There are two situations in which the GDPR purports to apply extraterritorially to companies that have no contact to the European Union. The first situation, described in Article 3(2)(a) of the GDPR, occurs when a company that has no contacts with the European Union “offer[s] goods or services” to a person that is located in the European Union. The second situation, described in Article 3(2)(b) of the GDPR, occurs when a company that has no contacts with the European Union “monitor[s]” the “behaviour” of someone “as far as their behaviour takes place within the Union.”1

While the GDPR implies that merely having an internet website that is accessible to European Union residents is not enough for the GDPR to attach, there is uncertainty about whether a European supervisory authority might attempt to apply the GDPR to a website that is accessible to European Union residents. Some companies have attempted to mitigate that risk by geofencing their websites – i.e., blocking any individual from visiting their website from a European IP address.

In order to help companies understand and benchmark industry practices, BCLP randomly selected a sample of 33% of the Fortune 500 companies identified as being predominantly within the “retailing” sector and then visited their homepages from a server with an IP address in the United States and from a server with an IP address in Europe.2 As of January 13, 2020, 25% of Fortune 500 retailers had blocked their websites from being visited by European IP addresses.3