[Msurrow]

Its pretty simple I think. You can collect, store, process, track, do whatever with data as long as that data cannot be used to identify the single individual person that produced that data.

If on the other hand the data you want to collect or track can identify a person, you should ask this person if (s)he is okay with it before you do it.

Seems fair enough to me. And it could be me your website was tracking.. or, you that my website was tracking

[Nextgrid]

One thing to watch out for with this reasoning is that there are a lot of data points which are innocent by themselves, but can produce a high-accuracy fingerprint when combined together. For example, browser, language, screen resolution, timezone, etc. By themselves none of these would identify anyone uniquely, but the combination might be enough to target a single user with very high accuracy.