I'm Based in the US — Does GDPR Apply to Me?
The short answer: GDPR follows the person, not the company
GDPR's territorial scope (Article 3(2)) depends on where your users are and whether you target or monitor them — not where your company is incorporated. So if EU visitors hit your site and you run Google Analytics, Meta Pixel, or any behavioural tool, you're likely in scope.
The EDPB's 2024 report on extraterritorial enforcement spells out that EU DPAs can investigate non-EU entities; the Dutch DPA's €290M fine against Uber is one example (Dutch DPA press release, 2024).
Your company's legal incorporation in Delaware, Texas, or California is irrelevant to this analysis.
What matters is whether EU residents land on your site, and what you do with their data when they do.
The EDPB has confirmed this interpretation in Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), adopted 12 November 2019. These guidelines remain the authoritative reference for assessing extraterritorial scope.
I published a guide that might help US-based makers and founders:
"I'm Based in the US — Does GDPR Apply to Me?"
The post walks through the two-part test, what GDPR requires if you're in scope, and three practical steps (including why a CCPA cookie banner doesn't satisfy GDPR). All sources linked — EDPB guidelines, Article 3, enforcement report. Written for education, not legal advice.
If you're building for or auditing EU-facing products, it might be useful:
https://securespells.com/blog/gdpr-us-companies-guide
For a quick GDPR/ePrivacy read on your site: runtime scan at https://securespells.com — no signup, no email required.