New Service Blocks EU Users so Companies Can Save Thousands on GDPR Compliance
bleepingcomputer.comDisclaimer: This is not legal advice.
Blocking EU visitors by IP doesn’t eliminate the need to comply with GDPR, because GDPR jurisdiction isn’t based on where the service thinks think the user is (whether from IP geocoding or another source).
If an EU resident is using a VPN, or using an IP that incorrectly geocodes to a non-EU country, or behind a private corporate network and NAT that egresses traffic in a non-EU country, GDPR still applies. Any site with more than trivial traffic will have some users with those characteristics.
Experts debate whether explicitly requiring users to confirm that they aren’t in the EU - say, a country dropdown - is even a solution. If an EU resident visitor lies, they may well still be protected by GDPR (and the EU is large enough for enforcement to matter even if a site doesn't have an EU presence).
It is much easier and better mandate a physical address during a forced registration.
At that point, it's quite easy to inform EU residents that they are unable to continue do to regulations rather than rely on some type of spoofed IP or VPN