>GDPR is an EU law that applies to sites that market directly to EU citizens.
That is wrong. The GDPR does not make reference to citizenship.
It explicitly notes that it applies when either when the data subject is physically in the EU/EEA, or when the data controller/processor is based in the EU/EEA.
You’re right, I described it incorrectly. GDPR applies to “subjects (natural persons) within the Union”. As an example, EU citizens living abroad are not covered by GDPR. Americans visiting HN from the Bay Area also shouldn’t expect to have the rights that GDPR grants to subjects within the Union, right?
