
Yep, so far "We can't serve you for legal reasons AKA we won't comply with the reasonable provisions of data protection" has been met with a broad shrug.


What's anyone supposed to do about it? GDPR didn't exactly provide funding to help anyone get compliant and it's hard to argue that GDPR compliance is a priority for a struggling local media site. It's a bummer, but I think it was inevitable in the way the law is structured.


Doesn't take much money or effort to just not sell my data.


I have no reason to assume they are selling user data. I wish complying with GDPR were as simple as not selling user data.


> What's anyone supposed to do about it?

Show a basic level of respect for your users' privacy whether or not it's not a legal requirement.


Put your business at risk of total destruction unless a court believes that you show a basic level of respect, etc.


Is there evidence that they aren't besides not being confident about GDPR compliance? There's a lot more to GDPR than not selling data.


If you just aim to provide static content, i.e. public web pages and articles I think you’d really have to “go out of your way” to break GDPR (which in this case is likely tons of ad network code among other shady things).


Does your web server create logs that contain IP addresses (as most do by default)? Now you’re processing PII according to GDPR. Do you include any assets at all that are hosted by a third party who therefore have access to IP addresses? Do you have the necessary DPA with them plus your web host?

Do you have a compliant privacy policy, data retention policy, breach notification policy? Have you named a data privacy officer? Do you have a written process for erasure requests?

You’re probably right that the ads are a problem but ain’t nobody getting GDPR compliance for free.


GDPR compliance is no different from any other kind of compliance. If you're a big publication then you've got more than enough legal people walking around the office to make sure you aren't accidentally printing something that can be construed as libel, to ensure that you're paying your taxes correctly, to check new employee contracts, etc.

Besides, most websites need to update their privacy policy to be accessed in California anyway. The Californian privacy protection rules aren't as strict as the GDPR, but they are very similar. I don't really buy the "it's expensive to comply" argument a lot of American companies seem to use because of this.

The companies want to collect and trade your personal information to the highest bidder, the GDPR got in their way and now these companies are acting out.


Does the site also give that error if you are in California? To meet the requirements for CCPA, a news site (that isn't doing anything untoward) is most likely also going to be GDPR compliant.


For US-based news sites they might well only get a few European visitors. I only ever get this problem for trending stories like this.


If a US site does not have any presence in the EU and is not selling anything to the EU visitors, why would they even bother adding the blocking? They can... do nothing instead. (Or disable buying subscription to the EU)


Fear that it'll haunt them should they ever enter the EU, probably.


GDPR doesn't depend on whether you're selling something. Just visiting the website from the EU is enough to require the business to comply with the privacy laws.


It does depend on whether the law of the country applies for any reason though. Unless you're saying they should also comply with whatever CCP, Thailand, Iran, and many other countries have to say about allowed online content?


This is already the case. Yes, you have to comply with CCP laws for _China residents_ if you want to have your website available in China. It doesn't say you have to apply the laws to all people around the world. But GDPR vs. China isn't a perfect comparison, because GDPR isn't blocking any content. It is not even _about_ the content. It's about following the privacy rights that I as an EU resident have and you as a US company might be breaking.


China has the jurisdiction over the Chinese resident, their ISP and other local infrastructure. It doesn't have jurisdiction over foreign companies and foreign companies don't have to comply with anything. (Unless they want to do business with Chinese residents or operate in China) Same applies to the EU situation.

You may want to be nice to the foreign visitors otherwise and comply with the foreign laws, but that's it.


> Unless they (...) operate in China

Exactly. If you're operating in the EU, you are bound by the EU laws. But "operating" doesn't mean you have to sell something:

> The GDPR applies to US businesses, regardless of their size in terms of revenue or staff, if at least one of the following two conditions are met:

> 1. The company offers goods or services (even in the absence of commercial transactions) to EU/EEA residents.

> 2. The company monitors the behavior of users inside the EU/EEA.

So yes, if the news website in this thread tracks me without my consent, they are violating my rights and the EU laws. I am not sure how realistic enforcing this law actually is, though, unless they have an EU branch (what you described as jurisdiction).

Source: https://termly.io/resources/articles/gdpr-in-the-us/


The website you linked brings up 2 out of 4 examples where the EU data is collected, the business is not aimed at the EU residents, and says (verbatim) "GDPR does not apply". Same reasons seem to apply to the context discussed here (news site aimed at the US region). Specifically:

> Although such a website would likely track the user behavior of EU/EEA citizens, as the website would attract native speakers of several European languages, the GDPR does not apply here because:

> the service does not target EU/EEA residents, and

> the tracked user behavior is not occurring within the EU/EEA.


Nice catch - I didn't expect the examples to somehow contradict the general statement from the same section. TIL.



