They have to comply with GDPR as their website is accessible from EU countries, as long as they have data to identify a specific EU citizen.
There’s currently American laws that if not followed, States have a right to pursue a lawsuit. Many American companies shrug and wait for the paperwork. Often, it takes a few months for that paperwork, and then years before it moves through the courts. Imagine a EU company getting that paperwork. Besides the initial “I’m in the EU, I don’t have to follow your American laws”, the court case would take YEARS to materialize.
Now flip that for American companies following EU rules.
A law is only as strong as those who enforce it. Look at Twitter. How many warnings will the EU give and still not do anything about it?
I’m not saying this to wave my freedom around. This is just reality. Major American companies to this day still are lax around GDPR. So a small 1-person company is going to shrug and do whatever they want. Until they do something outrageous like terrorism or CP, they’ll at most get a strongly written letter.
And by then, they’ll just bankrupt their company and start a new one.
Again, not saying that to be a jerk. I’ve been on that side of arguing that our products should follow GDPR, watching some manager tell me fuck off, then literally nothing happening for years.