Hacker News
by bigiain 2955 days ago
24th of May 2018 might not be the best time to choose to launch anything while intentionally having ditched thinking about your T&Cs and Privacy Policy...
2 comments

I'd just block Europe instead...
I'm happy to be blocked from products that aren't compliant. There will usually be other alternatives. This is better than unknowingly using something that could cause me problems later.

I don't even take it as an aggressive negative, unless it is explicitly expressed as such. You can just be honest and say "I can't accept your custom at this time because X, and we have other priorities that would make addressing X to everyone's satisfaction a problem for the foreseeable future".

That _helps_, but I'm a British/EU citizen, living in Australia, who regularly VPNs through servers in Singapore, Tokyo, and the US.

I'm still protected by GDPR.

(Personally, I reckon that's quite an overreach by EU lawmakers, but that's what they've chosen to do, in response to equivalent or worse "overreach" by internet companies trading in personal information...)

According to this HN discussion you're probably not covered by GDPR: https://news.ycombinator.com/item?id=16751791
Thanks for that!

That actually makes sense (not something that's expected to be true of laws...)

So by my reading of the advice linked there:

If an individual is in the EU, they're covered by GDPR - whether they're a citizen or not.

If a company is based in or does business in the EU, all its users are covered by the GDPR - whether they're in the EU or not, and whether they're an EU citizen or not.

That's much less over-reachy than I'd thought. The EU arguably does have the right to make laws about how you treat people within its borders - whether they're citizens or not. (A death threat against a Chinese person in Paris should be prosecutable under French law by French police/authorities). The EU definitely does have the right to make laws about how businesses in the EU or who have offices/presence in the EU treat people everywhere. (A London company discriminating against a homosexual Saudi citizen should be prosecutable under British law by British authorities, even if it's not illegal to so discriminate in Saudi Arabia).

I think it's even less reachy than that - if a foreign multinational has a subsidiary in the EU, I don't think the parent company is covered by the GDPR unless they directly deal with subjects in the EU. So they can compartmentalize the parts of the company that must deal with the GDPR, by redirecting every EU user to the EU subsidiary.
4% of 0 is 0.
Sure, and I know it's mostly scaremongering, but "4% of zero, or 'up to 20 million euros'" is up to 20 million euros.

A better motivator, in my opinion, is that disclosing up front what data you're going to capture, and what you're going to do with it, and obtaining consent for that from users - is "the right thing to do". Unless your business model is "fucking over the users", those are not scary things to do, and will likely lead you to make better decisions about what you collect and how you store it, and reduce your and your users' exposure in the worst case.

Hey, the "fucking over the users" strategy has been doing wonders for Comcast for decades.
Yep - and I have zero fucks to give about how much grief the GDPR is going to cause Comcast. Or Facebook. Or Google. Or Equifax.
It's whichever is larger.
And it’s the maximum penalty, not the penalty.