Ask HN: What happens if I don't abide by GDPR and put a banner on my website?
5 points by givemeethekeys on Dec 3, 2023 | 17 comments
I've noticed that Hacker News and Reddit don't make me click on a banner each time I visit. Neither do Facebook, nor X.

On the other hand, many, many websites do show me an obnoxious banner that I have to acknowledge every time.

Why did they decide to put it up? Does it matter if they aren't an EU-based website? What is the consequence of not putting up the banner / pop-up? Has anyone been taken to court for violating GDPR because they didn't tell their users that they'd be serving up cookies?



While you asked about GDPR, the banners are actually required for many use cases by the EU ePrivacy Directive[1]. This use case is both broader than, and different from, those afforded by GDPR. However, it's possible both can overlap and you can be sanctioned for both items at once.

Not every website is subject to GDPR - applicability is determined by GDPR Article 3[2]. When a site is subject to GDPR - you need a legal basis to process personal data[3] subject to Article 6[4]. Sites which use the 'consent' legal basis thus get consent with a banner.

If you do not have a valid legal basis (such as consent) to process data, but are found to be doing so, complaints with the relevant Data Protection Authority may be lodged and investigations may be carried out subject to Article 77[5]. In the event of an adverse decision, corrective action, including fines, may be levied. There are two fine structures in the GDPR, and those can be found in Article 83.[6]

Now, a site can use geofencing to determine if you are in the EU (or other relevant location) and selectively show you a banner or not based on your believed location as determined by a reverse IP address lookup.

You may be re-prompted between visits depending on if the persistence mechanic you select is maintained. Some browsers delete cookies aggressively[7], and if the preference cookie is removed by the browser you will likely be issued a banner on the next visit to re-establish your preferences.

[1] https://gdpr.eu/cookies/
[2] https://gdpr-info.eu/art-3-gdpr/
[3] https://gdpr-info.eu/art-4-gdpr/
[4] https://gdpr-info.eu/art-6-gdpr/
[5] https://gdpr-info.eu/art-77-gdpr/
[6] https://gdpr-info.eu/art-83-gdpr/
[7] https://webkit.org/tracking-prevention/
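The geofenced banner and preference-cookie persistence described in the comment above, as an added example that is not code from the thread: pure functions (so they run in Node as well as a browser) that read the stored choice, treat a missing, malformed or stale record as "ask again", and gate non-essential script categories until consent exists. The cookie name `consent`, the `regionRequiresConsent` flag supplied by the server's geolocation step, and the category names are assumptions.

```javascript
// Added example, not from the thread. Assumes the server passes a
// regionRequiresConsent flag (result of its IP geolocation) and that the
// visitor's choice lives in a first-party cookie named "consent".
const POLICY_VERSION = 3;   // bump when the cookie policy changes: forces a re-prompt
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Parse a document.cookie / Cookie header string into a {name: value} map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Stored consent record, or null when absent (e.g. deleted by the browser),
// malformed, or recorded under an older policy version.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString).consent;
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec.version !== POLICY_VERSION || !Array.isArray(rec.allowed)) return null;
    return { version: rec.version, allowed: rec.allowed.filter(c => CATEGORIES.includes(c)) };
  } catch {
    return null;
  }
}

// Decide whether to show the banner and which script categories may load now.
function decide(cookieString, regionRequiresConsent) {
  if (!regionRequiresConsent) return { showBanner: false, allowed: [...CATEGORIES] };
  const rec = readConsent(cookieString);
  if (rec === null) {
    // No usable preference: re-prompt and load only strictly necessary scripts.
    return { showBanner: true, allowed: ["necessary"] };
  }
  const extra = rec.allowed.filter(c => c !== "necessary");
  return { showBanner: false, allowed: ["necessary", ...extra] };
}

// Set-Cookie value to write once the visitor answers the banner.
function buildConsentCookie(allowed) {
  const value = encodeURIComponent(JSON.stringify({ version: POLICY_VERSION, allowed }));
  return `consent=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}
```

In a real page, `decide(document.cookie, flag)` runs before any tag manager or analytics loader, and each loader checks that its category is in `allowed`.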



If you live or work or do business in Europe then you need to talk to a lawyer. If you don't, then the GDPR doesn't apply to you so you can just ignore it with no negative consequences.


This isn't actually correct. If you collect or process the data of European citizens, no matter where in the world you are, then you're affected by GDPR.


If I'm a US citizen in the US, hosting a website on US infrastructure, why would a rule that the EU put in place impact me?


If you sell services to EU residents then it would apply. Or otherwise generate significant revenue. If not, I would not worry too much.


It's much more complicated than that. Article 3 (https://gdpr-info.eu/art-3-gdpr/) gives two possible ways to fall into the territorial scope of GDPR:

- the offering of goods or services

- the monitoring of behavior of data subjects

Offering doesn't mean that it's just available and/or sellable in the EU. It's more complicated than that. The EDPB has guidance on this topic: https://edpb.europa.eu/our-work-tools/general-guidance/guide... In short, the document shows examples where some services are available in the EU, and sellable there, but the personal data isn't covered by GDPR.

On the other hand, my understanding is that monitoring of behavior is always covered by GDPR.

(I am not a lawyer and this is not legal advice)


I don’t think I dispute that the GDPR and related laws claim to apply to me if I have a website that EU residents access.

I dispute that they have jurisdiction to actually apply their laws to me, any more than the US can charge somebody with violating FCC regulations for a radio signal sent from Norway.

There are specific things like extradition treaties, trade agreements, and parallel legislation that cover existing areas where this happens. Is there one that covers application of the GDPR in the US?


The U.S. and the EU signed the Data Privacy Framework over this past summer. https://www.dataprivacyframework.gov/s/ This offers methods for EU residents to exercise claims against U.S. businesses.

Among other requirements, a participating organization must provide you:

  Information on the types of personal data collected
  Information on the purposes of collection and use
  Information on the type or identity of third parties to which your personal data is disclosed
  Choices for limiting use and disclosure of your personal data
  Access to your personal data
  Notification of the organization’s liability if it transfers your personal data
  Notification of the requirement to disclose your personal data in response to lawful requests by public authorities
  Reasonable and appropriate security for your personal data
  A response to your complaint within 45 days
  Cost-free independent dispute resolution to address your data protection concerns
  The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the DPF Principles to you and that has not been resolved by other means
https://www.dataprivacyframework.gov/s/article/My-Rights-und...


> There are specific things like extradition treaties, trade agreements, and parallel legislation that cover existing areas where this happens. Is there one that covers application of the GDPR in the US?

Nope. Extradition only covers the case where you go to some other country and commit a crime there, then return to the US. If the crime you committed there is serious, and is also a crime here, then extradition can apply. There are other conditions as well, but the key is that it has to be a crime in both places.

Europeans can claim that you must follow their laws until they are blue in the face but it won’t magically become true. You can safely ignore it. Enjoy competing against European businesses without having to pay any of the same costs.


Even if you do not have to comply with GDPR, 12 States have passed data privacy regulations to date. You may still need to comply with data protection law regardless, if you qualify under various State laws.

Even if State law doesn't apply - you have HIPAA, GLBA, SOX etc.


All irrelevant to the question. But it is of course true that we have plenty of our own laws to follow.


Simply block everyone from the EU from visiting your website, or put up a disclaimer that you don't provide services for EU citizens.


Why though?

If Norway passed a law saying that all US websites have to include a disclaimer saying Norway is the best country, it would be pretty clear that it doesn't affect me, because Norwegian law doesn't apply to people who aren't in Norway and aren't Norwegian citizens.

I put up a website. If people from the EU visit my website, why does EU law apply to me? Opening a brick and mortar bakery in the US doesn't make me subject to EU food regulations just because somebody from Europe flies over and buys a cake.


Exactly. Plenty of people from the EU will claim that an EU law must be followed by US citizens, usually for magical reasons (or because they have been told that it is so). It just isn’t true.


What distinguishes online interaction from physical interaction in terms of jurisdiction and law enforcement?


> Has anyone been taken to court for violating GDPR because they didn't tell their users that they'd be serving up cookies?

It can already be quite expensive to make rejecting the cookies too difficult: https://www.bbc.com/news/technology-59909647

After that Google fortunately turned their monstrosity of a UI maze into a single click.



