[gcanyon]

I think the point being made is that there are two classes of information: 1. That which helps distinguish a single human being as distinct from another. 2. That which provides you with some useful knowledge about that human being.

Knowing an IP address can distinguish user A from user B, but unless you know something else about A vs. B, what's the point?

[withinboredom]

I'm not sure what point you're making.

Knowing an IP address is useless information, until you have a database linking IP addresses to geolocation. Knowing my address is useless information, until you have a map. Knowing my name is useless, until you have Google. Knowing my user id is useless, until you have a leaked database (or other vulnerability).

These are all PII, because they're useless until you have some other information, and then they deanonymize you.

[glitchc]

There's a lot of confusion here. You need to read the GDPR carefully. The GDPR is the only source that explicitly mentions IP, and even they distinguish IP as "personal data", not "personally identifiable data." No other privacy legislation on the planet considers IP to represent any kind of PII.

I will reiterate my point. It is impossible to operate the internet or any other network where a server must distinguish between two or more client without some kind of identifier for session management. Just think about it.

[withinboredom]

I am literally face palming so hard right now. I also wish I'd seen this reply earlier.

The GDPR never mentions "personally identifiable data" as that is a US term. In the GDPR, it only says "personal data" which is the exact same thing according to the GDPR.