More accurately, "we do not have the staff or funds to figure out what every single random law around the globe requires of us, and since foreign countries are not a realistic advertising market for a local Michigan newspaper, there's really no reason for us to try."
It probably wasn't worth the effort to block foreign countries just from random unnecessary compute cost to serve a site to them, but when those countries start being serious about penalties you could face for serving their residents? Now it's justifiable to block non-US countries.
After all, using a VPN doesn't absolve companies of the GDPR.
Every site that gdpr-blocks itself is saying that they intend to extract value from your data and they don't want to tell you how.
Sometimes if you're just one person and the EU isn't a core market and you are a small business or non-profit, it's easier to just say, ok you know what, no thanks to all this for now.
"Will you sell my data?"
"This interview is over. (I'm very busy.)"
No! Of course not! It's because you don't care about Turkmenistan, to the extent you've never even bothered to look up what is and is not legal there, let alone get legal advice about it. That's a perfectly fine answer. This random Michigan newspaper doesn't care about the EU. That's a perfectly fine answer too.
Me: "No."
Use of AWS availability zones as it applies to Article 5?
Equally surprised would be the authors of very many legal books and journals, e.g. https://www.cambridge.org/core/browse-subjects/law/european-...
Also not a "European law" by any measure or understanding, that's a international organization that does police cooperation across the continent (and further), it isn't even a law enforcement agency... Not exactly sure how you could confuse that with laws, but here we are.
There are services that will do this for you. Last I checked they were typically in the neighborhood of a couple hundred Euros a year.
Whether or not GDPR applies to a site not in the EU is somewhat subjective. It comes down to whether you envisaged serving people in the EU.
If your site does not need EU visitors it can make some sense to block them. That provides evidence that you did not envisage serving people in the EU, and then you don't have to figure out if you need to be hiring a service in the EU to receive GDPR mail.
This may be true for in house ads, but there are ad networks that already are able to personalize ads and have ad inventory for such foreign countries.
Anyways, it sounds like a win-win here, they get to not care, and we get to be rejected with clear reasons why, so again, benefits all around.
The data download and removal side of GDPR seems useful for more "entrenched" use cases where you have an account and a long history on a service but... fly-by website visits should not be this heavily regulated. Blocking cookies and scripts is trivial.
If you look at it through an equity angle, needing extensions relegates the negative effects to those that are already not "well off" — the technologically illiterate who don't know what to do or know someone who does.
They refuse to allow visitors to visit their website without taking, processing and selling their data and letting those visitors know that this is happening. That they outright block me instead of doing those anyways, clearly is a good thing and in my benefit.