by jwalton 2026 days ago
> `/ip=([\d.]*)\n/`

1. This is going to break if your clients are using IPv6.

2. IP addresses are generally considered PII under GDPR[0], but IANAL and I don't know what that means as far as compliance.

[0] https://www.groundlabs.com/blog/what-is-pii-for-gdpr/

2 comments

If you hash your IP with a bunch of other fairly unpredictable and high cardinality information, it's no longer PII.
They are using a 53-bit hash cyrb53 [1] of the string "IP address + website domain + user agent + language + validity days". It looks feasible that many of the generated IDs could be retroactively brute-force mapped back to an IPv4 address with high confidence (small chance of error due to hash collisions).

[1] https://stackoverflow.com/questions/7616461/generate-a-hash-...
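
Added example, not part of the thread or of the project being discussed: a JavaScript check of the reversibility point raised in the comment above, run over a constructed /16 with all other inputs known. The field order, plain concatenation without separators, the sample values and the helper names `visitorId`, `recoverIps` and `expectedFalseMatches` are assumptions; cyrb53 is written out from the widely circulated public-domain version so the block runs offline.

```javascript
// cyrb53: 53-bit non-cryptographic string hash (widely circulated version).
function cyrb53(str, seed = 0) {
  let h1 = 0xdeadbeef ^ seed, h2 = 0x41c6ce57 ^ seed;
  for (let i = 0; i < str.length; i++) {
    const ch = str.charCodeAt(i);
    h1 = Math.imul(h1 ^ ch, 2654435761);
    h2 = Math.imul(h2 ^ ch, 1597334677);
  }
  h1 = Math.imul(h1 ^ (h1 >>> 16), 2246822507);
  h1 ^= Math.imul(h2 ^ (h2 >>> 13), 3266489909);
  h2 = Math.imul(h2 ^ (h2 >>> 16), 2246822507);
  h2 ^= Math.imul(h1 ^ (h1 >>> 13), 3266489909);
  return 4294967296 * (2097151 & h2) + (h1 >>> 0);
}

// Assumption: fields are concatenated in the order the comment lists.
function visitorId({ ip, domain, userAgent, language, validityDays }) {
  return cyrb53(ip + domain + userAgent + language + validityDays);
}

// Try every address under a two-octet prefix; the other fields are public
// or guessable (domain, common user agents, language), so only the IP varies.
function recoverIps(targetId, prefix, known) {
  const matches = [];
  for (let c = 0; c < 256; c++) {
    for (let d = 0; d < 256; d++) {
      const ip = `${prefix}.${c}.${d}`;
      if (visitorId({ ...known, ip }) === targetId) matches.push(ip);
    }
  }
  return matches;
}

// Expected number of wrong addresses that collide with one stored ID when
// the whole IPv4 space is tried: candidates / size of the hash output space.
function expectedFalseMatches(candidates = 2 ** 32, hashBits = 53) {
  return candidates / 2 ** hashBits;
}

// Constructed sample values (private address range, made-up user agent).
const known = {
  domain: "example.com",
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
  language: "en-US",
  validityDays: 1,
};
const storedId = visitorId({ ...known, ip: "10.20.30.40" });
console.log(recoverIps(storedId, "10.20", known), expectedFalseMatches());
```

Because every input is known or enumerable, the hash adds no secrecy. A keyed hash (HMAC) whose server-side key is rotated and then discarded removes the ability to enumerate candidates after the fact.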

I wouldn't trust any article that purports to be about GDPR that uses the term 'PII', a term which itself isn't anywhere to be seen in the regulation!

In reality an IP address is generally not PII, but it may be personal data - the case is Breyer, which was decided on pre-GDPR law but is still relevant. If you could use reasonable means to identify someone from the IP address then it will be personal data. I don't really agree with the outcome of the case because it implied it was easy to contact an ISP to get them to disclose details of the subscriber information associated with the IP address. In the UK at least it would require cause, and a court order.