"We don't have an office in Europe"
It's the most common reason US companies give for skipping cookie consent, and it misreads how the GDPR defines its own reach. Article 3 was written to follow the data of people who are in the EU, not to stop at the EU's borders, and it doesn't ask where the person lives or what passport they hold. Whether you have a European office is only one of two triggers, and it's not the one that catches most American websites.
The two triggers in Article 3
Article 3 sets the GDPR's territorial scope with two separate criteria:
- Establishment (Article 3(1)): if you process data "in the context of the activities of an establishment" in the EU, the GDPR applies, regardless of where the processing happens. This is the branch-office test.
- Targeting (Article 3(2)): even with no EU establishment at all, the GDPR applies if your processing relates to (a) offering goods or services to people in the EU, whether or not payment is involved, or (b) monitoring their behaviour as it takes place in the EU.
Most US companies get caught by the second one.
"Offering goods or services": intention matters
Merely having a website that Europeans can reach isn't enough on its own. The EDPB's Guidelines 3/2018 look for evidence that you intended to offer to people in the EU. Signals include using an EU language or currency, mentioning EU customers, shipping to EU countries, using an EU country top-level domain, or running marketing aimed at an EU audience. If your checkout offers euros and ships to Germany, you're offering goods to people in the EU.
"Monitoring behaviour": this is the one that catches everyone
The second limb of Article 3(2) is where most sites land without realising it. Tracking the behaviour of people in the EU, through analytics, profiling, behavioural advertising, or similar, is monitoring. The EDPB specifically points to online tracking through cookies and techniques such as browser fingerprinting, and to behavioural advertising, as examples. It is careful to add that not every online collection of data counts: what matters is whether the data is collected for the purpose of behavioural analysis or profiling. Standard analytics and advertising tags exist for exactly that purpose. So if EU visitors reach your site and you run Google Analytics, a Meta Pixel, or any behavioural ad tag on them, you're monitoring their behaviour in the EU, and Article 3(2) applies to that processing. The EDPB has been explicit that this covers tracking someone across sites to build a profile, which is exactly what a standard advertising pixel does.
You don't have to sell anything in Europe. A US content site with EU readers and standard ad tracking is monitoring behaviour, and needs to handle consent for those visitors accordingly.
What this means in practice
If any meaningful share of your traffic comes from the EU or UK and you run non-essential tracking, assume the consent rules apply to those visitors. Strictly, the requirement to get consent before setting non-essential cookies comes from the ePrivacy rules (each EU member state's national cookie law, and PECR in the UK), while the GDPR sets the standard that consent has to meet. In practice that means prior consent before analytics and advertising cookies fire, a reject option as easy as accept, and a record of what each visitor was shown and chose. It doesn't mean you have to show a heavy opt-in banner to your US traffic, who fall under a different regime.
A concrete example
Say you run a US-based SaaS with a public marketing site. You don't sell in Europe and you have no EU office. But your blog ranks for terms that pull in readers from Ireland, the Netherlands, and Germany, and every page runs Google Analytics and a LinkedIn ad pixel. Under Article 3(2), you're monitoring the behaviour of people in the EU. The GDPR applies to that monitoring, which means those visitors need prior consent before the analytics and pixel fire. Being "US-based" changes nothing, because the trigger is where the visitor is, not where you are.
The UK works the same way
Leaving the EU didn't change this. The UK GDPR keeps an equivalent Article 3, with "United Kingdom" substituted for "Union", and the Privacy and Electronic Communications Regulations (PECR) still require consent for non-essential cookies. A US company with UK visitors faces the same targeting-and-monitoring analysis, enforced by the ICO. So "we only deal with the US" has to account for people in both the EU and the UK who reach your site.
US state laws don't let you off either
Even setting the GDPR aside, US companies increasingly face their own consent and opt-out rules. California's CPRA, plus comprehensive privacy laws now in effect across more than a dozen states, give users a way to opt out of sale or sharing, and several of them (California, Colorado and Connecticut among others) require honouring opt-out preference signals like Global Privacy Control. "We're US-only" is turning into its own compliance obligation, not an exemption. See the US state privacy laws guide.
The practical answer: serve the right banner by region
You don't have to choose between annoying your US visitors and exposing your EU ones. Detect the visitor's region and serve the appropriate experience: opt-in before tracking for EU and UK visitors, an opt-out and preference-signal path for the relevant US states, and a lighter touch elsewhere. CookieBeam runs region-aware banners from a single install, so a US company with EU traffic can meet Article 3(2) for the visitors it applies to without over-asking everyone else. To confirm whether you even need a banner for a given audience, see do I need a cookie banner.
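What the region-aware approach looks like at the gating layer, as an added example written for this page rather than CookieBeam's own code. It assumes the server has already resolved the visitor to a region code such as "DE", "GB" or "US-CA" (a geo-IP lookup is the usual source), that every non-essential tag loads only through gateTags() rather than a static script element, and that the US opt-out state list and the banner version string are illustrative placeholders to be checked against current law and your own deployment.

```javascript
// Added example, not CookieBeam code. Region-aware consent gating for tags.
// Assumptions: region codes like "DE", "GB", "US-CA" arrive pre-resolved from a
// geo lookup; the state list and banner version below are illustrative only.

// EU member states plus the three EEA states the GDPR also covers.
const EU_EEA = new Set([
  "AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR","HU","IE","IT",
  "LV","LT","LU","MT","NL","PL","PT","RO","SK","SI","ES","SE","IS","LI","NO",
]);

// US states whose laws require honouring an opt-out preference signal.
// Illustrative set (assumption): the list changes, verify against current law.
const US_OPT_OUT_STATES = new Set(["CA","CO","CT","MT","OR","TX"]);

// Map a region code to the consent regime the banner must implement.
function consentRegime(region) {
  const [country, sub] = region.toUpperCase().split("-");
  if (EU_EEA.has(country) || country === "GB") return "opt-in";   // GDPR / UK GDPR + ePrivacy / PECR
  if (country === "US" && US_OPT_OUT_STATES.has(sub)) return "opt-out";
  return "notice";                                                  // no consent law modelled here
}

// Decide whether non-essential tags may run for this visitor.
// storedChoice: "accept" | "reject" | null (no recorded choice yet).
// gpc: the Global Privacy Control signal. In a browser read
//      navigator.globalPrivacyControl === true; server-side, the "Sec-GPC: 1" header.
function nonEssentialAllowed({ region, storedChoice = null, gpc = false }) {
  switch (consentRegime(region)) {
    case "opt-in":
      return storedChoice === "accept";           // silence and "reject" both block
    case "opt-out":
      return !(gpc || storedChoice === "reject"); // on by default; GPC or an explicit opt-out turns it off
    default:
      return storedChoice !== "reject";
  }
}

// Return the names of the tags allowed to load for this visitor. Essential
// tags (own-site session, CSRF token, load balancing) never need consent;
// everything else passes through the gate above.
function gateTags(visitor, tags) {
  const allowed = nonEssentialAllowed(visitor);
  return tags.filter(t => t.essential || allowed).map(t => t.name);
}

// Build the consent record to persist (first-party cookie or server side).
// Storing the regime and the banner version lets you show later what the
// visitor was presented with and what they chose.
function consentRecord(visitor, choice, now = new Date()) {
  return {
    region: visitor.region,
    regime: consentRegime(visitor.region),
    choice,
    gpc: Boolean(visitor.gpc),
    bannerVersion: "banner-v1",   // hypothetical identifier for the banner text/layout shown
    recordedAt: now.toISOString(),
  };
}

// Constructed sample tag list and visitors, matching the SaaS scenario above.
const TAGS = [
  { name: "session",        essential: true  },
  { name: "ga4",            essential: false },
  { name: "linkedin-pixel", essential: false },
];

function demo() {
  return {
    berlinFirstVisit: gateTags({ region: "DE" }, TAGS),                          // ["session"]
    berlinAccepted:   gateTags({ region: "DE", storedChoice: "accept" }, TAGS),  // all three
    californiaGpc:    gateTags({ region: "US-CA", gpc: true }, TAGS),            // ["session"]
    californiaNoGpc:  gateTags({ region: "US-CA" }, TAGS),                       // all three
  };
}
```

The point of keeping the regime decision in one function is that the same install serves all three audiences: an EU or UK visitor with no recorded choice gets nothing but essential tags until they accept, a Californian with GPC enabled is opted out without ever seeing a banner, and everyone else loads normally unless they reject. The consent record is what you hand to a regulator; a bare "accepted: true" without the regime and banner version is hard to defend.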
The cost of assuming you're exempt
Assuming you're out of scope is a bet, and the downside is one-sided. If you're right, you saved a consent banner for a slice of traffic. If you're wrong, you've been tracking people in the EU without the consent the rules require the whole time, which is the kind of finding that turns a routine complaint into a fine. A region-appropriate banner costs almost nothing to run and removes the bet entirely.
Sources
- GDPR Article 3 (territorial scope), gdpr-info.eu
- EDPB Guidelines 3/2018 on the territorial scope of the GDPR, edpb.europa.eu