> Yes, restricting access when users do not consent to data collection is generally illegal.

So, if sites can't provide users with anything in return for consenting, doesn't that make consenting not a valid contract? Or does the EU not require a contract to have an exchange of value?

Not any data, personal data. You can't collect personal data unless is necessary to the service you want to offer, and only after the user gave its consent

Do EU laws apply when the target user base of a website is non-EU customers? e.g. if Verizon Wireless only operates in the US, do they have to comply with EU laws despite them not attempting to localize content for EU users (aka they get shown what US users get shown)?

The law only applies within the EU.

However, EU GDPR legislation permits the EU to do whatever it can go after noncompliant sites in any jurisdiction. The legislation also requires all new trade agreements between the EU and other countries to be GDPR-compliant. The legislation permits them to go after "noncompliant" sites for 4% of worldwide revenue. So it's quite brutally extraterritorial by design.

The interpretation of the regulation does not require large fines for small infractions by non-EU-focused sites, and indeed the regulators presently work to be eminently reasonable about such things, but the lines are fuzzy and the interpretation could change without further legislation — and even if you could defend yourself against such a case, it may be ruinous anyway.

The GDPR applies to personal data of all EU citizens and permanent residents. Even a tourist in the US who browses a website which is only available in the US.

But if the company has no offices, bank accounts or other business presence in the EU, there is no practical way to enforce it.