
GDPR pretty much says "you can't do that".

The advice I have bookmarked (which I'll admit is not a legal opinion or the source legislation) says:

‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent;

and

the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising.

As I read/understand things, unless the service you're providing is "being tracked by advertisers or analytics", you cannot block access to users based on them not consenting to being tracked for advertising/analytics.

Pretty sure "They'd be supposed to drop EU users, under some interpretation of the law." is correct there, and that if GitLab wants to have tracking consent as a mandatory requirement for using their source control service, they'd need to stop selling it in the EU completely.



There is some potent American law lurking about, so I'm not going to assume the GDPR is enforceable in ways untested in U.S. court.


https://gdpr.eu/compliance-checklist-us-companies/

Good luck trying your luck with international law.

"You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis."


If a company does business in Europe, they must comply with GDPR. It doesn't matter where they are located.

It won't even go to a US court, but to an EU one.


The EU court needs to actually be able to enforce its decisions, which may require a US court.


Are you sure that American companies are immune to fines resulting from EU court sentences if they want to do business in the EU?


The EU could certainly stop them from doing business there. Beyond that, you can't be sure they could collect fines. It may depend on the technical details of what the fines are about, and how big they are. America has human rights that privacy regulations like California's CCPA are careful to waltz around.


If at all, then only as long as they're conducting their business with EU customers entirely from the US. As soon as they're putting servers in a colo in the EU, there's something that EU authorities could confiscate to cover outstanding fines.


This has been explained tons of times.

You cannot conduct business in the EU unless you have a VAT number issued by any of the member (still 28) states. You cannot sell anything in the EU w/o VAT, it'd be illegal. The company =must= pay the collected VAT to the respective member state(s).

So they have to register in the EU to conduct business (and issue VAT receipts). This requires some assets and people to be responsible.

The only way to conduct business outside is small shipments (less than 22e) that would be free of VAT and customs clearance.



