There's a HUGE important aspect that you're missing: The IP Address is NOT the only thing that makes this data into personal data.
Google Analytics generates a visitor ID by rolling a random number and storing it in a first-party cookie. This is how GA tells that two visits a week apart came from the same user. This value has been ruled to constitute Personal Data. This is a very big deal, and only a little bit surprising.
> The IP Address is NOT the only thing that makes this data into personal data.
Can you cite a reference for that? I fully believe that Google is using cookies for this, but that doesn't mean that the legal authority here isn't making the judgment on IP address alone. I believe a recent GDPR decision against Google Fonts was based on IP address alone. [0]
The Google Fonts case was decided based on the transmission of the full IP address in a jurisdiction (Germany) where there are ways to identify a user by means of that address. CNIL's press release follows a decision by the Austrian data protection authority where the Google Analytics cookies were at issue.
If you can read German, you can look at the Austrian decision directly; the complainant has uploaded it at [1], and the relevant section is D.2 b), starting at page 27.
> In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.
This is an accurate description of GA's pseudonymous identifier. It is not accurate as a description of an IP address. And if CNIL meant the IP Address, they would have said so, as they did in other rulings.
Google Analytics generates a visitor ID by rolling a random number and storing it in a first-party cookie. This is how GA tells that two visits a week apart came from the same user. This value has been ruled to constitute Personal Data. This is a very big deal, and only a little bit surprising.