In fairness, you're probably right about them not requiring a DPO. I thought that was required for any organization over a certain size, but it seems it's required for any sized organization that tracks people with a certain amount of enthusiasm. A court would have to determine if they meet those criteria, I guess.
However, in response to this:
>but their US site seems like it would be out of scope for GDPR according to Article 3, because it is not offering goods or services to data subjects in the Union.
You're referring to Article 3.a. The argument on whether the US site is offering services to EU citizens if it does not take active steps to forbid VPNs or put "are you currently in the EU?" gates in place is something only a court could rule on.
However, more importantly, you're skipping over 3.b.
>the monitoring of their behaviour as far as their behaviour takes place within the Union.
That's unquestionably happening for anyone in the EU who uses a VPN to connect to their US website. Hence, their GDPR obligation is not discharged if they are under EU jurisdiction.
The GDPR does not lay out a set of ways to handle EU citizen data. If you ctrl-f search "citizen" in the GDPR document[1] you'll get no hits. It lays out the way /companies are expected to handle personal data/. Americans may not realise this, but they have the right under EU law to file GDPR requests against EU companies. They may even be able to file them against American companies, although which companies are or are not in scope gets complex at that point and I really don't know enough about who is incorporated or has subsidiaries where to know which companies that would work against if it came down to lawyers in courtrooms.
The point is, if a company falls under the territorial scope, they have to extend GDPR rights to /everyone/, because it's not about who you're allowed to track, it's about how you're allowed to use tracking technologies.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...