Post process the bloody logfile on a regular basis. You can legitimately capture IPs etc for a while, provided that it is for a good reason - fixing a problem, or gathering aggregate trends but not for direct marketing reasons against individuals who have not given consent. So, your logrotate.d/ might get a few post/pre rotate scripts, if it really bothers you.
I run a small UK based IT firm. So far I've turned down some of the logging on my HA Proxy instances and stopped logging IPs and user agents in general and a few other things. If I need to do some diags then I'll turn them on again. That's on the long term stored logs (due to backups). So far, my backups are smaller 8)
I do keep very detailed logs with IPs (actually full packet capture) in the ES cluster for IDS purposes but those are turned over (deleted) within a few hours. Less detailed logs last a lot longer.
