What Is GDPR?
GDPR (General Data Protection Regulation) is a European Union privacy law that governs how organizations collect, use, and protect the personal data of people in the EU and UK. It applies to any business worldwide that handles EU or UK residents' data, including US companies with European visitors or customers. GDPR requires clear consent, transparency about data use, strong security, and respect for individual rights like access and deletion, with heavy fines for violations.
- Full name
- General Data Protection Regulation (EU)
- In effect since
- May 25, 2018 (European Commission)
- Applies to
- Any business handling EU/UK residents' personal data
- Maximum fine
- Up to 20 million euros or 4% of global revenue
What is GDPR? #
The General Data Protection Regulation (GDPR) is the European Union's comprehensive privacy law, in force since May 25, 2018. It sets rules for how organizations collect, store, use, and share the personal data of individuals in the EU, and the UK maintains an equivalent version after Brexit. Personal data under GDPR is broad, covering anything that can identify a person: names, email addresses, IP addresses, location data, cookies, and more. The law is built on the principle that individuals own their personal data and organizations merely borrow it under strict conditions. GDPR grants people rights over their data and imposes obligations on the businesses that handle it, backed by significant fines for non-compliance. Its reach is global, because it applies based on whose data is being processed, not where the business is located. This is why many US businesses, including small ones with European visitors, need to understand it. Our /wiki/website-privacy-laws-explained reference gives the broader context, and our /services/website-security team helps implement the practical safeguards GDPR expects.
Does GDPR apply to US businesses? #
Many US business owners assume GDPR is a European problem that does not concern them, but that is often wrong. GDPR applies based on whose personal data you process, not where your business sits. If your website collects data from people located in the EU or UK, whether through contact forms, newsletter signups, e-commerce orders, or even analytics cookies, GDPR can apply to you. Specifically, it reaches non-EU businesses that offer goods or services to EU residents or that monitor their behavior online. A US company actively selling to or marketing in Europe clearly falls under it. That said, a purely local business, like a plumber serving one US town with no European customers, generally has little practical exposure. The key question is whether you genuinely handle EU or UK residents' data. Because analytics and advertising tools can quietly collect data from any visitor, even domestic-focused sites sometimes touch it. Assess your actual situation rather than assuming either extreme. Our /services/web-design team builds compliant data handling into sites for businesses with any European audience.
What rights does GDPR give people? #
GDPR grants individuals a set of strong rights over their personal data, and businesses must be able to honor them. The right of access lets people ask what data you hold about them and receive a copy. The right to rectification lets them correct inaccurate data. The right to erasure, often called the right to be forgotten, lets them request deletion of their data in many circumstances. The right to restrict or object to processing lets them limit how their data is used, including opting out of marketing. The right to data portability lets them obtain their data in a usable format to move elsewhere. People also have rights around automated decision-making and profiling. Crucially, businesses must respond to these requests within set timeframes, usually one month, and generally without charge. Honoring these rights requires knowing what data you hold and where, which means good data management. Ignoring a valid request risks complaints and fines. Our /services/database-services team helps businesses organize data so these requests can be answered accurately and on time.
What is lawful basis and consent? #
Under GDPR, you cannot process personal data just because you want to; you need a valid "lawful basis" for each use. There are six lawful bases, including consent, contract, legal obligation, vital interests, public task, and legitimate interests. Consent is the most talked-about but also the most demanding: it must be freely given, specific, informed, and unambiguous, shown by a clear affirmative action. This is why pre-ticked boxes and "by using this site you agree" notices do not count. For cookies and marketing, valid consent usually means the visitor actively opts in. Legitimate interests can justify some processing without consent, but only after balancing your needs against the individual's rights and documenting that assessment. Choosing and documenting the correct lawful basis for each type of processing is a core GDPR requirement. Getting consent wrong is one of the most common compliance failures, especially around cookies and email marketing. Our /services/web-design team implements proper consent mechanisms, and our /tools/privacy-policy-generator helps document how and why you process data, supporting a defensible lawful basis.
What is a privacy policy under GDPR? #
GDPR requires transparency, and the privacy policy is the main way businesses provide it. Your privacy policy must clearly explain, in plain language, what personal data you collect, why you collect it, the lawful basis for processing, how long you keep it, who you share it with, whether it leaves the EU, and how people can exercise their rights. Vague, boilerplate policies do not satisfy GDPR; the information must be specific to your actual practices and genuinely understandable, not buried in legalese. The policy must be easily accessible, typically linked in your site footer. It should also name a contact for privacy questions and, where required, a Data Protection Officer. A privacy policy is not a one-time document either; it must be kept current as your data practices change. Many small businesses use generic templates that do not reflect what they actually do, which fails the transparency test. Getting this right builds trust as well as compliance. Our /tools/privacy-policy-generator produces a tailored starting point, and our /services/web-design team ensures it is properly linked and matched to your real data handling.
What are cookies and consent banners about? #
Cookie consent banners, those pop-ups asking permission to use cookies, exist largely because of GDPR and the related ePrivacy rules. Cookies and similar trackers often collect personal data, so using non-essential cookies, like analytics and advertising trackers, generally requires valid consent before they load. This is why compliant banners let visitors accept or reject categories of cookies rather than assuming agreement. Strictly necessary cookies that make the site function can be used without consent, but tracking and marketing cookies cannot fire until the visitor opts in. Many banners are non-compliant because they only offer "accept," use pre-ticked boxes, or load trackers before consent is given. Doing it properly means blocking non-essential cookies until the visitor actively agrees and making rejection as easy as acceptance. This has real technical implications for how analytics and ad tools are loaded on your site. Getting it wrong is a frequent source of complaints. Our /services/web-design and /services/website-security teams implement compliant consent management that blocks trackers until genuine consent is captured, keeping your analytics lawful.
What are the penalties for breaking GDPR? #
GDPR is backed by serious financial penalties, which is a major reason it commands attention worldwide. Regulators can impose fines up to 20 million euros or 4% of a company's total global annual revenue, whichever is higher, for the most serious violations. Lesser breaches carry fines up to 10 million euros or 2% of global revenue. Beyond fines, regulators can order businesses to stop processing data, which can be operationally devastating, and individuals can seek compensation for damages. There is also reputational harm, since GDPR enforcement actions are often public. In practice, regulators have pursued companies of all sizes, and while the largest fines target major corporations, smaller businesses are not immune, especially for clear failures like ignoring data subject requests or suffering a breach through negligence. Data breaches must generally be reported to authorities within 72 hours, and failing to do so compounds the penalty. The financial and operational stakes make compliance a genuine business priority, not a box-ticking exercise. Our /services/website-security team helps reduce breach risk and supports the safeguards that keep you on the right side of these rules.
How do you make a website GDPR-compliant? #
Making a website GDPR-compliant involves several practical steps that work together. Start by mapping what personal data you collect, why, where it is stored, and who it is shared with, since you cannot protect or explain data you have not inventoried. Establish a lawful basis for each type of processing and implement proper consent for anything that needs it, including a compliant cookie banner that blocks non-essential trackers until opt-in. Publish a clear, specific privacy policy and link it prominently. Build processes to honor data subject rights, like access and deletion requests, within the required timeframes. Secure the data with appropriate measures, since GDPR requires protection proportional to the risk, meaning encryption, access controls, and patching. Minimize the data you collect to only what you need, and set retention limits so you do not keep it forever. Review vendors and analytics tools for their own compliance. This is ongoing, not a one-time fix. Our /services/web-design and /services/website-security teams build these safeguards in, and our /tools/privacy-policy-generator and /tools/ada-compliance-checker help cover the documentation and accessibility angles.
GDPR alongside other privacy laws #
GDPR is the most influential privacy law, but it is not the only one, and US businesses increasingly face a patchwork of regulations. California's /wiki/what-is-ccpa (and its successor, the CPRA) gives California residents rights that echo GDPR, and other US states have passed their own privacy laws with varying rules. Because these laws overlap in principle, building your website around GDPR's strong standards often puts you in good shape for many others, since GDPR is among the strictest. However, each law has its own specifics, definitions, and thresholds, so compliance with one does not automatically satisfy another. The practical strategy for many businesses is to adopt privacy-respecting practices, clear disclosure, genuine consent, honored rights, and solid security, that hold up broadly, then address specific requirements for the jurisdictions that truly apply to them. Privacy law is also evolving quickly, so ongoing attention matters. Understand the wider landscape in our /wiki/website-privacy-laws-explained reference and compare with /wiki/what-is-ccpa, and our /services/web-design team builds sites with adaptable privacy foundations that handle multiple regimes rather than chasing each law separately.
FAQ
Does GDPR apply to my US-only business?
It depends on whether you actually handle EU or UK residents' data. A purely local US business with no European customers generally has little exposure. But if your site collects data from EU or UK visitors through forms, sales, or even some analytics and ad tools, GDPR can apply. Assess your real audience rather than assuming you are exempt.
What counts as personal data under GDPR?
Personal data is any information that can identify a person, directly or indirectly. That includes names, email addresses, phone numbers, IP addresses, location data, cookie identifiers, and more. The definition is deliberately broad, so much of what a typical website collects qualifies. If data can be linked to an individual, GDPR likely treats it as personal data requiring protection.
Do I really need a cookie consent banner?
If you use non-essential cookies like analytics or advertising trackers and have EU or UK visitors, generally yes. Compliant banners must let visitors reject as easily as accept and block non-essential cookies until they opt in. Banners that only offer 'accept' or load trackers before consent are non-compliant and a common source of complaints under GDPR.
How much can GDPR fines actually be?
For the most serious violations, up to 20 million euros or 4% of global annual revenue, whichever is higher. Lesser breaches can reach 10 million euros or 2%. Regulators can also order you to stop processing data. While the biggest fines hit large corporations, smaller businesses face penalties too for clear failures like ignoring data requests or negligent breaches.
Is a template privacy policy enough for GDPR?
Usually not on its own. GDPR requires your privacy policy to specifically and accurately describe your actual data practices in plain language. A generic template that does not match what you really collect and do fails the transparency requirement. Use a template as a starting point, then tailor it to your genuine practices, and keep it updated as those practices change.
If I comply with GDPR, am I compliant with US privacy laws too?
Not automatically, but you are often in a strong position. GDPR is among the strictest privacy laws, so meeting it covers many principles found in laws like CCPA. However, each law has its own specific requirements and thresholds, so you still need to address the particular rules of any US state law that applies to your business separately.
Was this helpful?