It does affect US companies where either they, their staff, or their customers have sufficient ties to the EU for the EU to exert their authority, and where the GDPR applies by its own terms. Which is more US companies than many think.
Whether "not operating in the EU" is a different threshold than the above is a semantic argument that's less interesting to me than the substantive ones.
Whether "not operating in the EU" is a different threshold than the above is a semantic argument that's less interesting to me than the substantive ones.