It's not like if the US laws didn't have any extraterritoriality.
This is a disingenuous argument. The US has never passed a law that is this easy to violate outside of its own borders, is this ripe for abuse, and carries such enormous penalties and burdens for essentially everyone in the world that wants to operate a website. In fact, no country has ever done this before.
> The US has never passed a law that is this easy to violate outside of its own borders, is this ripe for abuse, and carries such enormous penalties and burdens for essentially everyone in the world that wants to operate a website.
The US has clearly passed many laws that meet all those criteria but the last (and with much harsher, often criminal rather than merely financial, penalties), so unless you believe that operating a website is somehow a unique class of activity deserving special protection from extraterritorial application of laws, this is a pointless comparison.
And there's actually a number of US laws affecting website operators that arguably meet all three criteria, as other comments point out.
> The US has never passed a law that is this easy to violate outside of its own borders
The US has a law requiring US citizens living and working outside of the US to file taxes in the US. Not doing that is a crime. You'll probably argue that this is different, since it concerns American citizens, but it isn't different, because it's a US law that is very easy to violate outside of its borders.
Lol, the US has FATCA which makes it very difficult for fin-tech startups to work with americans. I'm an e-resident of Estonia, and almost all financial services state they cannot serve US clients.
Except that FATCA's sole purpose was to raise money, and the US isn't even compliant itself. FATCA is a whole different ball game to GDPR, and I don't recall the complaints from Americans when EU instituions were forced to implement it. In addition, the costs for implementation of FATCA were huge. Most people are halfway there with GPDR compliance already, unless they're doing something they really shouldn't have been doing.
GDPR is not a money making mechanism but a way of forcing compliance. I think that's the difference that many US people don't seem to understand.
Also I was responding to the comment that the US has never done anything like this, which is completely false, US people tend to forget what it's like for the rest of the world.
It's not like if the US laws didn't have any extraterritoriality.