I don’t know the legal implications, if any, of IP blocks. But I can tell you from experience that the bigger a site is, the more likely there will be robotic activity that can be blocked easily and effectively via IP address. IP address is not, IMHO (but IANAL) privacy details - it is just a number that is part of the web traffic.
I would actually venture to say that if we don’t have some blocking options based on IP address, we will in short order end up in a situation where we have some variant of:
- Attempts to create tons of accounts (which will never be verified via email because they’re all fake, but still overload the system)
- Attempts to crack our authentication system
- Attempts to pull data (aka web scraping) at speeds that cause server problems (i.e., the “good” ones like Google, Bing, etc. moderate their speed to avoid problems, but not the bad guys. And the bad guys do not care about robots.txt either)
All of which can at least partially be solved with (semi-)automated IP blocks.
I am not talking about User blocks. Those may or may not be IP-based but arguably should NOT be IP-based because if there is truly a User problem then blocking via the account is the way to solve it anyway as blocking by IP only works until they move to a different device.