Who does GDPR apply to?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Here's what catches US businesses off guard: GDPR applies based on where your subscribers are, not where your company is based. If you have EU residents on your email list, you're subject to GDPR. Doesn't matter if you've never set foot in Europe.
The regulation applies to data controllers (the organization deciding what data to collect and why. That's you) and data processors (organizations processing data on your behalf, like your ESP). If you're using Mailchimp to send to EU subscribers, both you and Mailchimp have GDPR obligations, though different ones. Your ESP typically handles their side through a Data Processing Agreement.
In practice: if you can't guarantee you have zero EU subscribers, treat GDPR as applicable. Most email lists pick up EU addresses over time, especially if you publish content anyone can find or sell to international customers. The safer default is treating GDPR as the standard, not hoping it doesn't apply.
GDPR has also become something of a global reference point. California, Canada, Brazil, and other regions have their own privacy laws that borrow heavily from the same principles. Building your consent practices around GDPR standards usually means you're well-positioned for most of them.
Not sure if GDPR applies to your specific setup? We can help you figure that out. Free call, no pitch.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.