For Bluetooth Low Energy (BLE), this site mostly explains the problem:
To safeguard user privacy, manufacturers can make use of a Bluetooth Smart feature known as “LE Privacy.” This feature causes the MAC address within the advertising packets to be replaced with a random value that changes at timing intervals determined by the manufacturer. Any malicious device(s), placed at intervals along your travel route, would not be able to determine that the series of different, randomly generated MAC addresses received from your device actually relates to the same physical device. It actually looks like a series of different devices, thus, it will not be possible to track you using the advertised MAC address.
On Stack Overflow, this might be interesting:
To my knowledge, all current iPhones implement this, and so do many Android devices (newer than 8.0).
And yes, this is only 24 bits of randomness. This can be assumed to be enough. Since your device changes its MAC regularly, a sniffer has a chance of 1 / 16.777.216 to guess what your next MAC is.
This (24 bits) is not enough for encryption, but this is not the problem to solve here.
For more information you can also look into the Bluetooth Core Spec, section 5.4.5:
Also note that a bonded device is capable of resolving the random MAC to the permanent (public) MAC.
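An added example (not part of the original answer) of how a resolvable private address is built and how a bonded device resolves it, following the `ah` random address hash defined in the Bluetooth Core Specification. The names `NewRPA` and `Resolve` and the sample IRK are made up for illustration; addresses are handled in display order, most significant byte first.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// ah is the Core Specification's random address hash: AES-128 under the IRK
// over the zero-padded 24-bit prand, keeping the low 24 bits of the output.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	block, _ := aes.NewCipher(irk[:]) // a 16-byte key is always accepted
	var in, out [16]byte
	copy(in[13:], prand[:])
	block.Encrypt(out[:], in[:])
	return [3]byte{out[13], out[14], out[15]}
}

// NewRPA builds a resolvable private address, prand || ah(IRK, prand).
func NewRPA(irk [16]byte) (addr [6]byte, err error) {
	var prand [3]byte
	for r := uint32(0); r == 0 || r == 0x3fffff; { // random part must not be all 0s or all 1s
		if _, err = rand.Read(prand[:]); err != nil {
			return addr, err
		}
		prand[0] = prand[0]&0x3f | 0x40 // top two bits 0b01 mark the address as resolvable
		r = uint32(prand[0]&0x3f)<<16 | uint32(prand[1])<<8 | uint32(prand[2])
	}
	h := ah(irk, prand)
	return [6]byte{prand[0], prand[1], prand[2], h[0], h[1], h[2]}, nil
}

// Resolve reports whether addr was generated under irk (the bonded peer's check).
func Resolve(irk [16]byte, addr [6]byte) bool {
	if addr[0]>>6 != 1 {
		return false // not a resolvable private address
	}
	hash := ah(irk, [3]byte{addr[0], addr[1], addr[2]})
	return subtle.ConstantTimeCompare(hash[:], addr[3:]) == 1
}

func main() {
	irk := [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16} // constructed sample key
	for i := 0; i < 3; i++ {
		a, _ := NewRPA(irk)
		fmt.Printf("% X  bonded=%v stranger=%v\n", a[:], Resolve(irk, a), Resolve([16]byte{}, a))
	}
}
```

Each run prints three unrelated-looking addresses that only the holder of the IRK can link to the same device.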