Yeah, and to a degree that theyre willing to eat the cost of maintaining a much more complicated privacy structure (and, inherently, code base) to not roll it out everywhere.
I don't think that maintaining different strategies in different areas is the more costly procedure.
The assumption you're making here is that GDPR is one and done. In all likelihood, most major jurisdictions are going to introduce privacy laws at some point. If you don't build your international service to allow for different rules in different jurisdictions you're going to have to follow the strictest of those laws. Heck, I'd put money on some countries forcing some web services to record some data for law enforcement purposes and other countries barring facebook from recording the same data for privacy reasons.
So really, you have to build this system in a way that can be tailored to each market you operate in.
The assumption you're making here is that GDPR is one and done. In all likelihood, most major jurisdictions are going to introduce privacy laws at some point. If you don't build your international service to allow for different rules in different jurisdictions you're going to have to follow the strictest of those laws. Heck, I'd put money on some countries forcing some web services to record some data for law enforcement purposes and other countries barring facebook from recording the same data for privacy reasons.
So really, you have to build this system in a way that can be tailored to each market you operate in.