I keep seeing this argument. But the reason I don't see this happening is the giant amount of fraud out there. Sure ad fraud is an arms race, but if you can't do js fingerprinting, cookies, etc it would be impossible to verify ad impressions are real humans, not bots. And actual clicks from real humans would be impossible to differentiate - not coming from the same bot clicking over and over again (can't store ip, cookie, etc I'm not sure how you'd distinguish).
To fight fraud you can use some short-term temporary tracking without saving data for a long time, without linking cookies and IP to email or real name, without exchanging data with other companies (like Google), without buying or selling data to data brokers.
To show ads you don't have to report about all of your site visits to Facebook and Google.
Sure you could store IPs, as you can also use cookies. I think there's a hysteria regarding GDPR. It won't break the web. Perhaps we need to give it some time to settle in and then draw our conclusions.
