I mean, trust your counsel over some random guy on the internet (me), but I would seek a second opinion on this from a technologically savvy lawyer.
There are absolutely implementations available that will allow you to have a hash, not tied to other data, sitting in your opt-out list that you then check other hashes against. No PII in the mix.
If I got the hash database I could absolutely test whether specific people were in it, and I could probably reverse a large number of them with dictionary-based attacks.
There are no completely robust options where you can claim that this data cannot compromise personal privacy, so I guess from a legal perspective it doesn't stop it being PII.
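
An added sketch, not part of the thread above, of the trade-off under discussion: an opt-out list of plain hashes confirms any address its holder can guess, a keyed (HMAC) list does not unless the key is also exposed. The addresses, key and function names are constructed for illustration, and the key is assumed to be stored separately from the list.

```python
import hashlib
import hmac

def normalize(email: str) -> str:
    # Same canonical form on insert and lookup, or matches silently fail.
    return email.strip().lower()

def plain_hash(email: str) -> str:
    # Unkeyed SHA-256: anyone can recompute it for any address they can guess.
    return hashlib.sha256(normalize(email).encode()).hexdigest()

def keyed_hash(email: str, key: bytes) -> str:
    # HMAC-SHA-256: recomputing a hash requires the secret key.
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()

def is_opted_out(email, optout_hashes, hasher) -> bool:
    # The legitimate lookup: hash the incoming address and compare.
    return hasher(email) in optout_hashes

def exposed_entries(leaked_hashes, guesses, hasher):
    # Privacy review: which guessed addresses does a copy of the list confirm?
    return sorted(g for g in guesses if hasher(g) in leaked_hashes)

# Constructed sample data.
OPT_OUTS = ["alice@example.com", "Bob@Example.org"]
GUESSES = ["alice@example.com", "bob@example.org", "carol@example.net"]
KEY = b"constructed-demo-key"  # assumption: kept apart from the hash list

def with_key(email: str) -> str:
    return keyed_hash(email, KEY)

PLAIN_LIST = {plain_hash(e) for e in OPT_OUTS}
KEYED_LIST = {with_key(e) for e in OPT_OUTS}

if __name__ == "__main__":
    # Plain list: every opted-out address on the guess list is confirmed.
    print("plain list:", exposed_entries(PLAIN_LIST, GUESSES, plain_hash))
    # Keyed list without the key: nothing is confirmed.
    print("keyed list, no key:", exposed_entries(KEYED_LIST, GUESSES, plain_hash))
    # Keyed list with the key also exposed: same exposure as the plain list.
    print("keyed list, key exposed:", exposed_entries(KEYED_LIST, GUESSES, with_key))
```

The third case is why the keyed list narrows the exposure rather than removing it: the protection is only as good as the separation between the list and the key.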