by iteria 758 days ago
A lot of times, it's not even spying on users. It's not wanting to put in the time and effort to determine if you are in compliance or not. So you block all of Europe and you get around to it if you ever have the resources or care. You might have been in compliance the whole time, but why chance it when IP blocking is easy? That's basically every local US newspaper right after the GDPR passed. Hell, I've worked for companies where I literally know we're not tracking users and we're pretty secure, but we block the EU because no one has the time to check if there was something specific we needed to do. My current company had to rearchitect their entire deployment pipeline specifically for the EU, not because we changed literally anything, but the lawyers found that there was something about our cloud host provider that the GDPR disallowed because it was hosted on US soil. We have 1 EU client. I assume if they weren't so big we would have dropped their contract.
1 comments

My wife and I run a small (2 person) business in the EU. The largest hurdle was finding a hosting provider (VPS) that wouldn't transfer data outside the EU so we wouldn't have to add SCCs to our privacy policy. As a business owner, I'd say the balance is still positive, it forces some self-reflection on data gathering practices.

Not sure about the "hosted on US soil" part, if you are a US company, the data gets transferred anyway when you view it.