> gpdr on the other hand is tough to enforce on companies who wholly are in the US.
If you do actual business in the EU they can block financial transactions, and if you don't do business in the EU, there isn't really any incentive to (ab)use the data GDPR covers?
Yup that's the idea, the EU is a big market and GDPR is the cost of doing business there.
As a startup though, it's absolutely part of your calculus. If you are worried about GDPR compliance, you can choose to just not launch in the EU (actually that might not be enough, I believe you may need to actively refuse EU users) until after you've proven the concept. Although with California's CCPA, depending on the specifics of your situation, you may as well just carve out some time to deal with compliance.
If you do actual business in the EU they can block financial transactions, and if you don't do business in the EU, there isn't really any incentive to (ab)use the data GDPR covers?