IPs are PII even before you inevitably link them to something in your logs. If you can make a case that you absolutely don’t store them anywhere, they’re just transiently handled by your network card, maybe you get away with it but only because someone else along the stream covers this for you (your hosting provider, your ISP, etc.)
Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.
Basically we are in agreement: IP addresses, by themselves, are not PII, only when they are linked to other information (a cookie, a request log) then it consitutes processing.
So, apologies if I was not precise on my comment, but I still stand by the idea: you don't need to a consent screen that says "we collect your IP address", if that's all you do.
Not really, no. I don’t think I can make it more clear than I, or the law, already did: IPs are PII no matter what. Period. It’s literally spelled out in the law.
The misconception is that you need explicit consent for any kind of processing of PII. That is not the case. The law gives you alternatives to consent, if you can justify them. Some will confuse this with “must mean IPs aren’t PII”, which is not the case.
Source: I have been cursed to work on too many Data Protection Impact Assessments, and Records of Processing Activities together with actual lawyers.