If I read correctly, GDPR does apply when non-EU companies market services specifically to people from the EU. For example a US based hotel deploying a targeted marketing campaign in the EU. I could be wrong.
Yes, you're right; the distinction I was making is that it's about their presence in the EU, not their citizenship. In fact, an American citizen living in the EU is also covered, whereas an EU citizen living in the US is not.
An in fact, it's even less than that: the site only has to care if they target people in the EU (not necessarily exclusively) or if they're tracking behaviours. Simply being accessible online doesn't mean it has to comply, whereas e.g. accepting Euro payments probably does.
An in fact, it's even less than that: the site only has to care if they target people in the EU (not necessarily exclusively) or if they're tracking behaviours. Simply being accessible online doesn't mean it has to comply, whereas e.g. accepting Euro payments probably does.