This is how I understand GDPR as well. Just hashing the IP address along with other static values is too easy to reverse and not considered anonymization under GDPR.
For https://plausible.io we added a daily salt to the hash for this exact reason. By deleting the salt at the end of each day, the hash becomes impossible to reverse and visitor data can be considered anonymous.
We lose unique visitor tracking beyond one day, but for most sites this is a small price to pay to remove annoying consent banners.
Website owners are still sending visitors IP-addresses your way. They have to trust you to do the hashing and deleting the salt (and pepper?) and not delivering data to others (4th party).
I thought that "CNAME cloacking" was already addressed by uBlock and most similar tools last year already? I don't think it's a very effective method to bypass them.
In goatcounter the whole CNAME thing was just intended as a cute "shortcut" so you can have "stats.example.com"; I assumed that all adblockers would deal with that correctly, and it was never intended as a way to bypass them (and certainly never advertised as such).
As for "selling IP address", how do you know "blog.example.com" isn't just collecting and selling that? Or HN for that matter?
For https://plausible.io we added a daily salt to the hash for this exact reason. By deleting the salt at the end of each day, the hash becomes impossible to reverse and visitor data can be considered anonymous.
We lose unique visitor tracking beyond one day, but for most sites this is a small price to pay to remove annoying consent banners.