GDPR and CCPA for US Websites: Plain-English Guide

Guljar Hosen
Guljar Hosen
July 5, 2026 · 7 min read
SHARE THIS ARTICLE
GDPR and CCPA for US websites explained
Privacy laws can feel like they were written to confuse you, but for most US websites the practical steps are manageable. This guide explains GDPR and CCPA in plain English and what you actually need to do.
Key Takeaways
  • GDPR can reach US sites that serve EU visitors; CCPA covers many California consumers.
  • Consent for tracking and a clear cookie banner are central to both.
  • A real, accurate privacy policy is the minimum starting point.
  • You must be able to handle data access and deletion requests.

Who These Laws Apply To

The two laws have different footprints. GDPR is European, but it applies to any business that offers goods or services to, or tracks, people in the EU, regardless of where the business is based. So a US company with EU customers or even EU website visitors it profiles can fall under it. CCPA, and its successor the CPRA, protect California residents and apply to businesses that meet certain revenue or data-volume thresholds.

The takeaway for US owners is that geography doesn't shield you. If you sell to Europe, run ads targeting EU users, or do meaningful business with Californians, one or both laws may reach you. And California is not alone anymore; a growing number of US states have passed their own privacy laws with similar ideas.

  • GDPR follows EU users, not the business's location
  • CCPA covers California residents above set thresholds
  • More US states are passing similar laws
Map showing EU and California data privacy coverage
Let's talkLet's talk

Thinking about your next project?

Privacy Policies and Data Requests

A privacy policy is the baseline both laws expect, but it has to be true. It should explain what data you collect, why, who you share it with, how long you keep it, and how users can exercise their rights. A generic template that doesn't match what your site actually does can create more liability than protection, so it needs to reflect your real practices.

Both laws also grant individuals rights over their data, and you need a way to honor them. People can request a copy of their data, ask you to delete it, or opt out of certain uses. That means having a channel to receive requests, a process to verify who's asking, and the technical ability to find and remove someone's data across your systems.

  • Publish an accurate, specific privacy policy
  • Offer a channel for data access and deletion requests
  • Be able to verify requesters and locate their data
Privacy policy document open on a laptop
PricingPricing

See transparent, fixed-scope pricing

View PricingView Pricing
Compliance checklist being worked through on a tablet

Practical Compliance Steps

Start by mapping the data you collect and the tools that touch it, since you can't protect or explain what you don't know you have. Then implement a proper consent banner, publish an accurate privacy policy, and set up a simple process for handling data requests. Serve the whole site over HTTPS and minimize the data you collect to only what you truly need.

None of this is one-and-done. Privacy laws keep evolving and new US states keep joining, so revisit your setup periodically. For higher-risk situations, this guide is a starting point, not legal advice, and a privacy attorney is worth the money. But the technical and design work of compliance is very doable for a typical US site.

  • Map what data you collect and where it goes
  • Add a real consent banner and accurate policy
  • Set up a process for handling data requests

How NeoDimensional Helps

NeoDimensional is a US-based UI/UX design and software development agency, founded by Guljar Hosen. We handle the technical side of privacy compliance: proper consent banners that actually block trackers, data-request workflows, and sites built to minimize the data you collect.

If you're unsure whether your site meets GDPR or CCPA expectations, book a free call. We'll review your setup and build the pieces you're missing.

  • Consent banners that truly block trackers
  • Data-request workflows built in
  • Sites designed to minimize data collection
NeoDimensional team implementing privacy compliance on a site
Get startedGet started

Ready to build something great?

Start your projectStart your project

Frequently Asked Questions

Probably not, but check whether you track or market to EU visitors at all. GDPR follows the user, not your address, so even EU site visitors you profile can bring you into scope.

No. The banner has to offer real choices and your site must honor them by not loading blocked trackers. You also need an accurate privacy policy and a way to handle data access and deletion requests.

Yes. NeoDimensional is a US-based UI/UX and software development agency that implements compliant consent banners and data-request workflows. Book a free call to talk it through.

Guljar Hosen
WRITTEN BY

Guljar Hosen

Founder of NeoDimensional LLC

Guljar Hosen is the founder of NeoDimensional, a US-based UI/UX design and software development agency. He writes about design, development, and building digital products that ship and convert.

Work with Guljar