Territorial Scope

The geographical reach of privacy laws, determining which organizations and processing activities fall under specific legal frameworks based on location, targeting, or data subject residence. GDPR Article 3 has broad territorial scope applying to: organizations established in the EU (regardless of where processing occurs), and organizations outside the EU that offer goods/services to EU residents or monitor EU residents' behavior. This means a U.S. business with no EU presence could be subject to GDPR if it targets EU customers. CCPA applies to for-profit entities doing business in California that meet threshold criteria and process California residents' personal information. Most state privacy laws follow similar residence-based approaches. Territorial scope creates compliance complexity—multinational organizations often face overlapping obligations from multiple jurisdictions. Organizations should: assess their territorial exposure under each relevant framework, implement appropriate representative and contact mechanisms for jurisdictions where they're subject to law, consider whether to comply with strictest applicable standards universally, and maintain documentation demonstrating compliance basis.