[munchbunny]

I think there are two misconceptions in this post.

1. Cookies do not automatically require consent. If you use a session cookie to remember someone's login session, that does not require consent. It's when you use that session cookie for analytics, advertising, etc. that consent enters the picture.

2. The fact that you can uniquely identify the user on an ongoing basis, even if you're not tying it to any actual personal details or an IP address, is what makes that identifier personal information. Just because you obfuscate it does not change that. A hash hides the original data but it does not change the fact that it's a unique identifier, and therefore it's still personal information.

You have to anonymize the data in such a way that you couldn't pick out the specific individual from any stored data. A lossy anonymization step is one way to do it. A hash of a browser thumbprint is not, unless that hash also pools multiple users together and mixes the data up so that you can't pick them apart again.