14 days after requesting my personal data from Goodreads (December 31, 2019), they replied to me with this email:

Hi there,

Thank you for taking the time to write in. For many years, individuals from around the world have had the opportunity to come to Goodreads and join the world’s largest community of readers. **As a business based in the United States, Goodreads complies with laws in the jurisdictions where it operates.** We are always considering how to reach more readers and improve the experience for our users, and if Goodreads expands its operations to the EU we will comply with all relevant laws and policies, including GDPR.

Sincerely,
The Goodreads Team 

Is it legal for Goodreads to tell me that they don't have to comply with GDPR? Contents →

What does the GDPR say?

Article 3

Article 3 of the GDPR says:

This Regulation applies to the processing of personal data of **data subjects who are in the Union by a controller or processor not established in the Union**, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.

The question whether Goodreads should be compliant with GDPR boils down to:

• whether Goodreads "offers services" to EU citizens
• whether Goodreads monitors behavior of EU citizens in the EU

This Article 3 excerpt is hard law.

Recital 23

Next, there is a recital on this topic. But a recital is not "hard law". As far as I know (not a lawyer!), it only helps with interpreting a law

Recital 23: "Applicable to Processors Not Established in the Union if Data Subjects Within the Union are Targeted"

In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. 
2. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, **it should be ascertained** **whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.** 
3. Whereas **the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union**, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, **is insufficient to ascertain such intention**, factors such as the **use of a language or a currency generally used in one or more Member States *with the possibility of* ordering goods and services in that other language,** or **the mentioning of customers or users who are in the Union**, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.