Say I use a DDoS prevention service (like cloudflare). They get my user data, and also have to be under scope of GDPR as well. And since IP isn't indicative of EU citizenship status, a company had better apply GDPR to everything rather than just a subset.
In the end, this law makes a "We respect the privacy of your data" subset of providers, and provides a great way for us users to identify bad actors (Google, FB, Amazon, etc).
And that's what Cloudflare chose to do. We are treating all customers the same regardless of location.
"Of the companies I spoke with for this story, both Cloudflare and Mozilla will be GDPR compliant no matter where their customers are located." https://www.fastcodesign.com/90171699/what-is-gdpr-and-why-s...
The GDPR is becoming a "I'm doing the right thing" checkbox. At least with the European rule, we data-drained Americans can rely that these services might cost more, but we retain our rights.
Lack of will have to be scrutinized. Smaller places may make the determination based upon reasonable answers, or be malicious. Facebook/Google/Etc wouldn't exist in their current forms if there was strong privacy rules in place.