I get why people find this hard to believe, because it is kind of a crazy rule, but I repeat once again that this does not matter. Even if you have never sold a single product to an EU resident, and never plan to do so, the EU says as my original comment detailed that you are subject to the GDPR the instant an EU resident provides you with personal data.
(And of course, it's also the case that "selling to an EU resident" is substantially broader than "doing business in the EU" - EU residents do often travel to foreign countries and provide personal data to stores they transact with while there.)
American laws also have universal jurisdiction (for example, the Bill of Rights doesn't say, "unless you are located outside the US"). Most countries do not explicitly recognize that their laws do not have universal jurisdiction.
In practice, it is easy to pick out the situations in which there is "practical" universal jurisdiction, vs "theoretical" universal jurisdiction.
A Colorado company selling locally in Colorado falls in the "theoretical" bucket.
1. GDPR applies to EU residents in the EU. The protection does not apply to EU residents going on trips to the US.
2. Based on the examples they've presented, there is a SUPER clean solution to your concerns. Geo-blocking. Problem solved, bye bye GDPR. But don't go crying for EU citizen money, can't have it both ways.
Just read the examples they present, they're fairly well written.
SpicyLemonZest|4 days ago
(And of course, it's also the case that "selling to an EU resident" is substantially broader than "doing business in the EU" - EU residents do often travel to foreign countries and provide personal data to stores they transact with while there.)
ahmedtd|3 days ago
In practice, it is easy to pick out the situations in which there is "practical" universal jurisdiction, vs "theoretical" universal jurisdiction.
A Colorado company selling locally in Colorado falls in the "theoretical" bucket.
oblio|4 days ago
1. GDPR applies to EU residents in the EU. The protection does not apply to EU residents going on trips to the US.
2. Based on the examples they've presented, there is a SUPER clean solution to your concerns. Geo-blocking. Problem solved, bye bye GDPR. But don't go crying for EU citizen money, can't have it both ways.
Just read the examples they present, they're fairly well written.