GDPR covers any interaction of people or organizations in the EU.
So non-EU consumers are covered once they're visiting the EU (citizen of a member state or not), and potentially (untested, not spelled out explicitly) when they use a VPN with an endpoint in the EU (because they're then likely talking to data centers under the control of the European subsidiary).
> they don't have to afford the same protection to non-EU users
Given that "EU user" is murky like that, I'm not sure if any company goes through the trouble of differentiating which action happened from inside or outside the EU beyond raw GDPR blocking that refuses service entirely for accesses from within the EU.