Website Blindspots Show GDPR is a Global Game Changer

November 1, 2017

One of the less publicized features of the European General Data Protection Regulation (GDPR) is that US companies can be held liable even if they do not actively trade with Europe. This is because the regulation is about the collection and storage of European personal information, not about business.

Any US company that operates a website that collects user information (a log-in form, or perhaps a subscription application) could unwittingly collect protected European PII. That makes the company liable: GDPR sets requirements for how that information is collected (including explicit user consent, secure collection, and limitations on what is collected). Whether European regulators could do anything about that liability if the US company has no physical presence in Europe is a different matter.

Read More on Security Week