Does GDPR Apply to My WordPress Site If I Am Based Outside the EU?

GDPR can apply to your WordPress site even if you have never set foot in Europe, hold no EU bank accounts, and run your servers from a basement in Kansas. Article 3(2) extends the regulation’s jurisdiction to any business worldwide that either offers goods or services to people in the EU or monitors their online behavior. Where you incorporated your company and where your hosting provider operates are irrelevant to this analysis.

But “can apply” does not mean “always applies.” The critical question is whether your site targets EU individuals or merely happens to be accessible from Europe. This distinction — established through CJEU case law, EDPB guidelines, and Recitals 23 and 24 — determines whether you face potential fines of up to €20 million or 4% of global annual turnover, or whether you can operate without European regulatory concern.

Two Independent Tests Determine GDPR Jurisdiction

Article 3(2) establishes two separate pathways through which a non-EU website falls under European data protection law. Either one alone triggers full GDPR obligations.

The offering goods or services test under Article 3(2)(a) asks whether your site demonstrates a “manifest intention” to serve EU individuals. Recital 23 makes clear that mere website accessibility from the EU is not enough. The EDPB’s Guidelines 3/2018 on territorial scope compile a non-exhaustive list of factors indicating targeting intent: using EU member state languages beyond English, displaying prices in euros, mentioning EU customers or users, employing EU country-code top-level domains like .de or .fr, offering shipping to EU countries, listing phone numbers with EU international dialing codes, running paid advertising campaigns targeting EU audiences, referencing international or EU clientele, and offering services specifically available to EU residents.

No single factor is decisive. The EDPB applies a totality-of-circumstances analysis, examining whether the overall picture reveals intentional EU engagement.

The monitoring behavior test under Article 3(2)(b) operates differently and does not require the same degree of demonstrated intent. Recital 24 defines monitoring as tracking individuals on the internet “including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”

Specific monitoring activities identified by the EDPB include behavioral advertising, geo-localization for marketing purposes, online tracking through cookies or fingerprinting, personalized analytics services, and market surveys based on individual profiles.

The EDPB is equally clear that not every online collection or analysis of EU individuals’ personal data automatically counts as monitoring. The word monitoring implies a specific purpose for collecting and reusing behavioral data. Passive aggregate data collection without individual profiling likely falls short of this threshold.

This distinction matters enormously for WordPress site owners. A US-based blog running Google AdSense places behavioral advertising cookies on every visitor including those from the EU, creating targeted ad profiles. That activity fits squarely within the monitoring definition. A site using only basic server logs and no tracking cookies has a strong argument that no monitoring occurs even if EU visitors arrive.

When Global Accessibility Does Not Trigger GDPR

The mere accessibility doctrine is the most important safe harbor for non-EU site owners. Its origins lie in the CJEU’s landmark Pammer and Hotel Alpenhof decision (Joined Cases C-585/08 and C-144/09, 2010), which interpreted consumer jurisdiction rules but has been explicitly adopted by the EDPB for GDPR territorial scope analysis.

The Court established that the mere accessibility of the trader’s or intermediary’s website in the Member State in which the consumer is domiciled is insufficient to establish targeting. The Court noted that internet communication has an inherently worldwide reach and that the EU legislature deliberately rejected a proposal equating website accessibility with directed commercial activity.

Under the combined framework of Recital 23, Pammer, and the EDPB Guidelines, a non-EU WordPress site likely falls outside GDPR scope when it uses only the operator’s own language, accepts only local currency, offers no EU-specific shipping or services, runs no EU-targeted advertising, uses no EU country-code domains, makes no mention of EU customers, and does not deploy behavioral tracking cookies on visitors.

The EDPB’s own example reinforces this principle: when goods or services are inadvertently or incidentally provided to someone in the EU, the related processing falls outside GDPR’s territorial scope.

A US food blogger writing in English about American recipes, accepting no orders, and using privacy-respecting analytics has minimal GDPR exposure even though European readers occasionally visit. The site is accessible worldwide but does not target Europe. The moment that same blogger adds a WooCommerce store shipping to Germany, displays prices in euros, or runs Facebook Ads targeting French audiences, the calculus shifts dramatically.

Real-World Scenarios for WordPress Site Owners

The US blogger with AdSense and passive EU traffic occupies a gray zone. The blog itself — English-only, US-focused content, no EU-specific features — does not satisfy the offering goods or services test. However, Google AdSense places behavioral advertising cookies on all visitors including EU users, creating targeted ad profiles. This arguably constitutes monitoring under Article 3(2)(b).

The practical enforcement risk is extremely low. No EU regulator has pursued a small non-EU blogger for incidental AdSense tracking. But the technical legal exposure exists. The cleanest solution is implementing a cookie consent mechanism that blocks AdSense scripts for EU visitors until consent is given, or switching to contextual non-behavioral advertising.
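Added example, not code from the original post: a default-deny consent gate in plain JavaScript that injects the AdSense and GA4 script tags only after the visitor has recorded an opt-in for that category. The cookie name `site_consent`, the 180-day lifetime, the helper names and the placeholder GA4 measurement ID are assumptions; it gates every visitor rather than only EU ones, which is the simpler and stricter choice.

```javascript
// Consent-gated loading of third-party tracking scripts (added example).
// Assumed for illustration: cookie name, retention period, placeholder GA4 ID.
const TRACKING_SCRIPTS = {
  adsense: 'https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js',
  ga4: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER', // placeholder ID
};
const CONSENT_COOKIE = 'site_consent';          // assumed cookie name
const CONSENT_MAX_AGE = 180 * 24 * 3600;        // assumed 180-day retention

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the recorded consent decision. Returns null when nothing valid has
// been recorded, so callers fall back to "no tracking".
function readConsent(cookieHeader) {
  const cookies = parseCookies(cookieHeader);
  if (!(CONSENT_COOKIE in cookies)) return null;
  try {
    const v = JSON.parse(cookies[CONSENT_COOKIE]);
    return { ads: v.ads === true, analytics: v.analytics === true };
  } catch {
    return null; // malformed cookie is treated as no consent
  }
}

// Decide which script URLs may load: default deny, per-category opt-in.
function scriptsAllowed(consent) {
  const allowed = [];
  if (consent && consent.ads) allowed.push(TRACKING_SCRIPTS.adsense);
  if (consent && consent.analytics) allowed.push(TRACKING_SCRIPTS.ga4);
  return allowed;
}

// Inject the permitted script tags into the page (browser only). Idempotent,
// so it can be called again right after the visitor changes their choice.
function loadAllowedScripts(consent, doc) {
  const urls = scriptsAllowed(consent);
  for (const src of urls) {
    if (doc.querySelector(`script[src="${src}"]`)) continue;
    const s = doc.createElement('script');
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return urls.length;
}

// Persist the visitor's choice from the consent banner (browser only).
function saveConsent(choice, doc) {
  const value = encodeURIComponent(
    JSON.stringify({ ads: choice.ads === true, analytics: choice.analytics === true })
  );
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// On page load nothing is injected unless a prior opt-in exists.
if (typeof document !== 'undefined') {
  loadAllowedScripts(readConsent(document.cookie), document);
}
```

The banner's accept/decline handler would call `saveConsent` and then `loadAllowedScripts` again, so no tracking tag is ever present before the opt-in is stored.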

The Canadian WooCommerce store shipping internationally triggers GDPR unambiguously. Offering shipping to EU countries is one of the strongest indicators of targeting under the EDPB’s guidelines. WooCommerce collects extensive personal data from EU customers: names, addresses, payment details, email addresses, and order history. Full GDPR compliance is required including a comprehensive privacy policy, cookie consent, data processing agreements with payment processors and shipping providers, and mechanisms for data subject rights.

The Australian membership site with global audience falls under GDPR when it accepts EU signups. Membership sites collect and store personal data including names, emails, payment information, login history, and potentially behavioral data. The site actively accepts registrations from EU residents, which constitutes offering a service to them. Full compliance is required including clear consent mechanisms at signup.

The Indian freelancer with a portfolio site presents a spectrum of exposure. A simple portfolio in English without forms or data collection beyond basic server logs has minimal GDPR exposure. A contact form collecting names and emails from potential EU clients combined with language suggesting worldwide availability starts to look like offering services to EU data subjects. If the freelancer actively solicits EU clients by mentioning European projects, accepting euros, or advertising on EU platforms, GDPR applies to that processing.

The US SaaS company with a WordPress marketing site almost certainly falls under GDPR. Lead capture forms collecting names, emails, and company information from EU visitors constitute offering services. Marketing automation tools like HubSpot and Mailchimp, behavioral tracking through GA4, heatmaps, and retargeting pixels, and newsletter signups all process EU personal data. The combination of active global marketing and behavioral tracking creates clear GDPR obligations.

Nonprofits with international donors face GDPR requirements when processing EU donors’ data. Collecting donation information including names, emails, addresses, and payment details from EU residents constitutes processing personal data in connection with offering a service. Email updates and fundraising communications to EU donors require explicit opt-in consent.

The Google Analytics Question

Whether Google Analytics on a non-EU site triggers GDPR for EU visitors is one of the most frequently asked and most nuanced questions in this space. The answer depends on two separate legal analyses operating in sequence.

First, does the site fall under GDPR at all? If a non-EU site does not target EU visitors per the Recital 23 and Pammer analysis and Google Analytics is its only connection to EU data subjects, the strongest legal argument is that GDPR does not apply. The EDPB has stated that mere online data collection does not automatically equal monitoring. Standard analytics measuring aggregate traffic patterns differs conceptually from behavioral profiling.

However, Google Analytics is not simple aggregate measurement. GA4 sets cookies including _ga and _ga_* that assign unique identifiers to visitors. It tracks individual user journeys across pages and sessions. It collects IP addresses and device characteristics. It enables behavioral analysis that goes well beyond counting page views.

Several EU data protection authorities in Austria, France, Italy, Denmark, Finland, Norway, and Sweden ruled Google Analytics non-compliant during 2022. These decisions targeted EU-based websites and focused on Chapter V data transfer violations rather than Article 3(2) monitoring scope, but they established that GA4’s data collection constitutes personal data processing.

The Austrian DPA’s January 2022 decision found that Google Analytics cookies constitute personal data because unique online identifiers enable singling out individuals under Recital 26. The French CNIL reached the same conclusion in February 2022, ordering a website operator to stop using Google Analytics under current conditions.

Neither decision addressed whether a non-EU site’s passive analytics on incidental EU visitors triggers GDPR jurisdiction. That question remains unresolved in case law.

The EU-US Data Privacy Framework adopted in July 2023 substantially resolved the data transfer issue for Google Analytics since Google is a certified participant. But the framework does not address whether GA4’s tracking constitutes monitoring under Article 3(2)(b).

For non-EU site owners seeking maximum safety, cookieless analytics alternatives eliminate the issue entirely. Plausible Analytics (EU-hosted, from $9 per month), Fathom Analytics (from $14 per month), and self-hosted Matomo (no cost) provide meaningful traffic insights without setting cookies or collecting personal data. These tools remove both consent requirements and GDPR scope concerns.

Enforcement Reality for Non-EU Businesses

The enforcement picture reveals a sharp divide based on whether you have a European presence.

Against non-EU companies with EU presence, enforcement works effectively. Meta has accumulated over €2.2 billion in GDPR fines enforced through Meta Platforms Ireland Ltd. Amazon received a €746 million fine enforced through Amazon Europe Core. LinkedIn was fined €310 million through LinkedIn Ireland. The EU establishment provides a target for collection.

Against non-EU companies without EU presence, enforcement is largely symbolic. The Clearview AI saga is the defining case study. EU data protection authorities in Italy, France, Greece, and the Netherlands collectively imposed approximately €100 million in fines on this US-based facial recognition company. Clearview has not paid a single euro, has not deleted European data despite explicit orders, and has not appointed an EU representative. Greece’s DPA acknowledged the impasse: “Due to the fact that Clearview has no economic activity in Europe, we cannot proceed with the envisaged actions for the registration and collection of the fine.”

EU regulators are developing new tools to address this gap. The Dutch DPA is investigating whether Clearview’s directors can be held personally liable. NOYB filed a criminal complaint in Austria against Clearview’s managers under Article 84 GDPR and Austria’s Data Protection Act, which criminalizes certain violations. Criminal proceedings can leverage European Arrest Warrants if directors travel to the EU. These remain experimental enforcement pathways.

The Article 27 representative requirement offers a more immediate compliance concern. Non-EU entities subject to GDPR must designate a representative established in the EU to serve as a local contact point for data subjects and supervisory authorities. In May 2021, the Dutch DPA fined LocateFamily.com, a US-based people-search website, €525,000 solely for failing to appoint an EU representative plus €20,000 per fortnight of continued non-compliance. This was the first enforcement action exclusively for Article 27 non-compliance, demonstrating that even procedural obligations carry real financial consequences. Representative services cost roughly €1,000 to €15,000 per year depending on business size and complexity.

Private claims under Article 82 may pose the greater threat to small non-EU operators. Spain’s AEPD has issued over 932 fines with many targeting small businesses and individuals. Romania has fined both companies and individual employees. Under Article 82, individual EU data subjects can claim compensation directly. The CJEU confirmed that mere loss of control over personal data constitutes compensable damage. Awards of €10,000 have been made. Mass litigation risk from private claims may ultimately pose a greater threat than regulatory fines for smaller operators.

How Your Country Affects the Analysis

US businesses face the most complex landscape. The EU-US Data Privacy Framework adopted July 10, 2023 allows certified US companies to receive EU personal data without Standard Contractual Clauses or additional safeguards. Over 3,400 US organizations have self-certified. The framework survived its first legal challenge when the EU General Court dismissed Philippe Latombe’s annulment action in September 2025, but Latombe appealed to the CJEU in October 2025. This is significant because the CJEU invalidated both predecessor frameworks: Safe Harbor in 2015 and Privacy Shield in 2020. The DPF’s long-term durability remains uncertain, with Norway’s DPA and Germany’s Federal Ministry advising businesses to maintain exit strategies. US WordPress site owners targeting EU audiences should certify under the DPF but also prepare alternative data transfer mechanisms.

UK businesses must navigate a parallel regime. When the UK left the EU, the GDPR was retained in domestic law as the UK GDPR, enforced by the Information Commissioner’s Office. A non-EU site targeting both EU and UK residents must comply with both regimes separately and may need to appoint both an EU representative and a UK representative. The EU renewed the UK’s adequacy decision in December 2025, extending it until December 2031.

Canadian businesses benefit from a simpler position. Canada received an EU adequacy decision in 2001 for organizations subject to PIPEDA, renewed in January 2024. EU-to-Canada data transfers for PIPEDA-covered processing can occur without additional safeguards, a significant advantage over US, Australian, and Indian businesses. However, PIPEDA adequacy does not exempt Canadian businesses from GDPR compliance itself. If a Canadian WooCommerce store targets EU customers, it must comply with GDPR independently.

Australian and Indian businesses both lack adequacy decisions. Australia’s Privacy Act 1988 has long been considered insufficient due to its small business exemption for businesses under AUD 3 million turnover and its narrower individual rights. India’s Digital Personal Data Protection Act 2023 faces similar concerns. In April 2025, the European Data Protection Supervisor declined a request to transfer data to India, citing concerns about broad government exemptions, the Data Protection Board’s lack of independence, and absence of necessity and proportionality tests. Both countries’ businesses must rely on Standard Contractual Clauses or other Article 46 safeguards for EU data transfers.

Seven Misconceptions That Lead Site Owners Astray

“GDPR only applies to EU companies” is the foundational error. Article 3(2) explicitly extends jurisdiction based on who is targeted, not where the business is located. The EDPB emphasizes that GDPR jurisdiction is less related to the location where a business is incorporated and more to the scope and location of business activity.

“I don’t sell to the EU so I’m exempt” ignores the monitoring test entirely. Article 3(2)(b) can trigger GDPR even without any commercial relationship with EU individuals. Behavioral tracking cookies, retargeting pixels, and profiling-based analytics directed at EU visitors create independent GDPR obligations.

“I’m too small for EU regulators to care” is contradicted by enforcement data. Spain has issued 932 fines with many against small businesses. Romania fined an individual employee €150 for failing to honor a deletion request. In 2023 alone, 13 individuals were publicly penalized. Private compensation claims under Article 82 have no minimum threshold.

“Using US hosting means GDPR doesn’t apply” confuses server location with legal jurisdiction. Article 3(1) applies regardless of whether the processing takes place in the Union or not. The EDPB confirms that the location of the processing itself is irrelevant to determine the geographical scope. US hosting actually creates additional compliance concerns under Chapter V’s international data transfer rules.

“My WordPress site is personal so GDPR doesn’t apply” misunderstands the household exemption under Article 2(2)(c). The CJEU held in Lindqvist (C-101/01) that publishing personal data on a website made available to an indefinite number of people does not qualify. A publicly accessible WordPress blog with Google Analytics, ad banners, or affiliate links falls outside this exemption. The exemption covers truly private communications like a password-protected family photo album, not a public blog.

“GDPR only applies if I actively collect personal data” overlooks the breadth of the definition. Under Article 4(1) and the CJEU’s Breyer decision (C-582/14), even dynamic IP addresses constitute personal data. Every web server that logs access from EU visitors processes personal data. Cookie identifiers, device fingerprints, and analytics tool unique identifiers all qualify. If your WordPress site has web server logs, it processes personal data.

“Mere website accessibility triggers GDPR” errs in the opposite direction. The EDPB, echoing Recital 23 and the Pammer case law, explicitly states that a website merely being accessible from the EU does not establish GDPR jurisdiction. This misconception leads some non-EU site owners to implement unnecessary compliance measures for sites that genuinely do not target European audiences.

What Non-EU WordPress Site Owners Should Do

The decision framework starts with two questions. Does your WordPress site demonstrate a manifest intention to offer goods or services to EU individuals? Check for EU languages, euro pricing, EU shipping options, EU-targeted advertising, EU country-code domains, or mentions of EU customers. Does your site monitor the behavior of individuals in the EU through cookies, tracking pixels, behavioral advertising, or profiling-based analytics?

If both answers are no — your site is in English, serves a domestic audience, runs no EU-targeted ads, and uses no behavioral tracking — GDPR likely does not apply. Document this assessment and revisit it when your site’s features or audience change.

If either answer is yes, you have three strategic options.

Full GDPR compliance is achievable even for small WordPress sites at modest cost. A minimum viable approach using free tools includes WordPress’s built-in privacy policy generator, a free cookie consent plugin like Complianz or CookieYes, and WordPress’s native data export and erasure tools. A recommended compliance stack costing $250 to $500 per year includes a premium cookie consent plugin, privacy-focused analytics like Plausible, and GDPR-compliant form plugins. WooCommerce sites need additional attention: data processing agreements with payment processors and shipping providers, checkout consent mechanisms, and customer data management tools built into WooCommerce since version 3.4.

Geo-blocking EU visitors provides an alternative for sites that prefer to avoid GDPR entirely. Cloudflare’s free plan allows DNS-level blocking of EU country traffic, the most efficient method since it stops requests before they reach your server. WordPress plugins like iQ Block Country or Wordfence Premium offer application-level blocking. Limitations exist: VPN users bypass blocks easily, GeoIP databases are only 95 to 99.5 percent accurate, caching plugins often conflict with geo-blocking plugins, and if an EU user does get through you may still process their data without compliance measures in place. Geo-blocking demonstrates good faith but is not a legal guarantee.

Eliminating tracking technologies may be the most practical middle path for many sites. Replace Google Analytics with a cookieless alternative like Plausible, Fathom, or self-hosted Matomo. Switch from behavioral advertising like AdSense to contextual advertising. Use WordPress’s built-in comment consent checkbox added in version 4.9.6. These changes reduce GDPR exposure without requiring full compliance infrastructure or blocking legitimate traffic.

The Monitoring Test Operates Independently

GDPR’s extraterritorial reach is neither unlimited nor toothless. Article 3(2) creates a framework where intentional targeting and purposeful monitoring — not mere global accessibility — determine jurisdiction. The Pammer doctrine and EDPB Guidelines provide clear criteria for distinguishing between a site that happens to be reachable from Europe and one that actively courts European users.

The enforcement gap for non-EU companies without European presence is real. Clearview AI’s unpaid €100 million in fines proves that. But this gap is narrowing as regulators explore personal director liability, criminal complaints, and practical market consequences. The Article 27 representative requirement and private compensation claims under Article 82 create immediate enforceable obligations that smaller businesses cannot safely ignore.

The most underappreciated insight is that the monitoring test operates independently of the targeting test. A US site that makes no effort to reach European customers but deploys Google Analytics, Facebook Pixel, and retargeting cookies on every visitor including the occasional EU one has a harder argument for exemption than many site owners assume. The EDPB’s statement that not all data collection equals monitoring provides some comfort, but the line between passive analytics and behavioral profiling is thinner than it appears.

For non-EU WordPress site owners, the highest-leverage compliance action is often the simplest: replace tracking-based tools with privacy-respecting alternatives and the most complex GDPR questions simply disappear.
