Traffic source does not equal the geographical position of a person issuing the request. Geographical position of a person does not equal their legal status.
Blocking users on a two-level-deep assumption is wrong.
GDPR says it applies to companies outside the EU who are offering goods and services to people in the Union. One of the recitals explains that there is an intent component to this. The company had to envisage such offerings.
Even though blocking by traffic source is not always accurate, I’d expect that it would still greatly help show that the site did not envisage offering goods and services to people in the EU.
That's not how GDPR works but it is a common misconception and I can't really blame non-EU businesses for not taking the time to understand a foreign law when blocking is so easy.
What do you mean? That's pretty much how it works. You load up Homedepot website and they along with a bunch of 3rd parties that they partner with will start collecting data about you and storing it. You can't do that to someone from the EU without getting permission along with other restrictions.
For Homedepot to comply with GDPR, they would have to treat EU and non-EU users differently, or they could just block EU. Since you're not trying to sell anything to EU users, blocking them makes things easier.
I believe the California law came after the EU one. And it's still easier to just block EU traffic rather than spending several weeks implementing GDPR cookie popups.
And if you decide to treat everyone the same way, you likely end up with a higher bounce rate for the existing US customers. Hence, blocking.
GDPR doesn't care about where people are located right now. From the GDPR point of view you still have to treat EU-residents in a special way, even if they're located in US right now.
But EU has less of the leverage if company refuses to do business in EU — that's true.
> treat EU-residents in a special way, even if they're located in US right now.
This part of GDPR has always seemed completely impracticable/unenforceable to me. How would a non-EU company even know that one of their customers is an EU resident and only temporarily visiting? Most services in the US aren't asking for my passport, at least.
Practically, I'd assume that this will be interpreted by courts to only apply to companies "intentionally doing business with/commercially targeting EU residents", which is already the case for similar scenarios (e.g. that's how, to my understanding, German law requiring all sites to provide an imprint has been interpreted by courts).
In any case, I suppose we'll have to wait for precedent; I'm not aware of any at the moment.
No, it isn't. See Article 3, Section 2 of the regulation. You need to offer goods or services to EU citizens for the law to be in effect. If Home Depot doesn't operate in Europe, doesn't market to Europeans, doesn't ship to Europe, and doesn't offer any services to Europeans, then they are not impacted by GDPR.
The first part of Section 2 says the data subjects need to be in the Union. A European moving to America and shopping at Home Depot doesn't (alone) require them to be GDPR compliant.
> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
> (b) the monitoring of their behaviour as far as their behaviour takes place within the Union
Did I quote the correct section? Doesn't collecting all the analytics fall under section B? I'm not a lawyer of course, but it seems pretty reasonable to me that if you have interest in the EU market, blocking them is easier than figuring out if GDPR applies to you or not.
Or you could just not spy on your users of course, but I guess I'm too pessimistic to see that as an option a company would choose.
It took my team six months to get our company GDPR-compliant, and that included hiring three external consultants with extensive knowledge of GDPR and its implementation across the various EU countries we did business in. We were a short-term car rental company, we did not earn money with user-tracking, advertising or selling user data. But we did process drivers licenses, user data, trip data. We had to re-write big parts of our car-tracking module because having it tied to the current driver (customer) automatically made it personal data, which can be requested on demand when the customer wants to. It also limited us on what we could log to our logging server and store in a database.
I can understand that an American company does not want to make such an investment when there is literally 0 added business value, as EU customers don't shop at that company.
So if I order something on Home Depot, the shipment is delayed, and I want to check on that (or even just find the support phone number, some sites block all HTTP requests from foreign IPs!) while I'm traveling out of country, I just don't get to do that without a VPN due to GDPR?
They are an American business that does not deal with other countries outside North America. Why would they care about the world outside of "ol' Merica?"
And they are fine with that just like large numbers of retail chains in Europe, Africa, Asia, South America, Australia, New Zealand, etc. which don't have a presence in the US or other countries outside their own or their own economic region. Home Depot does operate stores outside the US in Mexico and Canada.
Standing up and maintaining a distribution network is non-trivial, especially for bulky goods that aren't practical for mail-order shipping. Home Depot doesn't contract out locally sourced production like your examples do.