GDPR vs CCPA: What Small Website Owners Need to Know
GDPR and CCPA/CPRA are the two privacy laws small site owners hear about most often. Neither requires a law degree to understand at a basic level — here's what each one actually expects.
Published 2026-06-13
Two different laws, two different regions
The General Data Protection Regulation (GDPR) is an EU and UK law that applies to how personal data of people in the EU/UK is collected and processed — regardless of where the business itself is based.
The California Consumer Privacy Act, as updated by the CPRA (often referred to together as CCPA/CPRA), is a US state law that gives California residents specific rights over the personal information businesses collect about them.
If your site has any visitors from the EU/UK or California — which most public websites do — both laws are worth understanding at a basic level.
Who needs to think about GDPR
GDPR applies based on whose data you process, not where your company is registered. If EU/UK residents can use your site or sign up for your service, GDPR principles are relevant. Key ideas include:
- Having a clear legal basis for collecting and using personal data
- Telling people what you collect and why (your privacy policy)
- Letting people access, correct, or delete their data on request
- Getting consent for non-essential cookies and tracking
- Being careful about transferring data outside the EU/UK
Who needs to think about CCPA/CPRA
CCPA/CPRA mainly targets businesses that meet certain size or data-volume thresholds and that do business with California residents. Even smaller sites often choose to follow its core principles voluntarily, since they overlap heavily with GDPR-style practices. Core ideas include:
- Disclosing what categories of personal information you collect and why
- Telling users if you 'sell' or 'share' personal information (broadly defined, including some advertising/analytics arrangements)
- Providing a way for users to opt out of that sale/sharing
- Honoring requests to know, delete, or correct personal information
A practical checklist for small sites
You don't need to become a privacy lawyer to make meaningful progress. A reasonable starting point for most small websites and apps:
- Publish a clear, accurate privacy policy that lists what you collect and why
- Publish a cookie notice if you use analytics, ads, or tracking cookies
- Only enable non-essential cookies after consent where required (e.g. EU/UK visitors)
- Provide a working contact email for privacy requests
- Avoid collecting more data than you actually need
- Review and update your policies whenever you add new tools (analytics, ads, payment providers, new features)
Frequently asked questions
Does GDPR apply to me if my business isn't in the EU?
- GDPR can still be relevant if people in the EU/UK use your site or service. Many non-EU businesses choose to follow GDPR-style practices for all visitors to keep things simple, rather than maintaining separate rules per region.
Do I need a cookie consent banner?
- If you use non-essential cookies (analytics, advertising, personalization) and have visitors from regions like the EU/UK, a consent mechanism is generally expected before those cookies are set. Our free cookie banner snippet tool can help you get started.
What's the easiest first step toward compliance?
- Start with an accurate privacy policy and cookie notice that reflect what your site actually does today. From there, add a cookie consent banner if you use non-essential cookies, and revisit your policies whenever your tooling changes.