1. Some procedure that allows him to answer users' privacy requests ("What information about me do you have?", "Please delete my personal data from your servers.")
2. A so-called "directory of procedures" which states what data you collect and who's responsible for it.
If you fail to comply with 1., the user can call upon their local data protection agency, who will contact you and request the contents of 2.
At no point would he need a lawyer or spend money, even if he were based in the EU. That's not saying it's a bad idea to ask a lawyer for advice if you do handle lots of user data.
Most of this stuff has been law in Germany for years, I've dealt with the German data protection agencies many times (from both sides of the aisle).
- They helped me force my university to remove personal information about me from the public uni website (by constructively explaining to them why it's a bad idea to have this information about students online in the first place).
- When someone trolled me by registering me on a dating platform which refused to delete the fake profile and spammed me for a year, one mail to the agency was enough to stop these idiots.
- When I worked with social workers, the data protection agency (after a client accused us of mishandling their data) helped us go through our communication procedures and identified some points where client privacy could easily be improved.
As a US company, if you don't want to deal with this, just don't. If you do handle user data you should, though.
I think the majority of users on HN are from the US. And going by the GDPR-related comments over the past few months, it seems the litigious US stereotype really is true - a lot of people seem to be prepared to "lawyer up" at the drop of a hat!
The EU is not the USA.
The authorities have limited resources, and are only interested in large-scale privacy abuses.