What Does GDPR Mean for Solo Founders?
The EU data protection law that applies to you even if you're a one-person business across the globe.
GDPR in Plain English
GDPR stands for General Data Protection Regulation. It's a law created by the European Union that tells businesses how they must handle people's personal data. Personal data is any information that can identify a person — like their name, email address, phone number, IP address, or even cookies stored in their browser.
Here's the part most solo founders miss: GDPR doesn't care where your business is based. If you collect any data from people who live in the EU, the law applies to you — even if you're a freelancer in the US, Canada, or Australia running a one-person operation from your kitchen table.
GDPR was created to give people more control over their personal information. Before it existed, companies could collect and share your data pretty freely. GDPR changed that by setting clear rules every business must follow.
Why Solo Founders Should Pay Attention
You might think GDPR only matters to big companies like Google or Facebook. Not true. If you have an email list or a website that uses analytics, run paid ads, or sell a product online, you likely collect personal data, and GDPR may apply to you.
The stakes are real. Violations can result in fines of up to €20 million or 4% of your global annual revenue, whichever is higher. For a solo founder making $60K a year, 4% works out to a $2,400 fine, and that figure only grows as your revenue grows. The EU has fined smaller businesses, not just giants.
💡 Key Insight
GDPR compliance isn't just for EU businesses. If even one person from the EU visits your website or buys your product, the rules apply. The good news: following GDPR best practices actually builds trust with all your customers, everywhere.
The Core Rules Solo Founders Need to Follow
GDPR has many details, but these are the four rules that matter most for small operators:
Lawful Basis
You need a valid reason to collect anyone's data. The most common reason for solo founders is consent — the person explicitly agreed to give you their data.
Right to Erasure
If someone asks you to delete their data, you have to do it. This is sometimes called the "right to be forgotten." You also need to delete data you no longer need.
Transparency
You must tell people what you're doing with their data. In practice this means a privacy policy on your website that explains what you collect and why.
Breach Notification
If there's a data breach that could harm people, you have to report it to the authorities within 72 hours.
A GDPR-Compliant Email Signup Form
Here's what a simple, GDPR-friendly email signup looks like. Notice it doesn't just dump an email field in — it explains why you're collecting the email and gets clear permission.
<!-- GDPR-compliant email signup -->
<!-- method="post" and action tell the browser where to send the data;
     every input needs a name or its value is never submitted -->
<form action="/subscribe" method="post">
<label for="email">Email address</label>
<input type="email" id="email" name="email" autocomplete="email" placeholder="your@email.com" required>
<label>
<!-- unchecked by default: the person must actively tick it -->
<input type="checkbox" name="consent" value="yes" required>
I agree to receive marketing emails from My Site.
I understand I can unsubscribe at any time.
</label>
<button type="submit">Subscribe</button>
</form>
<p style="font-size: 0.7rem; color: #8b90a0;">
We collect your email to send updates. Unsubscribe anytime.
Read our <a href="/privacy">Privacy Policy</a>.
</p>
Key things that make this GDPR-friendly: a clear checkbox with an explicit consent statement, a link to the privacy policy, and no pre-checked boxes. Under GDPR, silence or pre-ticked boxes do not count as consent.
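The form is only half the story: the server that receives it has to refuse submissions where the box was not ticked, keep a record of what the person agreed to and when (so you can show consent if asked), and be able to delete everything on request. The following is an added example, not code from the original post, showing a minimal in-memory version of that logic in Python. The field names "email" and "consent", the "/subscribe" source, the SubscriberStore class, and the consent-text version label are assumptions made for the example.

```python
"""Minimal consent ledger behind a GDPR-style email signup (added example).

Assumes the HTML form posts two fields, 'email' and 'consent'. A ticked checkbox
arrives as "on" (browser default) or as the value set on the input ("yes" here);
an unticked box sends nothing at all. The dict below stands in for a database.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import re

# Hypothetical: the exact wording the subscriber saw, versioned so you can still
# prove what they agreed to after the text changes in a later redesign.
CONSENT_TEXT_VERSION = "marketing-v1"
CONSENT_TEXT = ("I agree to receive marketing emails from My Site. "
                "I understand I can unsubscribe at any time.")

# Deliberately loose email check: one '@', no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ConsentRecord:
    email: str
    purpose: str                 # what the data is used for (lawful basis: consent)
    consent_text_version: str    # which wording was agreed to
    granted_at: str              # ISO 8601 UTC timestamp of the tick
    source: str                  # where the form was submitted from


class SubscriberStore:
    def __init__(self):
        self._records = {}       # email -> ConsentRecord

    def handle_signup(self, form, source="/subscribe"):
        """Process one form submission. Returns (ok, message)."""
        # Silence or a pre-ticked box never counts: the field must be present
        # with the value a real tick produces.
        if form.get("consent") not in ("on", "yes"):
            return False, "consent checkbox not ticked"
        email = (form.get("email") or "").strip().lower()
        if not EMAIL_RE.match(email):
            return False, "invalid email address"
        self._records[email] = ConsentRecord(
            email=email,
            purpose="marketing emails",
            consent_text_version=CONSENT_TEXT_VERSION,
            granted_at=datetime.now(timezone.utc).isoformat(),
            source=source,
        )
        return True, "subscribed"

    def export(self, email):
        """Right of access: everything held about this person, or None."""
        rec = self._records.get(email.strip().lower())
        return asdict(rec) if rec else None

    def erase(self, email):
        """Right to erasure: drop every record for this person.
        Returns True if something was deleted, False if nothing was held."""
        return self._records.pop(email.strip().lower(), None) is not None

    def count(self):
        return len(self._records)


if __name__ == "__main__":
    store = SubscriberStore()
    print(store.handle_signup({"email": "Ada@Example.com", "consent": "yes"}))
    print(store.handle_signup({"email": "bob@example.com"}))   # box not ticked
    print(store.export("ada@example.com"))
    print(store.erase("ada@example.com"), store.count())
```

The record stores the consent text version and timestamp rather than just the email, because "we have their address" is not evidence of consent; "they ticked this wording at this time from this page" is. Erasure removes the whole record, not only the email column, and lowercasing the address before lookup means a deletion request written with different capitalisation still finds the entry.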