That is not quite completely true - In many cases you can associate it to a user based on their activity too. For example, they might logon which would link the IP to an identity.
Yes, but the IP itself is not personal without the connection to other information. I do think considering IP address personal is a bit of a reach, especially given the common case of ephemeral addresses.
All the residential IPv4 addresses have been the same for years, until I switched ISP or moved. Ever since I've lived alone that IP address 100% maps back to me as a person, and I'm not the only person in Europe living on my own. Pretending this situation doesn't exist and forms a privacy risk would be madness.
There's nothing wrong with receiving IP addresses on your website, though. You can log IP addresses and use them for detecting fraud and other kinds of abuse without requiring consent. Third parties can do the same, as long as they follow the law and as long as you clearly document what information you're sharing/making users share in your privacy policy.
You can't use personal information for tracking and ad purposes without consent, though, and you can't partner up with other companies that do it for you. It doesn't matter if you're tracking IP addresses, cookies, passive fingerprints, or some kind of supercookie; you need a legitimate reason or explicit consent to process that kind of information.
> Yes, but the IP itself is not personal without the connection to other information.
By this argument, isn't the same true of a physical home address?
> I do think considering IP address personal is a bit of a reach, especially given the common case of ephemeral addresses.
Except that isn't strictly "the common case". DHCP leases are often for long-ish periods of time on fixed line broadband services. The IP for my home router, for example, has been the same for weeks or months at a time.
