by legitster 2627 days ago
Here's an issue we ran into when implementing GDPR: marketing software keeps a database of people who have opted out, so even if that email address shows up again, we don't risk spamming them. But if they opt out now, under GDPR we have to delete them completely, even from the opt-out list. So we can't remember not to email or track you.

The author also points out the double set of cookies, which is how most sites deal with tracking. One set of cookies that do not collect PII, that just tell the other set of cookies to turn on or off.

I respect that the writers of GDPR did not confer with the industry insiders beforehand. However, with how poorly some of it understands the technology (implementation of cookies is a great example), I wish they would have had a bit more understanding and drafted a better bill.


Uh? Couldn't a hash be used for that?

According to our counsel, even encrypted or hashed data was still counted as PII, as those are security measures, not privacy measures.

I mean, trust your counsel over some random guy on the internet (me), but I would seek a second opinion on this from a technologically savvy lawyer.

There are absolutely implementations available that will allow you to have a hash, not tied to other data, sitting in your opt-out list that you then check other hashes against. No PII in the mix.

If I got the hash database I could absolutely test whether specific people were in it, and I could probably reverse a large number of them with dictionary based attacks.

There are no completely robust options where you can claim that this data cannot compromise personal privacy, so I guess from a legal perspective it doesn't stop it being PII.
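The two points above (a hash-only suppression list, and the observation that such a list can be tested and largely reversed with a dictionary of guessed addresses) can be shown end to end. The following is an added example written for this page, not code from any commenter or from any marketing product. It builds an opt-out list from constructed sample addresses, shows that an unkeyed SHA-256 list lets anyone holding just the list recover members by hashing guesses, and contrasts it with an HMAC-keyed list where the secret key lives outside the database. The keyed variant is my addition, not something the thread proposes: it only stops guessing by someone without the key; the key holder can still test membership, and whether that is enough to take the list out of PII territory is the legal question the thread leaves open.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: addresses that have opted out (not from the thread).
OPTED_OUT = ["alice@example.com", "bob@example.org", "carol@example.net"]

# Constructed "dictionary" of guesses: common local parts x common domains.
CANDIDATES = [
    f"{user}@{domain}"
    for user in ("alice", "bob", "carol", "dave")
    for domain in ("example.com", "example.org", "example.net", "gmail.com")
]


def normalize(email: str) -> str:
    """Canonicalize before hashing so case/whitespace variants hit the same record."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address: the scheme the thread discusses."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is stored outside the opt-out database."""
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def build_optout_list(emails, hasher):
    """The suppression list holds only digests, never the addresses themselves."""
    return {hasher(e) for e in emails}


def is_opted_out(email, optout_set, hasher):
    """The check a mailer runs before sending: hash the address and look it up."""
    return hasher(email) in optout_set


def dictionary_recover(optout_set, candidates, hasher):
    """What someone holding only the digest list can do: hash guesses and compare.

    Returns the guessed addresses whose digest appears in the list, i.e. the
    members that a dictionary of plausible addresses reveals."""
    return sorted(c for c in candidates if hasher(c) in optout_set)


def demo():
    # Unkeyed list: every guessed address that is really a member is recovered.
    plain = build_optout_list(OPTED_OUT, plain_hash)
    recovered_plain = dictionary_recover(plain, CANDIDATES, plain_hash)

    # Keyed list: the key never ships with the database, so an outsider can only
    # try unkeyed digests, and none of them match.
    key = secrets.token_bytes(32)
    keyed = build_optout_list(OPTED_OUT, lambda e: keyed_hash(e, key))
    recovered_keyed = dictionary_recover(keyed, CANDIDATES, plain_hash)

    # The service itself, holding the key, still gets a working suppression check,
    # including against a differently-cased spelling of the address.
    still_works = is_opted_out("Alice@Example.com", keyed, lambda e: keyed_hash(e, key))
    return recovered_plain, recovered_keyed, still_works


if __name__ == "__main__":
    recovered_plain, recovered_keyed, still_works = demo()
    print("recovered from unkeyed list:", recovered_plain)
    print("recovered from keyed list:  ", recovered_keyed)
    print("keyed suppression check still works:", still_works)
```

The unkeyed run recovers all three constructed members from a sixteen-entry guess list, which is the reversal the comment describes; email addresses are low-entropy, so a real dictionary built from common names and domains would do the same at scale. The HMAC variant moves the guessing problem from "anyone with the table" to "anyone with the table and the key", which is a meaningful operational improvement but, as the thread notes, not a proof that the list can no longer identify anyone.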