Who does GDPR apply to?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Here's what catches US businesses off guard: GDPR applies based on where your subscribers are, not where your company is based. If you have EU residents on your email list, you're subject to GDPR. Doesn't matter if you've never set foot in Europe.

The regulation applies to data controllers (the organization deciding what data to collect and why. That's you) and data processors (organizations processing data on your behalf, like your ESP). If you're using Mailchimp to send to EU subscribers, both you and Mailchimp have GDPR obligations, though different ones. Your ESP typically handles their side through a Data Processing Agreement.

In practice: if you can't guarantee you have zero EU subscribers, treat GDPR as applicable. Most email lists pick up EU addresses over time, especially if you publish content anyone can find or sell to international customers. The safer default is treating GDPR as the standard, not hoping it doesn't apply.

GDPR has also become something of a global reference point. California, Canada, Brazil, and other regions have their own privacy laws that borrow heavily from the same principles. Building your consent practices around GDPR standards usually means you're well-positioned for most of them.

Not sure if GDPR applies to your specific setup? We can help you figure that out. Free call, no pitch.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me figure out if GDPR applies to me and what I need to do.

I read this on the Email Almanac about who GDPR applies to. I want to figure out whether GDPR actually applies to my email program and what I should do about it. My situation: 1. Do I have any EU subscribers or EU website visitors? yes / no / unsure, what percentage roughly? 2. Where is my business registered? country 3. What does my current opt-in process look like? [single opt-in / double opt-in / at purchase / imported / other] 4. Do I have a Data Processing Agreement with my ESP? yes / no / unsure 5. Have I had any GDPR-related subscriber requests (access, deletion, etc.)? yes / no --- My details: - Email platform/ESP: e.g. Mailchimp, Kit, Klaviyo, HubSpot, Brevo - Domain(s): your sending domain - Sending volume: e.g. 10,000/month - Audience locations: mostly US / EU-heavy / global / unsure - Business type: B2B / B2C / newsletter / SaaS / e-commerce - Privacy policy in place: yes / no / in progress

Edit the yellow boxes, then send to the AI of your choice.