Here are my questions followed by some more information.
We are using the Measurement Protocol to send custom event data to our Google Analytics account. All of the data is being sent via PHP cURL from the server. We have 3 different views setup in our account, (View #1) a view that is completely unfiltered, (View #2) another view that is filtering out internal traffic via IP addresses, and a final third view (View #3) for testing purposes.
View #2's filters have stopped working since we moved to this method of sending the event data to Google. I imagine that is because the requests are now coming from the server's IP address instead of each specific user. I have been told about a field that you can use to send the user's IP address to Google, the field is labeled "uip" however Google anonymizes this data and does seem to use it for filtering the views (what would the purpose of this field be then?).
I have a custom dimension setup in which I am sending a hashed IP address (as I am not sure if an IP is considered PII) I am then filtering the reports on those specific hashes ... however this leaves me unable to filter out IP ranges ... certain bot traffic can originate from different ranges of IP addresses and I would be unable to filter them from the reports.
I have been scouring the internet to try to determine whether or not it is a privacy concern for me to simply store the user IP (unhashed) in a custom dimension and setup our filtering rules based on that. This would allow me to create regex that filters out entire ranges of IP's. Most of the articles that say an IP is PII refer to Google's Universal Analytics Guidelines: https://support.google.com/analytics/answer/2795983 - but I have been all over those articles and I cannot see Google specifically stating anywhere whether or not an IP is PII.
Thank you for your time.
For the question of hashed vs. unhashed values - Google has two different policies on the question of hashing (as I only found out when I was researching your question).
For the question if IPs are PIIs - Google at document on "Best practices to avoid sendig PII":
which does not mention IP addresses. However Google does take some trouble to protect IP addresses (e.g. automatically anonymizing, not exposing them in the interface) so I'd suggest (based on gut feeling, not anything binding) that you do the same and at least hash them with a salted hash 8and filter by the hash).
Also part from the Google TOS there are national laws to consider (don't know where you are doing business, I live in Germany and here IP addresses are definitively PII. I think this is true for the rest of the EU as well).