[zelphirkalt]

The conversation was about correlations and not merely about one attribute like IP addresses.

An IP address limits the location of a person significantly, unless they use VPN or so, which most people do not, so it cannot be assumed, but rather one must assume, that they do not use VPN.

Add one more attribute and through correlation you might already be able to map to an actual identity. It can happen very easily and you don't want to be an organization, which suddenly realizes, that some of their data has accidentally become personally identifying, when the next data protection audit happens.

Data also does not stay in one place only. It travels from department to department, often from organization to organization even. It has these tendencies, unfortunately. Each actor might have some data as non personally identifying, but when they sell and combine, suddenly it becomes personally identifying data.

An IP address is a very critical part in the data about users and ISPs are not to be trusted to never give their data to another actor. Many ISPs are shady businesses.