As far as I know GDPR is all about giving consent (and letting the users have full retraction of their data) to any web site. But when a John goes to an SP website he is all about giving consent, don't you think?
Bottom line... that little message showing on sites about consent is for the EU cookie law. Not for GDPR... not even close. Consent is not enough, and who actually tracks the consent setting? Most just have a JavaScript box popping up for awareness. This is wrong and is what many non-EU-based companies think. Even in Canada, lots of people think PIPEDA is enough. It isn't.
Please do not take the word of some escort forum posting dude.... if you have a website and deal with European citizens (not IP location) or online traffic, I can't stress enough: reach out to your legal counsel.
I don't have access to my research notes at the moment but some main key points:
There are major changes!
1) Extended territory: It's not about IPs (or location) where the data is accessed from. It's about who accesses the information, e.g. your site, mobile app, 3rd party service on your site (i.e. Analytics, Mailchimp, etc.). The moment they are an EU citizen it triggers the extended territory. How they can fine the company is more challenging of course, but with PIPEDA in Canada trying to be more compliant with international laws, the bridge could be allowed - this part is still grey for us in Canada. Their definition is so ridiculous that they mention their extended territories as being triggered even by the languages available... e.g. the US has 1 official language. Offer content in French, German, etc.... it's enough to consider you're trying to target European citizens... GDPR is in effect.
2) Fines: €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.
3) What it concerns:
Right of access - upon request, be able to provide details of what is tracked, stored and used. This includes systems you might not know are being used (do you have a webmaster, a web host, an email form, WordPress?). You'd better have a better understanding of what steps they are taking, as you could be required to provide details on the actual user. Don't know how Google tracks users via your site? Using an AdWords conversion pixel? Or a Facebook audience building pixel? It's going to be your responsibility to make sure you're compliant.... this point alone will be a clusterfuck for a lot of small-time business operators. Take a Shopify or Wix site for example.... how many non-technical users are there that are clients? It's not the vendor's responsibility anymore, as you will be considered the Data Controller.
Right to erasure - If a citizen requests to be removed, you will have to, and prove that it was removed.
Data portability - Have the ability to export all information you have on a visitor or client (emails, tracking data, profiles). You don't think you have anything? Do you run ads on your site? The cookies they are setting and what they are collecting are part of it...
Data protection by design and by default - This defines how your systems are built... you will have to make sure that whatever tools you're using (e.g. WordPress, Mailchimp, Facebook share button) are also under your protection.... oh and let's not forget about those vulnerable WordPress themes... yup, that will also be on you.
So my main fear isn't so much for the larger companies. And the smaller guy might be ok.
But let's take sites like merb or sps that basically hide the true operators of the site and its members/visitors. Consider an EU citizen that visits the site simply to read reviews. He has a right to exercise his GDPR rights... sorry for the layout and typos and for cutting this short, but I have to go.