Absolutely agree, effectively the EU can't touch small companies, they'd only be able to touch you if you generated any revenue in the EU that they could intercept.
As for "the EU has zero jurisdiction over anything that happens outside the EU, ever, or any entities outside the EU, despite any claims to the contrary" again, this isn't true if you conduct any business in the EU. Even for a company domiciled outside the EU, they could compel your payment processors to seize all payments to you from EU entities, for instance. The degree to which they'd fight pushback would depend on how serious the violation was and the size of the company, but you can be sure for instance that even if say Google had no EU presence at all, that the EU would make sure they complied with the GDPR or else ban them from the EU entirely.
In your situation, you actually have a good defence if there ever was an EU citizen trying to use the GDPR against you, because by taking efforts to not allow sales outside the US, you can argue that your services were never for sale to EU citizens. I guess if your TOS also said your service wasn't available to EU citizens, it would be even more watertight.
But just FYI for this:
> In my personal (business) case, we literally cannot comply with GDPR and also BSA/AML, FinCen, Reg E, KYC, etc, simultaneously. Our "business requirements" can last 7+ years, and our customers' wishes have no bearing on them.
I don't know the requirements of all those other things, but contrary to what a lot of people believe - you CAN store whatever you need to if there is a justifiable business reason for it, and you don't have to delete it even if a customer requests you to if there is a valid business requirement, such as regulatory or statutory compliance. The GDPR just compels you to be transparent with the data subject about what data is stored in those cases.
Almost every business in the EU is required to hold tax records of sales for 5 years, and so obviously these must be retained even after a customer stops being a customer and even if they request deletion of their PII data. What the GDPR requires is that you only keep the minimum required data to fulfill those statutory requirements, and delete anything else, and also not to use that data for any other purpose. Regular data should be deleted as soon as it is no longer needed.
I haven't studied the CCPA in depth, but my understanding is that it's very similar in scope to the GDPR and that complying with one would get you almost all the way to compliance with the other.
I also understand the general reaction against being told what to do by some other extra-territorial entity, but in today's society of cross-border trade, it's usually inescapable, apart from when they directly contradict - e.g. requirements to only store data in one territory.
The EU can theoretically sanction entities with establishment inside the EU, for actions outside the EU. I'm not sure if GDPR allows this, but (as a terrible example), I've read of laws to punish foreign travel for underage sex tourism. However entities with no such establishment cannot be punished judicially by the EU because there is no mechanism.
The EU could block network traffic to an offending extraterritorial entity, which might cause them to suffer losses (e.g. advertising volume if nothing else), but the EU cannot fine or arrest the entity or its officers as punishment.
I think we largely agree at the root of things. There's some imprecision in language around words like "apply" and "relevant".
I have only dug this deeply on GDPR because we, as a corporation, want to comply with the most consumer-friendly policies that we are able to. Obligations (e.g. CCPA because we are in the US) are table stakes, but we aim for more. Our lawyers tell me to stop worrying about the GDPR at all, and I am confident that they are correct legally (and financially), but as we all know it is more efficient to design systems that do things properly at the outset (or at least under minimal time pressure), instead of urgently retrofitting later.
As for "the EU has zero jurisdiction over anything that happens outside the EU, ever, or any entities outside the EU, despite any claims to the contrary" again, this isn't true if you conduct any business in the EU. Even for a company domiciled outside the EU, they could compel your payment processors to seize all payments to you from EU entities, for instance. The degree to which they'd fight pushback would depend on how serious the violation was and the size of the company, but you can be sure for instance that even if say Google had no EU presence at all, that the EU would make sure they complied with the GDPR or else ban them from the EU entirely.
In your situation, you actually have a good defence if there ever was an EU citizen trying to use the GDPR against you, because by taking efforts to not allow sales outside the US, you can argue that your services were never for sale to EU citizens. I guess if your TOS also said your service wasn't available to EU citizens, it would be even more watertight.
But just FYI for this: > In my personal (business) case, we literally cannot comply with GDPR and also BSA/AML, FinCen, Reg E, KYC, etc, simultaneously. Our "business requirements" can last 7+ years, and our customers' wishes have no bearing on them.
I don't know the requirements of all those other things, but contrary to what a lot of people believe - you CAN store whatever you need to if there is a justifiable business reason for it, and you don't have to delete it even if a customer requests you to if there is a valid business requirement, such as regulatory or statutory compliance. The GDPR just compels you to be transparent with the data subject about what data is stored in those cases.
Almost every business in the EU is required to hold tax records of sales for 5 years, and so obviously these must be retained even after a customer stops being a customer and even if they request deletion of their PII data. What the GDPR requires is that you only keep the minimum required data to fulfill those statutory requirements, and delete anything else, and also not to use that data for any other purpose. Regular data should be deleted as soon as it is no longer needed.
I haven't studied the CCPA in depth, but my understanding is that it's very similar in scope to the GDPR and that complying with one would get you almost all the way to compliance with the other.
I also understand the general reaction against being told what to do by some other extra-territorial entity, but in today's society of cross-border trade, it's usually inescapable, apart from when they directly contradict - e.g. requirements to only store data in one territory.