For the same reason that downloading a song is different than stealing with a CD. Digital stuff is innately different.

You aren't doing business unless you're accepting payments/selling/shipping things to people in the EU. And as with any law, if you're sufficiently small fry the EU isn't going to care about you until you actually screw up. Don't accept euros as currency. Don't offer to ship to EU nations. Done. If you do accept payments/ship/etc, unless you're a multinational, the EU probably won't care anyway, as you'll fly under the radar, unless you leak customer information. Do that in a sufficiently extravagant way, and they -will- care, but unless you have assets in the EU they can't/won't do anything about it anyway.



> You aren't doing business unless you're accepting payments/selling/shipping things to people in the EU.

This is false.

If you offer a free product and one of the companies you publicly list as a user has a presence in the EU, then you need to be compliant.

If your signup page has been localized to Estonian, you also probably need to be compliant.

"Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."


> Don't accept euros as currency.

I see multiple comments mentioning this. Do American banks restrict which currencies your credit card can be charged in? As far as I've been able to tell, my bank lets me pay in any currency I'd like, and they will convert the amount to SEK before charging my account.


Don't offer shipping options to the EU.

If dealing with digital products, allow people to purchase without creating an account, or require them to select a country as part of account creation (and prevent those selecting the EU, or don't make it an option). If the bank processes the payment, but you've collected no information, you can't run afoul of the law (since you have no information).


> If the bank processes the payment, but you've collected no information, you can't run afoul of the law (since you have no information).

Don't have server logs with IP addresses? Don't collect an email for the user to use to log in? Don't receive customer support requests from these users?


> You aren't doing business unless you're accepting payments/selling/shipping things to people in the EU.

I wonder how ads play into all this. E.g. are people who watch an ad on YouTube considered YouTube customers? Are they considered customers of the ad company?

My concern is that we will see more (non-EU) companies implement something where users "pay" for services/features by watching ads. I do also wonder how it then affects the ad companies if they collect personal information about the user. Does the user count as a "customer" if the ad company is the one paying?


The simple answer to that is that the advertisers pay you to show ads to EU users because they want to get money from EU users; so these advertisers are/have to be GDPR compliant, especially if they're using user information to target ads, and they'll have to be sure that this user information is legal for them to use.

The advertising networks are clearly doing business in the EU as they're getting paid by these advertisers - so all the major advertising networks will have to be GDPR compliant. So in this regard, the ads (and user info used for these ads) shown to EU users will (in practice) have to be GDPR compliant even if your site doesn't care about it, because everyone who'd want to pay for these ads has to be compliant.


> advertisers pay you to show ads to EU users because they want to get money from EU users; so these advertisers are/have to be GDPR compliant

This is the part I'm not sure is true.

Sure, if the ad agency's company motto is "delivering ads to EU users since XXXX", they obviously have to be compliant, but what if they are a US-based ad agency and none of the companies selling them ad space are in the EU? How many layers does one need to circumvent this?


I'm not talking about ad agencies, but about the actual advertisers. Why would a company buy ad impressions if they're not selling to these users?

Almost every ad I see is from some company that is actually eager to sell stuff to me, so they're doing business in the EU, and have to be compliant.

All advertisers who care about me won't be allowed to buy my data from US-based ad agencies, so even if such US-based agencies can gather the data, it's worthless, since no one would buy that.
