GDPR is an EU law. It doesn’t automatically apply to people in the US. That’s the only reason I replied - your original framing left an implied suggestion that it might commonly or by default apply to US citizens, without discussing under what conditions. Arguing that you don’t have to be an EU resident leaves the misleading impression that the EU doesn’t have to be involved. I think it’s important to note that the EU part is required somewhere in the company-customer relationship for GDPR to have any say in the matter, and it’s important specifically because this is a common misconception and the misconception is being abused in some cases to coerce compliance where it’s not legally required. I know this as a US business owner that gets emails from US companies on behalf of US citizens that are demanding certain actions and rights under GDPR, without a legal basis to do so.