[kcartlidge]

This is so wrong.

All data that is collected whilst a user is anonymous was done so under the condition of anonymity. Breaking that anonymity by assigning unknown-user data to the now-known user is retroactively changing that user's consent without getting their agreement. Like saying "I know you chose not to be tracked, but now we've had some interaction with you we don't think you meant it". But on what basis?

Not only is this morally/ethically incorrect, it is probably illegal as it is a clear violation of data collection laws. Consent was not given for those prior activities to be tracked. Current consent does not change that.

Edit: Even the suggestion that the stitching together of the data could use the non-PII that was obtained does not get around the fact that permission was not given and by joining the sessions/activity that way you would in fact be de-anonymising (non-PII gets associated with PII).