Hacker News | sheeper's comments

Another note... Per 1798.140(c)(1)(B), CCPA applies to a business that receives PII of >=50k consumers for the business’ commercial purposes. Which might not apply to access logs kept purely for diagnostic purposes.


A commercial purpose of ours is keeping the web site up.


It's not possible to one-way hash a 32-bit IP address. A hash of a 32-bit value can always be reversed because the search space is so small.


Store only the first 16 bits of the hash maybe?


Google Analytics is supposedly GDPR compliant when they store only the first 3 octets, un-hashed.

However I'm not sure myself it makes sense. Some people will be identified by just a partial IP or even a partial hash.
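Added example, not part of any comment in this thread: a sketch of the three storage options discussed above (full hash, hash cut to 16 bits, first 3 octets). It assumes an unsalted SHA-256 over the dotted-quad string, uses a constructed documentation-range address, and searches only a /16 to stay fast; the full 2^32 space is the same loop run longer. All function names are hypothetical.

```python
import hashlib
import ipaddress

SAMPLE_IP = "203.0.113.77"       # constructed sample (documentation range)
SEARCH_NET = "203.0.0.0/16"      # assumption: search limited to one /16


def ip_hash(ip: str) -> str:
    """Unsalted SHA-256 of the address string (assumed storage scheme)."""
    return hashlib.sha256(ip.encode()).hexdigest()


def reverse_hash(stored: str, network: str) -> list[str]:
    """Enumerate `network` and return every address whose hash starts
    with `stored`. `stored` may be a full digest or a truncated prefix."""
    return [str(addr) for addr in ipaddress.ip_network(network)
            if ip_hash(str(addr)).startswith(stored)]


def expected_bucket_size(kept_bits: int) -> int:
    """Average number of IPv4 addresses sharing one truncated hash value."""
    return 2 ** 32 // 2 ** kept_bits


def truncate_ip(ip: str) -> str:
    """Keep the first 3 octets and zero the last one."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


if __name__ == "__main__":
    full = ip_hash(SAMPLE_IP)
    # Full digest: enumeration recovers exactly one address.
    print("full hash ->", reverse_hash(full, SEARCH_NET))

    # First 16 bits (4 hex chars): the real address is still a candidate,
    # but it now shares its value with other addresses.
    short = full[:4]
    print("16-bit hash ->", reverse_hash(short, SEARCH_NET))
    print("avg addresses per 16-bit value:", expected_bucket_size(16))

    # First 3 octets, un-hashed: 256 addresses share each stored value.
    print("3 octets ->", truncate_ip(SAMPLE_IP))
```

The candidate sets for the truncated forms are averages over all of IPv4; anything else stored in the same log line can narrow them.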


Who cares if it’s trivially hackable; we’re talking about a legal checkbox that you have to tick.


A reversible hash "could reasonably be linked" with the plaintext. You can't get around the law on technicalities. Judges are not computers.


> You can't get around the law on technicalities.

Simply out of curiosity, what do you mean by that?

All my life experience and knowledge tells me it's exactly how you get around the law, unless the court has its own agenda or strong bias.



I do. People treating privacy protections as "legal checkbox that you have to tick" are the reason regulations like this show up in the first place.


CCPA will probably be amended at least once more before it goes into effect. If you feel that it shouldn't apply to non-membership website operators who merely log IP address and requested URL... consider writing to your California State Assemblymember and California State Senator, and possibly to the California Attorney General who will be publishing guidance regarding CCPA.

Amusingly enough, California consumers will not have privacy rights regarding any written comments sent to the California Attorney General.

