The GDPR might assert that they're bound, but an Oklahoma-based business with no business presence or assets inside the EU isn't bound by EU law. This is pretty much the foundation of national sovereignty.
How would an EU enforcer actually enforce the GDPR in this case? Unless there's been a violation of a trade agreement, any attempt to apply EU law to a US-based company operating on US soil is going to be utterly impotent.
Geo location for IPs is a very inexact science so they almost certainly are processing EU citizens' data. Hell I can access it with a VPN while sat in the EU so yep, they are liable if they store anything about me (apparently IP addresses are considered PII in terms of GDPR too)
No idea how they'd enforce it - various murky-references to "international law" are floating around. I guess these sort of things are covered in trade treaties etc like with patents and copyright etc.
I understand what the GDPR _says_, but I'm saying that there's a vast difference between "what it asserts it can enforce" and "what can actually be enforced". A law that can't be enforced doesn't mean much.
Governments enforce their laws with the threat of depriving you of your assets or personal liberty. In order to do that, they have to first have the power (via unchallenged jurisdiction) to deprive you of assets or liberty. In this case, unless the EU can get the US to enforce EU law on US soil, or to extradite offenders to the EU, the GDPR has no teeth.
How would an EU enforcer actually enforce the GDPR in this case? Unless there's been a violation of a trade agreement, any attempt to apply EU law to a US-based company operating on US soil is going to be utterly impotent.