[Y-bar]

Why do you talk about consent with regards to cookies only? GDPR deals with so much more with regards to tracking and identifiable information.

For example this quote from the article: "Add a unique identifier to all urls on your site when you know who the user is."

I don't see how our legal would allow us to do this with European customers without explicit opt-in consent since this kind of tracking and data processing cannot be deemed a legitimate requirement for the core function of the service.

If the same service can be given to the visitor without the unique identifier in the URL, then I see no way to avoid asking for consent.

https://gdpr.eu/recital-30-online-identifiers-for-profiling-...

[gizdan]

Because most people haven't read GDPR or similar laws, and play it by the ear. Considering GDPR is often called the cookie law means people who dom't read the law, and don't hire lawyers end up doing things like this.

What is the EU going to do anyway? I've yet to see any meaningfull challenge from EU about GDPR.

[cedricd]

The identifier on the urls isn't meant to identify the actual user I think.

If you look at the examples given they're more like identifiers to something else -- an order id or subscription id.

Wouldn't tracking something like an order (but not the user directly) be ok with GDPR?

[Y-bar]

They are using (in the example) an order number as a proxy to identify and track the actual user. From the article: "Simply look up the user from the identifier, note the anonymous id, and replace the anonymous id with a real user in the data."

At this point the tracking of the online identifier has certainly passed the threshold into tracking an individual for reasons not directly related to the service.

https://gdpr.eu/article-4-definitions/

"1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

The order number in this case falls under "an identification number" and "an online identifier" at the very least.

"2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"

What is happening is at the very least processing, recording, storing, dissemination, combination of that data.

[garciasn]

A company may store both customer data and order data and keep them under GDPR, because a particular customer provided it knowingly. The important piece is when a customer asks to be removed, the company must remove their customer data (e.g. their name and address) but the order information can remain orphaned in order to do analyses on revenue, orders, etc. The right to be forgotten is ONLY about customer data, not related anonymized identifiers that tie back to the previous customer's order history.

[tatersolid]

Actually even the personal details associated with the order often must be kept even if a person requests their removal. The GDPR doesn’t trump other financial, consumer protection, and anti-fraud laws.

Example: if you buy a lawnmower, the seller may he required to notify you of any safety recalls for many years (depending on location). GDPR does not change this requirement for saving personal contact data with the order data, even if the buyer later says “forget me”.