[grabeh]

Heh, apologies for not being more insightful! I was simply rebutting your point over the GDPR applying once you’ve made a few sales to customers in the EU which is not the case on those facts alone.

Obviously each case should be dealt with on its own facts to assess the application of GDPR. In the example you give, GDPR may well apply. Some companies may be worried, others may see it as an opportunity.

I know lots of US SaaS companies are embracing GDPR rather than being worried about it. Clearly if you are looking to get business from EU customers but want to argue GDPR doesn’t apply due to the fact you are not strictly speaking targeting EU users then that might present an issue for certain potential EU customers (or maybe they could offer a cost discount because they haven't had to go through a GDPR compliance exercise). On that basis lots of companies outside the EU are pro-actively looking to comply with GDPR.

Arguments over the appropriateness of extra-territoriality applicability are a separate matter of course!

[someguy2018]

Assuming you actually do something with your user's data -- and virtually every online business does -- then I think it is true that GDPR comes into play as soon as you have a single EU user. How you market the service is no longer relevant.

I wish it were as easy as saying the law doesn't apply if your business doesn't target EU business. Unfortunately I don't actually think it's possible to escape GDPR. Even refusing to serve all EU IP Addresses wouldn't be completely effective.

I'm sure lots of companies view this as an opportunity. Especially the big ones with experience with compliance issues, in-house counsel, etc. It's going to be tougher on the small guy.