I think this scheme still requires consent since you are processing pseudo anonymous identifiers that fall under personal information without the essential function basis. Hashing is considered insufficient under the GDPR iirc. Have you asked a lawyer about this?