Hacker News

I don't actually see any way that your local neighborhood restaurant, assuming your local neighborhood is not in the EU, will in any way be covered by the GDPR.

It will, for a start, be too small to require much record keeping.

Second, it is unlikely to be keeping any personally identifying information from someone using the site while in the EU because nobody is ordering food from a pizza place in NYC while sitting in Napoli. IP address is sometimes PII but more often not.

Thirdly, as your local restaurant does not have any business operations in the EU, any potential fines levied against them would probably be unenforceable.

Those are just the top three things that spring to my mind though, pretty sure that there are other reasons the worry is nonsensical.




OP's site seems to focus on where servers are hosted, not about how or what data is stored or whether or not violations are enforceable.

A European could order delivery in the USA for a friend. The business (website) would happily accept money for this.


Theoretically this situation could arise; in practice, c'mon. I have friends in the U.S. but I'm not ordering any delivery for them unless I'm there.


It doesn't matter whether you are there or not. If you are an EU citizen, and you're in the US, and you visit a US website and make an order from that website, that website is now supposedly required to obey EU law.


You are, however, incorrect.

https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-...

"GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR."

It was quite a common misconception when GDPR was first being formalized that it would apply to EU citizens physically located outside of the EU, indeed if you go back about 6 years you would probably find me making the same incorrect argument on HN.


I'm open to being corrected. However, this article is about people who are living in, not visiting, another country.


The linked article specifically says

"When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR."

and

"If an EU citizen travelled to the United States and interacted with an EU business, which required the collection of their personal data, their data rights and freedoms would be dictated by US federal and state laws. GDPR would not apply."

True, this is inside a section where the headline refers to people 'living' in the US (which of course implies taking up long-term residence there), but the text of the body makes clear that just traveling to the US means that, as one would normally expect, the laws of the US pertain and not the laws of the EU.


Thanks. TIL. What an absurd law.

It makes zero sense to suddenly say that it matters where the company is if the EU citizen isn't in the EU anymore, but it doesn't matter where the company is if the EU citizen is in the EU.

Either the EU can make a law apply to my website, or it can't. If it can, why does it not do it all the time? If it can't why does it claim it does?

I'm personally of the opinion that they can't, and I'm going to keep acting accordingly.

And I'm willing to bet so are the vast majority of other websites. If anybody sees a drastic drop in Google Fonts usage, let me know. Otherwise I'll just keep saying, "I told you so." Nobody actually believes the EU can do this.


A friend did that with flowers for my wife's birthday during the 1st year of Covid (although the person was from the UK, not the EU proper).


Every time I have ever bought flowers internationally it has been through some big international floral delivery company that handles the actual contact with the local florist, hence I do not believe that any of the florists that actually delivered the flowers to their recipient were in possession of any personal information.

Thus a small florist does not operate the same way as a small local restaurant; the big international company with my personal information, however, will be on the hook for it and should have processes in place to handle that.


Managers in the EU could order food for their team in SF for a "lunch and learn."

I don't think this is that crazy of an example in this world.


Ok, well in that case, if they did that and the restaurant decided to save the personal data longer than was necessary to fulfill their legitimate business purposes, then I guess they would be under GDPR. Legitimate business purposes might be (just guessing, as I am not a restaurateur): IP addresses kept for a week until the profile-of-website-visitors report for that week is made, credit card and name kept until payment is received.



