> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If the tracking id cannot be correlated to a name, identification number, precise location data (not country level), then it's not PII as far as the law is concerned. The criteria is clear: "relating to an identified or identifiable natural person". There is no way that simply a session ID stored in a cookie can be traced to an identity IRL.
I fell that I know what I'm talking about as I designed and implemented an customer authentication system for a medium-sized company that is based in EU, needs to respect GDPR, and I worked closely with their lawyers and operations to make sure we are fully GDPR compliant, and we passed the relevant audits.
The word indirectly in "who can be identified, directly or indirectly" seems like it opens everything up. A session ID isn't directly PII, but it can be linked a user account and from there someone's name, address, etc.
Which is still not PII. More importantly, 3rd party advertising cookies CANNOT be linked to a user account if you don't have code that stores them in your environment. CAN has a very limited meaning, whereas it requires all the preconditions to be true (i.e. I'm storing both 3rd party cookie ID, AND session ID, AND the tables have a correlation), it does not mean "COULD if more code was written".
> and from there someone's name, address
Only if you ask for AND store those. If you're asking for example for a real name and address for an e-commerce transaction, and you're passing them to the card processor, and not saving them anywhere, not even in logs, then you're not storing PII, and you CANNOT link tracking cookies and session ID to data.
Don't get me wrong, I'm still using Firefox containers, and uBlock Origin, and pi-hole, so I totally don't like to get tracked, even if anonymous. But the tendency on HN to label anything that could be used to track a user as PII is actually damaging, because it creates false expectations about how the law actually works and how much somebody is protected.
> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If the tracking id cannot be correlated to a name, identification number, precise location data (not country level), then it's not PII as far as the law is concerned. The criteria is clear: "relating to an identified or identifiable natural person". There is no way that simply a session ID stored in a cookie can be traced to an identity IRL.
I fell that I know what I'm talking about as I designed and implemented an customer authentication system for a medium-sized company that is based in EU, needs to respect GDPR, and I worked closely with their lawyers and operations to make sure we are fully GDPR compliant, and we passed the relevant audits.