[gnud]

If you save IPs to use for fraud detection, then under the GDPR you can't use them for _ANYTHING_ else, and you need a sensible rule for how long you keep them.

Most of those checkboxes are not worth anything under GDPR, because people don't give a clear, informed consent when they have no chance of understanding what is being asked.

The law is not the problem. Lack of enforcement is.