, you can operate more efficiently and cost-effectively as a business.

How do I comply with the GDPR?

To get more advice on how to comply with the data protection principles and other GDPR requirements subject to the maximum fines, download our free green paper: General Data Protection Regulation (GDPR) – A compliance guide for the US.

In addition to the key principles, this paper also covers:

  • The six lawful bases
  • The eight data subject rights
  • What your privacy notice should contain
  • How to lawfully transfer personal data internationally

