
The word indirectly in "who can be identified, directly or indirectly" seems like it opens everything up. A session ID isn't directly PII, but it can be linked to a user account and from there someone's name, address, etc.



> can be linked to a user account

Which is still not PII. More importantly, 3rd party advertising cookies CANNOT be linked to a user account if you don't have code that stores them in your environment. CAN has a very limited meaning, whereas it requires all the preconditions to be true (i.e. I'm storing both 3rd party cookie ID, AND session ID, AND the tables have a correlation), it does not mean "COULD if more code was written".

> and from there someone's name, address

Only if you ask for AND store those. If you're asking, for example, for a real name and address for an e-commerce transaction, and you're passing them to the card processor, and not saving them anywhere, not even in logs, then you're not storing PII, and you CANNOT link tracking cookies and session ID to data.

Don't get me wrong, I'm still using Firefox containers, and uBlock Origin, and pi-hole, so I totally don't like to get tracked, even if anonymous. But the tendency on HN to label anything that could be used to track a user as PII is actually damaging, because it creates false expectations about how the law actually works and how much somebody is protected.



