
That's not how GDPR works but it is a common misconception and I can't really blame non-EU businesses for not taking the time to understand a foreign law when blocking is so easy.


What do you mean? That's pretty much how it works. You load up Homedepot website and they along with a bunch of 3rd parties that they partner with will start collecting data about you and storing it. You can't do that to someone from the EU without getting permission along with other restrictions.

For Homedepot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block the EU. Since you're not trying to sell anything to EU users, blocking them makes things easier.


> For Homedepot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block the EU.

Err, or treat everyone in a compliant way?

It's not like you don't already see this within the US anyway - particularly California.


I believe the California law came after the EU one. And it's still easier to just block EU traffic rather than spending several weeks implementing GDPR cookie popups.

And if you decide to treat everyone the same way, you likely end up with a higher bounce rate for the existing US customers. Hence, blocking.


GDPR doesn't care about where people are located right now. From the GDPR point of view you still have to treat EU residents in a special way, even if they're located in the US right now.

But the EU has less leverage if a company refuses to do business in the EU — that's true.

On the other hand, CCPA is still a thing.


> treat EU residents in a special way, even if they're located in the US right now.

This part of GDPR has always seemed completely impracticable/unenforceable to me. How would a non-EU company even know that one of their customers is an EU resident and only temporarily visiting? Most services in the US aren't asking for my passport, at least.

Practically, I'd assume that this will be interpreted by courts to only apply to companies "intentionally doing business with/commercially targeting EU residents", which is already the case for similar scenarios (e.g. that's how, to my understanding, German law requiring all sites to provide an imprint has been interpreted by courts).

In any case, I suppose we'll have to wait for precedent; I'm not aware of any at the moment.


No, it isn't. See Article 3, section 2 of the regulation. You need to offer goods or services to EU citizens for the law to be in effect. If Home Depot doesn't operate in Europe, doesn't market to Europeans, doesn't ship to Europe, and doesn't offer any services to Europeans, then they are not impacted by GDPR.


> You need to offer goods or services to EU citizens for the law to be in effect.

You need to not sell goods and services to EU citizens for the law to not be in effect.

Even if said citizens are in the US. You don't cease being an EU citizen when you're traveling.


The first part of section 2 says the data subjects need to be in the Union. A European moving to America and shopping at Home Depot doesn't (alone) require them to be GDPR compliant.


> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

> (b) the monitoring of their behaviour as far as their behaviour takes place within the Union

Did I quote the correct section? Doesn't collecting all the analytics fall under section (b)? I'm not a lawyer of course, but it seems pretty reasonable to me that if you have no interest in the EU market, blocking them is easier than figuring out if GDPR applies to you or not.

Or you could just not spy on your users of course, but I guess I'm too pessimistic to see that as an option a company would choose.


It took my team six months to get our company GDPR-compliant, and that included hiring three external consultants with extensive knowledge of GDPR and its implementation across the various EU countries we did business in. We were a short-term car rental company; we did not earn money with user tracking, advertising or selling user data. But we did process drivers' licenses, user data, and trip data. We had to rewrite big parts of our car-tracking module because having it tied to the current driver (customer) automatically made it personal data, which can be requested on demand when the customer wants it. It also limited us in what we could log to our logging server and store in a database.

I can understand that an American company does not want to make such an investment when there is literally 0 added business value, as EU customers don't shop at that company.
