What is GDPR?
TL;DR
The General Data Protection Regulation, a European Union law governing how businesses collect, store, and use personal data of EU residents. GDPR applies to any business (regardless of location) that collects data from people in the EU, meaning most websites with international visitors need compliance. Key requirements include: obtaining explicit consent before collecting data, clearly explaining what data you collect and why, giving users the right to access, correct, or delete their data, reporting data breaches within 72 hours, and only collecting data you actually need. For marketing, GDPR impacts Email List building (you need documented consent), Google Analytics 4 (you need consent for tracking), cookies (you need a Cookie Consent banner), and forms (you must explain data usage). Non-compliance can result in fines up to €20 million or 4% of global revenue. Even if you're a small U.S. business, if EU visitors use your site, GDPR technically applies. Practical compliance includes: a clear Privacy Policy, cookie consent banner, Double Opt-In for emails, and processes for handling data requests.
Frequently Asked Questions About GDPR
Does GDPR apply to my small business in the US?
Technically yes, if anyone from the EU visits your website or joins your email list. In practice, enforcement against small US businesses is rare. But basic compliance (consent banner, privacy policy, opt-in email) is good practice regardless and protects you.
What does GDPR require for email marketing?
Explicit, documented consent before adding anyone to your list. No pre-checked boxes, no automatic opt-ins. You must explain what emails they'll receive and make it easy to unsubscribe. Double opt-in provides the strongest proof of consent.
Do I need a cookie consent banner?
For EU visitors, yes. GDPR requires consent before setting non-essential cookies (tracking, advertising). Essential cookies (login, shopping cart) don't require consent. Most consent banners let users choose which cookie types to allow.
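The rule in this answer, essential cookies always, non-essential cookies only after the matching consent choice, is easy to get wrong when a page sets cookies from many places. The following added example (not from the original page or from any consent-banner product) is a small consent gate: every cookie a page wants to write is looked up in a category map and only passes when its category has been opted into. The cookie names, the category map and the JSON consent record are assumptions for the demo; anything unknown or malformed is treated as "no consent", never as "yes".

```javascript
// Added example of a consent gate for non-essential cookies (not from the original page).
// Assumptions: the banner stores a JSON consent record; categories below are illustrative.
const COOKIE_CATEGORIES = {
  session_id: 'essential',   // login: no consent needed
  cart: 'essential',         // shopping cart: no consent needed
  _ga: 'analytics',          // Google Analytics 4 client id: needs consent
  _gid: 'analytics',
  ad_click: 'advertising',   // ad attribution: needs consent
};

// State before the banner has been answered: nothing non-essential is allowed.
function defaultConsent() {
  return { analytics: false, advertising: false, recordedAt: null };
}

// Parse the consent record the banner stored (assumed JSON in a single cookie).
// Only an explicit boolean true counts; strings, numbers or bad JSON fall back to defaults.
function parseConsent(raw) {
  const consent = defaultConsent();
  if (!raw) return consent;
  try {
    const parsed = JSON.parse(raw);
    consent.analytics = parsed.analytics === true;
    consent.advertising = parsed.advertising === true;
    consent.recordedAt = typeof parsed.recordedAt === 'string' ? parsed.recordedAt : null;
  } catch (_) {
    // malformed record: keep the deny-by-default values
  }
  return consent;
}

// May this cookie be written under the current consent state?
function cookieAllowed(name, consent) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) return false;  // unclassified cookies are denied by default
  if (category === 'essential') return true;
  return consent[category] === true;
}

// Split the cookies a page wants to set into allowed and blocked lists.
function gateCookies(requested, consent) {
  const allowed = [];
  const blocked = [];
  for (const c of requested) {
    (cookieAllowed(c.name, consent) ? allowed : blocked).push(c);
  }
  return { allowed, blocked };
}

// Build document.cookie assignment strings for the allowed cookies only.
function cookieStrings(requested, consent) {
  return gateCookies(requested, consent).allowed.map(
    (c) => `${c.name}=${encodeURIComponent(c.value)}; Path=/; SameSite=Lax; Secure`
  );
}

// Constructed demo input: what a typical page would try to set on first load.
const wantedCookies = [
  { name: 'session_id', value: 'abc123' },
  { name: '_ga', value: 'GA1.1.111.222' },
  { name: 'ad_click', value: 'x' },
  { name: 'tracker_xyz', value: '1' },   // not in the category map
];

console.log('no banner answer yet:', gateCookies(wantedCookies, parseConsent(null)));
console.log('analytics only:',
  gateCookies(wantedCookies, parseConsent('{"analytics":true,"advertising":false}')));
```

In a real page the `cookieStrings` output is what you assign to `document.cookie`, and tag loaders (such as the GA4 snippet) should be wrapped in the same `cookieAllowed` check so that the script itself is not loaded before consent, not just its cookie.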
What happens if someone requests their data be deleted?
You must comply within 30 days. This means removing them from your email list, deleting their account data, and removing their information from any systems you control. Have a process ready before requests come.
What's the difference between GDPR and CCPA?
GDPR (EU) is broader: it requires consent before collecting data. CCPA (California) focuses on disclosure and opt-out rights. You must tell users what you collect and let them opt out of sales. GDPR is generally more strict.
Terms Related to GDPR
CCPA
The California Consumer Privacy Act, a state law giving California residents rights over their personal data, including...
Cookie Consent
Permission from website visitors before setting non-essential cookies on their devices, typically obtained through a con...
Double Opt-In
A subscription process requiring email confirmation before adding someone to your Email List: they sign up, then must cl...
Privacy Policy
A legal document explaining what personal data your business collects, how you use it, who you share it with, and what r...
ADA Compliance
Making your website accessible to people with disabilities, as covered by the Americans with Disabilities Act and interp...
CAN-SPAM
The Controlling the Assault of Non-Solicited Pornography And Marketing Act, a US law regulating commercial email since 2...