Who does GDPR apply to?

GDPR applies to any organization processing the personal data of EU residents, regardless of where the organization is based. A US company with no physical EU presence must comply if it has EU customers, EU website visitors, or EU subscribers on its email list. The geographic location of your business is irrelevant; the location of the people whose data you process is what matters.

The regulation applies to both data controllers (organizations that determine the purposes and means of processing, typically the brand sending the email) and data processors (organizations that process data on behalf of controllers, such as your ESP). If you're a SaaS company using Mailchimp to email EU customers, both you and Mailchimp have GDPR obligations, though different ones.

Practical scope: if you cannot guarantee that EU residents are excluded from your digital presence (and few organizations can), assume GDPR applies. Even if you think your audience is purely domestic, EU residents traveling or living abroad may encounter your forms. Treating GDPR as optional based on assumed audience geography is risky; treating it as the global baseline for email consent is safer and increasingly aligned with emerging privacy laws worldwide.