
GDPR privacy & cookie consent for US sellers: does it apply to you?

GDPR + the cookie rules require a clear privacy policy, lawful opt-in for non-essential cookies, and a way for people to exercise their data rights. Check yours in 60 seconds.


Does GDPR privacy & cookie consent apply if you're based in the US?

🌍 Short answer: Being based in the United States doesn't put you outside EU law. The EU's rules apply based on whether you offer goods or services to people in the EU — not on where your business is registered. If EU customers can buy from you, you're generally in scope.

There's no US carve-out: a US business selling into the EU is treated like any other for these rules. You may also have US equivalents (e.g. state privacy laws), but those are separate obligations from the EU rule on this page.

When you're in scope

For a US seller, this rule generally applies once you collect personal data from visitors in the EU or UK and sell to, ship to, or target customers in the EU. Collect data from EU/UK visitors? Check your privacy policy, cookie consent, and data-rights handling. Not sure? The free checker tells you in about a minute, with no signup.

What it requires

If you're in scope, you need to be able to answer "yes" to each of these — the points sellers most often get caught on:

What's at stake

⚠️ Exposure: up to €20M or 4% of global turnover (Art. 83) · Status: In force. EU regulators can act against non-EU sellers who reach EU customers.


Common questions

Do I have to comply with GDPR privacy & cookie consent as a US seller?

Being based in the United States doesn't put you outside EU law. The EU's rules apply based on whether you offer goods or services to people in the EU — not on where your business is registered. If EU customers can buy from you, you're generally in scope.

Do I need a cookie consent banner?

If you serve EU/UK visitors and use any non-essential cookies (analytics, advertising), yes — they must load only after the visitor opts in, with a Reject option as easy as Accept.

What must a GDPR privacy policy include?

What data you collect, why, the lawful basis, who you share it with, how long you keep it, international transfers, and how to exercise data rights — in plain language, available at collection.

What are the GDPR fines?

Up to €20 million or 4% of global annual turnover, whichever is higher — plus regulator orders and reputational damage.

The source

RuleGoose checks this against the EU GDPR (Reg. (EU) 2016/679), UK GDPR + ePrivacy/cookie rules. Read it yourself: EUR-Lex, Regulation (EU) 2016/679.


The full picture for US sellers

GDPR privacy & cookie consent is one of several EU rules that can reach a US business. See the full EU compliance guide for US sellers, or read the platform-neutral GDPR privacy & cookie consent guide.


Informational only, not legal advice, and not affiliated with the EU. Territorial scope can be fact-specific — confirm against the cited source. Last reviewed 2026-06-30.