As with all legal questions (IANAL): it depends. Can you demonstrate legitimate interest for "using" those parts of the IPv4 address? If yes, then no.
The IPv4 address combined with a timestamp identifies the typical person almost uniquely. Tracking this data over time allows narrowing it down further. This makes it PII for all intents and purposes.
Anonymizing an IP address by truncating it is a form of processing. So technically you are "processing PII" which makes this subject to the GDPR. If the result is sufficiently anonymous, any data that is attached to further is probably not considered PII unless that additional data helps de-anonymizing the truncated IP. I guess you could have situations where the first two parts of the IPv4 are sufficiently unique in your data set for it still to be sufficient to uniquely identify a person (e.g. when you know that only one IP had these first two parts in the given context) but that's a freaky edge case.
PII or not, the more important question is what legal basis you have for storing and processing it. Consent is one mechanism and it's what requires "banners" - or really: consent forms, as the legally required default action is "reject all non-essential" even if most implementations blatantly ignore this and pretend otherwise - and note that "essential" here means "not requiring consent".
So if you have a different mechanism, you're golden, although truncating still makes sense given that it complies with the requirement for "data minimization" (i.e. being frugal in what you collect). "Legitimate interest" could for example be security-based. You should also make sure to only store this data as long as actually necessary and err on the side of that duration being shorter than longer.
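The truncation and the single-address edge case described in the comment above, as an added example that is not part of the original thread. The function names, the threshold `k` and the sample records are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def truncate_ipv4(addr, keep_octets=2):
    """Keep the first `keep_octets` octets of an IPv4 address, zero the rest."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    net = ipaddress.ip_network(f"{ip}/{8 * keep_octets}", strict=False)
    return str(net.network_address)

def minimize(records, keep_octets=2, k=2):
    """Truncate every (ip, timestamp) record before storage.

    Returns (rows_to_store, risky_prefixes). A prefix is "risky" when fewer
    than `k` distinct full addresses mapped to it in this batch, i.e. the
    truncated value still singles out one visitor in this data set.
    """
    distinct = defaultdict(set)  # full addresses live in memory only, never stored
    rows = []
    for ip, ts in records:
        prefix = truncate_ipv4(ip, keep_octets)
        distinct[prefix].add(ip)
        rows.append((prefix, ts))
    risky = {p for p, ips in distinct.items() if len(ips) < k}
    return rows, risky

# Constructed sample records (private address space, invented timestamps).
SAMPLE = [
    ("10.1.2.3",   "2024-01-20T23:12"),
    ("10.1.200.9", "2024-01-20T23:15"),
    ("10.9.4.4",   "2024-01-20T23:20"),  # only address under 10.9.0.0
]

if __name__ == "__main__":
    rows, risky = minimize(SAMPLE)
    for prefix, ts in rows:
        flag = "  <- unique in this data set" if prefix in risky else ""
        print(prefix, ts, flag)
```
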
Thanks. It's a bit unfortunate. I essentially only want to keep a visitor count. So I have to show the same banner (at least to be on the cautious side) as the guy who is sharing my data with their 732 "partners"? :-/
Somewhere in the original article it was mentioned that even hashing is not enough to make data non-PII. I assume then that's also out of the question?
Think about it the other way around. Is that visitor counter essential for your site? No. It’s cool. It’s interesting to know how many have visited, but that’s it. Now all you need to do is ask visitors if it’s okay to record their visit for the purpose of cool statistics. There is no requirement in the law to have a banner, or legalese speak. The only thing that actually matters is that you ask for consent in a way that actually shows why you want to track them.
Poof. What if I don't keep the IP at all and just the timestamp? Essentially "Someone visited at 23:12 January 20th", nothing else stored. Still banner needed?