The GDPR's extraterritorial scope (Article 3(2)) makes it applicable to businesses with no establishment in the EU, including those in the United States, whenever they offer goods or services to data subjects in the Union or monitor their behaviour there. There is no size threshold: the 250-employee figure that is often quoted only relaxes the record-keeping duty in Article 30; it does not limit who the Regulation applies to.
For instance, if your website sets tracking cookies on visitors' devices, the GDPR applies to your visitors in the EU, and the UK GDPR applies in the same way to visitors in the UK. Noncompliance can result in fines.
How GDPR Is Enforced on U.S. Companies
GDPR applies to non-EU companies if they offer goods or services to data subjects in the Union or monitor their behaviour (for example by tracking their browsing). A U.S. company that falls within this scope has to meet the same requirements as a company established in the EU.
For instance, if your site is offered in the language of an EU member state (where that is not also the language of your home market), quotes prices in euros, or ships to EU addresses, regulators treat these as indicators that you are targeting people in the EU (Recital 23), which brings you within the GDPR. Merely being reachable from the EU is not enough on its own.
To comply with GDPR as a US company, you can use the following checklist, with the advice of your local privacy counsel:
- Comply with GDPR cookie consent
- Designate a data protection officer where Article 37 requires one (for example, when your core activities involve large-scale, regular and systematic monitoring of individuals), and in any case name someone accountable for EU and UK data
- Inform consumers how you're collecting their data and for what purposes
- Have a data processing agreement with your vendors
- Review your data processing protocols and tighten security
- Prepare a breach response plan (a notifiable breach must be reported to the supervisory authority within 72 hours of becoming aware of it, Article 33)
- Observe cross-border data transfer rules
- Appoint an EU representative (Article 27), unless your processing is only occasional, involves no large-scale special-category data, and is unlikely to pose a risk to individuals
Complying with GDPR cookie consent means visitors must give an explicit, affirmative opt-in before non-essential cookies are stored on their devices. Pre-ticked boxes, continued browsing, or a banner that merely announces that cookies are in use do not count as consent (the CJEU said as much in Planet49, C-673/17). Implement it with an unticked checkbox or a clearly labelled accept button, and record the choice so you can demonstrate it later.
Following the above GDPR compliance checklist and consulting your local privacy counsel could help reduce the risk of EU regulatory action.
Fines for Non-Complying U.S. Companies
It pays to be GDPR compliant, given that Article 83 sets two tiers of administrative fines: up to €10 million or 2% of worldwide annual turnover for the lower tier, and up to €20 million or 4% of worldwide annual turnover for the more serious infringements (such as breaching the basic principles of processing, consent rules, or data subject rights), in each case whichever is higher.
How GDPR Applies to Your eCommerce Data Stack
If you run a Shopify or BigCommerce store, you're likely using a tech stack that spans multiple vendors. Each integration—from Klaviyo for email marketing to Google Analytics for traffic tracking to Meta Pixel for retargeting ads—collects and processes customer data. Under GDPR, you're responsible for all of it.
This matters because GDPR doesn't distinguish between data you collect directly and data your third-party tools collect on your behalf. If a customer from Germany visits your store and Meta Pixel fires on page load, that person's data is being sent to Meta because you placed the pixel there. You need the right contractual basis for that: a data processing agreement (DPA) under Article 28 for tools that act purely as your processor, and, for tools like Meta Pixel where the vendor also decides how it uses the data, the joint-controller arrangement the vendor offers (the CJEU's Fashion ID ruling, C-40/17, treated a site operator embedding a Facebook plugin as a joint controller for the collection).
For your Shopify store specifically, you should audit every app you've installed. Does the analytics tool have a DPA? Does your email platform? Your review system? Your chatbot? Any gap here is a compliance gap.
The practical step: Create a spreadsheet listing every tool connected to your Shopify admin or website. Note whether each vendor has signed a DPA with you and what role (processor or joint controller) it plays. Contact vendors who haven't; most reputable ones will provide a DPA on request. This inventory closes one of the most common gaps regulators find at eCommerce brands and is the foundation for the access-request and transfer work described below.
Data Subject Access Requests (DSARs) and Your Response Obligations
One of the least visible but most operationally demanding GDPR requirements is handling a data subject access request (DSAR). When an EU or UK customer emails asking "give me all the data you have on me," Article 12(3) gives you one month to respond, extendable by up to two further months for complex or numerous requests, provided you tell the requester about the extension (and why) within the first month.
For eCommerce brands, this is complicated. A customer's data might live in your Shopify customer database, your email marketing platform, your analytics tool, your advertising accounts, and your fulfillment system. Manually pulling this together across systems is slow and error-prone.
You need a process: designate someone responsible for DSAR responses, create a template email acknowledging receipt, and set a reminder system to hit the one-month deadline. Many mid-market brands underestimate how often these requests come, especially if you have thousands of EU customers.
If you miss the deadline or provide incomplete data, you can be fined. Even more costly: customers may escalate to their local data protection authority, triggering an investigation that extends beyond just that one request.
Set up a folder or ticketing system where DSARs are logged the moment they arrive. Document what data you found, where you found it, and what you sent to the customer. This evidence of good-faith effort matters if a regulator ever looks at your practices.
Cookie Consent Beyond the Banner
Installing a cookie banner is necessary but not sufficient. Your banner needs to do more than notify visitors—it must capture genuine consent before tracking begins.
This means your Meta Pixel, Google Analytics, and other tracking pixels should not fire until a visitor actively accepts cookies. Many Shopify stores violate this by loading Google Analytics automatically, then asking for consent afterward. Regulators treat that as tracking without consent: the request to the vendor has already left the browser, and asking afterwards does not undo it.
Your banner should also distinguish between essential cookies (needed to run checkout) and non-essential ones (analytics, retargeting). Visitors must be able to keep essential cookies while rejecting tracking, and a "reject all" button must be as prominent as "accept all".
Additionally, consent is not permanent. You should re-prompt customers periodically (every 6-12 months is common practice) and provide an easy way for them to withdraw consent at any time, since Article 7(3) requires withdrawal to be as easy as giving consent. Note that unsubscribing from your Klaviyo list only withdraws email-marketing consent; cookie consent is a separate choice, so you also need a control that withdraws it and stops retargeting pixels from firing on later page loads.
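The gating described above, as an added example that is not code from the original article or from any vendor: a small consent gate in plain JavaScript that registers tag loaders up front but only runs them once the visitor has granted the matching category, unloads them on withdrawal, and keeps a timestamped consent record. The category names, tag names, and policy version are assumptions; the loaders only record calls so the file runs in Node, whereas in a real store `load` would inject the vendor's script tag.

```javascript
// Added example (not from the original article): a minimal consent gate for third-party tags.
// Non-essential tags are queued and fire only after an affirmative choice; nothing fires "before the click".

const CATEGORIES = ["essential", "analytics", "marketing"]; // assumed taxonomy for this example

class ConsentGate {
  constructor({ policyVersion = "assumed-v1", now = () => new Date() } = {}) {
    this.policyVersion = policyVersion;
    this.now = now;
    this.tags = [];       // { name, category, load, unload, fired }
    this.consent = null;  // null until the visitor has made a choice
    this.log = [];        // consent records kept so the controller can demonstrate consent (Art. 7(1))
  }

  register(name, category, load, unload = () => {}) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, load, unload, fired: false };
    this.tags.push(tag);
    // Essential tags (cart/session) need no consent and may run immediately.
    if (category === "essential") this._fire(tag);
  }

  // Called when the visitor clicks "Accept all", "Reject all" or "Save choices".
  decide(choices) {
    const record = {
      at: this.now().toISOString(),
      policyVersion: this.policyVersion,
      analytics: Boolean(choices.analytics),
      marketing: Boolean(choices.marketing),
    };
    this.consent = record;
    this.log.push({ action: "decide", ...record });
    for (const tag of this.tags) {
      if (tag.category !== "essential" && record[tag.category]) this._fire(tag);
    }
    return record;
  }

  // Withdrawal must be as easy as giving consent (Art. 7(3)): stop the tags and record the change.
  withdraw(category) {
    if (!this.consent || category === "essential") return;
    this.consent = { ...this.consent, [category]: false, at: this.now().toISOString() };
    this.log.push({ action: "withdraw", category, at: this.consent.at });
    for (const tag of this.tags) {
      if (tag.category === category && tag.fired) { tag.unload(); tag.fired = false; }
    }
  }

  allowed(category) {
    return category === "essential" || Boolean(this.consent && this.consent[category]);
  }

  firedTags() {
    return this.tags.filter(t => t.fired).map(t => t.name);
  }

  _fire(tag) { if (!tag.fired) { tag.load(); tag.fired = true; } }
}

// Walk-through with constructed tags (hypothetical names; loaders only record calls here).
function demo() {
  const calls = [];
  const gate = new ConsentGate({ policyVersion: "2024-01" });
  gate.register("shopify_session", "essential", () => calls.push("load:shopify_session"));
  gate.register("ga4", "analytics", () => calls.push("load:ga4"), () => calls.push("unload:ga4"));
  gate.register("meta_pixel", "marketing", () => calls.push("load:meta_pixel"), () => calls.push("unload:meta_pixel"));

  const beforeChoice = gate.firedTags();              // only the essential tag has run
  gate.decide({ analytics: true, marketing: false }); // "Save choices": analytics yes, retargeting no
  const afterChoice = gate.firedTags();
  gate.withdraw("analytics");                         // visitor changes their mind later
  return { beforeChoice, afterChoice, afterWithdraw: gate.firedTags(), calls, log: gate.log };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the `log` array is the Article 7(1) burden of proof: when a regulator asks how you know a visitor consented, you can show the timestamp, the categories chosen, and which banner text (policy version) they saw.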
Test your own cookie banner by visiting your store as a new visitor in an incognito browser with the DevTools Network panel open and "preserve log" enabled. Do requests to the tracking vendors appear before you click anything? If yes, you have a compliance problem, regardless of what the banner says.
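The check above can be made repeatable by exporting the Network panel as a HAR file and scanning it offline. The script below is an added example, not code from the original article: it flags any request to a known tracking endpoint whose start time precedes the moment you clicked the banner (or every such request if you never clicked). The tracker host patterns are an assumption you should extend for your own stack, and the HAR entries are constructed inline to stand in for a real export.

```javascript
// Added example (not from the original article): offline audit of a HAR capture for tracking
// requests that left the browser before the visitor consented.

// Assumed endpoint patterns for common eCommerce trackers; extend for your own stack.
const TRACKER_PATTERNS = [
  { vendor: "Meta Pixel",         re: /^https:\/\/www\.facebook\.com\/tr[\/?]/ },
  { vendor: "Google Analytics",   re: /^https:\/\/(www\.google-analytics\.com|analytics\.google\.com|region\d+\.analytics\.google\.com)\/(g\/)?collect/ },
  { vendor: "Google Tag Manager", re: /^https:\/\/www\.googletagmanager\.com\/gtag\/js/ },
  { vendor: "Klaviyo onsite",     re: /^https:\/\/static\.klaviyo\.com\/onsite\// },
];

function classify(url) {
  const hit = TRACKER_PATTERNS.find(p => p.re.test(url));
  return hit ? hit.vendor : null;
}

// har: parsed HAR JSON ({ log: { entries: [...] } }).
// consentClickedAt: ISO timestamp noted when you clicked Accept, or null if you never clicked
// (then every tracking request counts as pre-consent).
function preConsentTrackers(har, consentClickedAt) {
  const cutoff = consentClickedAt ? Date.parse(consentClickedAt) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    const vendor = classify(entry.request.url);
    if (!vendor) continue;
    const started = Date.parse(entry.startedDateTime);
    if (started < cutoff) findings.push({ vendor, url: entry.request.url, at: entry.startedDateTime });
  }
  return findings;
}

// Constructed sample capture: a store page that loads GTM and the Meta Pixel on page load,
// and a GA hit that only goes out after the banner was accepted.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-03-01T10:00:00.100Z", request: { url: "https://example-store.myshopify.com/" } },
  { startedDateTime: "2024-03-01T10:00:00.400Z", request: { url: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" } },
  { startedDateTime: "2024-03-01T10:00:00.900Z", request: { url: "https://www.facebook.com/tr/?id=1234567890&ev=PageView" } },
  { startedDateTime: "2024-03-01T10:00:01.200Z", request: { url: "https://example-store.myshopify.com/cart.js" } },
  { startedDateTime: "2024-03-01T10:00:09.000Z", request: { url: "https://www.google-analytics.com/g/collect?v=2&en=page_view" } },
] } };
const CONSENT_CLICKED_AT = "2024-03-01T10:00:07.000Z"; // when "Accept all" was clicked in the sample visit

function auditSample() {
  return preConsentTrackers(SAMPLE_HAR, CONSENT_CLICKED_AT);
}

for (const f of auditSample()) {
  console.log(`PRE-CONSENT ${f.vendor} at ${f.at}: ${f.url}`);
}
```

To use it on a real capture, replace `SAMPLE_HAR` with `JSON.parse(fs.readFileSync("store.har", "utf8"))` and `CONSENT_CLICKED_AT` with the time you clicked, then re-run after fixing the tag configuration; the output should be empty. Running the same check with `null` as the timestamp, against a visit where you clicked nothing, tells you what a visitor who ignores the banner is still sending.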
Cross-Border Data Transfers and Adequacy Decisions
For U.S. companies, Chapter V of the GDPR restricts moving EU customer data outside the EEA. The United States has no general adequacy decision; the EU-U.S. Data Privacy Framework adequacy decision (adopted July 2023, with a UK extension later that year) covers only organisations that have self-certified under the Framework. So you can't simply store EU customer data on AWS servers in Virginia, or hand it to a U.S. vendor, unless the recipient is DPF-certified or another transfer safeguard is in place.
Your hosting provider, email platform, and backup vendor all matter here. If Klaviyo stores EU customer data in U.S. data centers, the transfer needs a valid mechanism: the vendor's DPF certification, or the Commission's 2021 Standard Contractual Clauses (SCCs) incorporated into your data processing agreement together with a transfer impact assessment of the destination country, as Schrems II requires.
For eCommerce brands, this often means reviewing your terms with Shopify, your hosting provider, and any cloud storage service. Most major providers have SCCs in place, but smaller or niche vendors might not. This is a conversation to have with your privacy counsel and your vendors directly.
Practically: ask each vendor where they store data geographically, whether they are on the Data Privacy Framework list, and whether SCCs are executed with you. Document the answers alongside your vendor inventory. This protects both you and your customers.