[detaro]

> Note, I think, you also need to be GDPR compliant for EU users when they are not in the EU.

No, location is what matters. Of course one could argue if IP is a reliable indicator of location, given VPNs, potentially faulty GeoIP databases, ...

[bulatb]

Geoblocking EU users makes it fairly clear you don't intend to serve[0] them, at least in my opinion. If the only reason you could be in scope is offering your service in the Union, and you do your best to avoid that, you should probably be out of scope.

We'll see what the regulators think.

[0] From Recital 23: "[When deciding whether processing is in scope under Article 3(2)], it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union."

[detaro]

I'd agree with that. Someone somewhere is probably going to complain about an instance where it failed, but I honestly would be surprised if regulators made a big deal out of it.