I'm in a holding pattern while my lawyer researches the EU "GDPR" laws.
It's looking like I will not be able to use 3rd party honeypots, as the GDPR requires companies to allow users to delete any data collected from there.
That means that anyone with a honeypot running on their router will be able to delete any IPs in the database that their router may have submitted.
While this may not sound like a big deal, it's ENTIRELY possible for a user to fake an update and delete the whole database.
I am looking forward to the new service. Obligatory - I am not a lawyer - but... You're overthinking this. An IP address itself is not "personally identifiable" -- until it is associated with other specific data that could be personally identifiable to a natural person (cookies, MAC, RFID, etc.). Classification of an IP as the source of infection, malicious behavior, etc. (or any of the behavior a honeypot would flag) is not at all identifiable to a natural person. Check into Recital 26 in full https://gdpr-info.eu/recitals/no-26/
Here's a piece:
"The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
If you get Honeypot information secondhand under general classifications of "port scanner" or "wordpress prober" or "SSH Brute Force" -- I can't think of much that could be less personally identifiable to a natural person. You don't know any personally identifiable information about their interactions with the honeypot - all you have is an IP address and a general label. They can't force you to pretend that IP doesn't exist or that you couldn't find their ISP and report them to abuse@ or that you can't make decisions based on anonymized data based on "reputation" of a network -- which (by itself) is not identifiable to a natural person.
Absolute worst case: If your lists were created with an automatic timeout or expiration that was less than the 24-hour requested removal, wouldn't that be compliant? The IP would have been removed from the list after 24 hours (requested or not) -- if they get added back for ongoing bad behavior that's their problem. The list doesn't "track" them at all; each list is an independent serial number.
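Added example, not code from either poster or from the service being discussed: a small Python observation store that addresses both points raised in the thread. Every record expires on its own after a TTL shorter than the 24-hour window mentioned above, and a retraction only removes records the requesting sensor itself submitted, so a forged "delete" from one honeypot cannot wipe entries reported by others. The class and function names, the TTL, the sample IPs (from the 203.0.113.0/24 documentation range) and the sensor ids are all assumptions for the example; it also assumes the transport has already authenticated which sensor is calling (for instance a per-sensor API key), which is outside the scope of the code.

```python
"""Honeypot observation store with automatic expiry and submitter-scoped
retraction. Example code only; all names and values are assumptions."""
from dataclasses import dataclass
import ipaddress
import time


@dataclass
class Observation:
    ip: str            # normalized IP address string
    label: str         # coarse classification, e.g. "ssh-bruteforce"
    submitter: str     # id of the sensor that reported it (assumed authenticated)
    expires_at: float  # epoch seconds after which the record is gone


class ObservationStore:
    """In-memory store; a real deployment would persist this, but the
    expiry and scoping rules would be the same."""

    def __init__(self, ttl_seconds: float = 12 * 3600, clock=time.time):
        # TTL is deliberately below the 24-hour removal window discussed above.
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested offline
        self._records: list[Observation] = []

    @staticmethod
    def _normalize(ip: str) -> str:
        # Rejects garbage input and canonicalizes (e.g. IPv6 forms).
        return str(ipaddress.ip_address(ip))

    def _purge(self) -> None:
        # Drop everything whose TTL has elapsed; called on every access.
        now = self.clock()
        self._records = [r for r in self._records if r.expires_at > now]

    def submit(self, ip: str, label: str, submitter: str) -> None:
        """Record that `submitter` observed `ip` behaving as `label`."""
        self._purge()
        self._records.append(
            Observation(self._normalize(ip), label, submitter, self.clock() + self.ttl)
        )

    def retract(self, ip: str, submitter: str) -> int:
        """Remove only the records for `ip` that *this* submitter reported.
        Returns the number of records removed; other sensors' reports stay."""
        self._purge()
        target = self._normalize(ip)
        before = len(self._records)
        self._records = [
            r for r in self._records
            if not (r.ip == target and r.submitter == submitter)
        ]
        return before - len(self._records)

    def listed(self, ip: str) -> bool:
        """True if any unexpired record for `ip` remains."""
        self._purge()
        target = self._normalize(ip)
        return any(r.ip == target for r in self._records)

    def export(self) -> dict[str, set[str]]:
        """Reputation view consumers would receive: IP -> set of labels.
        Submitter ids are not exported."""
        self._purge()
        view: dict[str, set[str]] = {}
        for r in self._records:
            view.setdefault(r.ip, set()).add(r.label)
        return view


if __name__ == "__main__":
    # Constructed walkthrough with a fake clock so expiry is visible immediately.
    fake_now = [1_000_000.0]
    store = ObservationStore(ttl_seconds=3600, clock=lambda: fake_now[0])
    store.submit("203.0.113.5", "ssh-bruteforce", "sensor-a")
    store.submit("203.0.113.5", "port-scan", "sensor-b")
    print("sensor-a retracts:", store.retract("203.0.113.5", "sensor-a"))
    print("still listed (sensor-b's report survives):", store.listed("203.0.113.5"))
    fake_now[0] += 3601
    print("listed after TTL:", store.listed("203.0.113.5"))
```

The `export` view carries only IP and label, which is the "IP plus a general label" shape the reply describes; the submitter id is kept internally solely to scope retractions.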