I recently had my donation-driven site ruined by bots, it's a constant battle. I (jokingly) proposed we should amend the fax spam law to take this into consideration:

https://www.karlbunch.com/random/website-protection-act/

555 gigabytes of bandwidth in a week! We're paying more for egress than compute and storage now. I've tried robots.txt and finally gave in and started setting up aggressive WAF rules.

I like the idea, but in S227(g)(1) - "training shall compensate the server operator for the bandwidth and compute resources consumed" - bandwidth can be defined in finite terms for the size of the data pulled, but "compute resources consumed" is arbitrary.