
That law says if you offer service or goods to anyone or monitor them while they are in the EU. It does not say "anyone in the EU" as people you aren't offering services or goods to and you aren't monitoring are not included.

Afaict from summaries on court cases in Germany, "offering goods or services" definitely means you have to have more than accidental contact with EU customers. Monitoring is hopefully obvious.




That doesn't feel wholesome to me. I'm a software engineer in the US. I don't know German case law or if German case law can/will be used in, say, Spain.

The law says anyone in the EU (or is it EEA?) that you're interacting with.

Article 3:

> 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

> (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(This also seems to mean a forum with no monetary value at all, but that's another issue.)


A forum with a few European users obviously goes beyond incidental contact.

The thing is, if you want to do business in the EU, you better know the legal system there. The US forces people in the EU to adhere to their legal system all the time.


> A forum with a few european users obviously goes beyond incidental contact.

Why? That's such a silly thing to assume. It's possible I've targeted no one by location or nationality.

> The thing is, if you want to do business in the EU, you better know the legal system there.

How is a silly forum a business?


> It's possible I've targeted no one by location or nationality.

It's not about targeting but about offering services to people in the EU. A silly forum that has a few EU users is beyond incidental/accidental contact and will have to adhere to the EU laws.

A silly forum may not be a business, but at least under German law it can be classified as business-like or otherwise commercial even if you don't make any money on it.


This is the problem. We've gone from one guy's "It's a non-commercial entity that has incidental EU users" to your "It's a business-like entity that has beyond incidental contact" with the same facts. They've made a law that applies extraterritorially which requires knowledge of European cultural context to interpret correctly!


Business-like and non-commercial are not mutually exclusive.

At least under German law, you are business-like if you offer a website beyond personal interest (i.e., a webpage about you, your family or your hobby). A forum is certainly business-like.

The same forum can still be non-commercial, you don't have to make any money to fall under business-like.

In total, a non-commercial entity, which is business-like, and has more than incidental EU users will fall under GDPR.

> They've made a law that applies extraterritorially which requires knowledge of European cultural context to interpret correctly!

I'm sorry, the US made extraterritorial laws that require US cultural context to interpret correctly. You don't get any special treatment here.


EU people can buy my courses. And maybe once per year someone does. Does that mean I should shut off access to EU billing addresses or even EU visitors?


No, if all the data you keep around from EU visitors is strictly for the conduction of business or a legal requirement (taxes for example) then you don't need to do anything (maybe add a text that you do save these things for business purposes). Once the data is no longer needed you should delete it within a certain timeframe (a month or so).

If you save data beyond what is strictly necessary to conduct business, like doing analytics, then you will need to ask your EU users if they are OK with that. If you don't want to do that you can simply exclude EU users from any analytics.


So, in practice this probably means that Google Analytics, WooCommerce, etc. will come up with some compliance box and I should enable it for the EU region, I'm guessing.

Or exclude them from Google Analytics. Wouldn't be a giant effect.



