1. Some procedure that allows him to answer users' privacy requests ("What information about me do you have?", "Please delete my personal data from your servers.")
2. A so called "directory of procedures" which states what data you collect and who's responsible for it.
If you fail to comply with 1., the user can call upon their local data protection agency, who will contact you and request the contents of 2.
At no point would he need a lawyer or spend money, even if he were based in the EU. That's not saying it's a bad idea to ask a lawyer for advice if you do handle lots of user data.
Most of this stuff has been law in Germany for years; I've dealt with the German data protection agencies many times (from both sides of the aisle).
- They helped me force my university to remove personal information about me from the public uni website (by constructively explaining to them why it's a bad idea to have this information about students online in the first place).
- When someone trolled me by registering me to a dating platform which refused to delete the fake profile and spammed me for a year, one mail to the agency was enough to stop these idiots.
- When I worked with social workers, the data protection agency (after a client accused us of mishandling their data) helped us go through our communication procedures and identified some points where client privacy could easily be improved.
As a US company, if you don't want to deal with this, just don't. If you do handle user data you should, though.