That's literally the definition, it's in the name. If it can be used to personally identify you in any way, it's PII. Yes, IP addresses are PII and there's nothing that prevents you from storing PII for reasonable amounts of time (i.e., to process a packet, a purchase, or fulfill a contract). Where you get into trouble with various laws is when you store them for other purposes (such as in logs) and use them in ways they weren't intended (such as analytics) -- especially if you don't tell the person you're using it in that way. That last part is usually the basics of what is required. Not disclosing it is a sure way to find yourself in hot water, eventually. Most regulators don't seem to care atm, or are targeting big companies. I'm not a lawyer, but I've worked on software in this field, so take what I say with a grain of salt.
I think the point being made is that there are two classes of information: 1. That which helps distinguish a single human being as distinct from another. 2. That which provides you with some useful knowledge about that human being.
Knowing an IP address can distinguish user A from user B, but unless you know something else about A vs. B, what's the point?
Knowing an IP address is useless information, until you have a database linking IP addresses to geolocation. Knowing my address is useless information, until you have a map. Knowing my name is useless, until you have Google. Knowing my user id is useless, until you have a leaked database (or other vulnerability).
These are all PII, because they're useless until you have some other information, and then they deanonymize you.
There's a lot of confusion here. You need to read the GDPR carefully. The GDPR is the only source that explicitly mentions IP, and even they distinguish IP as "personal data", not "personally identifiable data." No other privacy legislation on the planet considers IP to represent any kind of PII.
I will reiterate my point. It is impossible to operate the internet or any other network where a server must distinguish between two or more client without some kind of identifier for session management. Just think about it.
I am literally face palming so hard right now. I also wish I'd seen this reply earlier.
The GDPR never mentions "personally identifiable data" as that is a US term. In the GDPR, it only says "personal data" which is the exact same thing according to the GDPR.
