by cedricd 1835 days ago
The identifier on the URLs isn't meant to identify the actual user, I think.

If you look at the examples given they're more like identifiers to something else -- an order id or subscription id.

Wouldn't tracking something like an order (but not the user directly) be ok with GDPR?

2 comments

They are using (in the example) an order number as a proxy to identify and track the actual user. From the article: "Simply look up the user from the identifier, note the anonymous id, and replace the anonymous id with a real user in the data."

At this point the tracking of the online identifier has certainly passed the threshold into tracking an individual for reasons not directly related to the service.

https://gdpr.eu/article-4-definitions/

"1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

The order number in this case falls under "an identification number" and "an online identifier" at the very least.

"2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"

What is happening is at the very least processing, recording, storing, dissemination, combination of that data.

A company may store both customer data and order data and keep them under GDPR, because a particular customer provided it knowingly. The important piece is when a customer asks to be removed, the company must remove their customer data (e.g. their name and address) but the order information can remain orphaned in order to do analyses on revenue, orders, etc. The right to be forgotten is ONLY about customer data, not related anonymized identifiers that tie back to the previous customer's order history.

Actually even the personal details associated with the order often must be kept even if a person requests their removal. The GDPR doesn’t trump other financial, consumer protection, and anti-fraud laws.

Example: if you buy a lawnmower, the seller may be required to notify you of any safety recalls for many years (depending on location). GDPR does not change this requirement for saving personal contact data with the order data, even if the buyer later says “forget me”.