@scottalanmiller still not US.
It is a grey area:
"More controversially, the GDPR also will apply to businesses established outside the EU if their processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behavior. This provision expands the territorial scope of the GDPR well beyond the EU, essentially making it global law. There are some limits in place on the GDPR’s reach—the regulation makes clear that having a commerce-oriented website that is accessible to EU residents does not by itself constitute offering goods or services. Rather, a business must show intent to draw EU residents as customers, for example, by using a local language or currency."