Analysis of GDPR Article 4(1) and Recital 30 establishes that online identifiers are explicit forms of personal data when they allow the identification of a natural person. The regulation text notes: “an identifier could be ‘a name, an identification number, location data, an online identifier’” (GDPR, Art. 4(1)). Recital 30 further clarifies that these include data “provided by devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags” (GDPR, Recital 30).
Results indicate that online identifiers have become increasingly significant due to the proliferation of digital technologies. Key findings from empirical literature and regulatory guidance include:
- Internet Protocol (IP) address: IP addresses assigned to devices are widely recognized as personal data under GDPR, since they can identify individuals directly or indirectly.
- Internet cookies: Persistent cookies can store unique values tied to user activity, enabling profiling and tracking. The Article 29 Data Protection Working Party (WP29) confirms cookies as online identifiers (WP29 Opinion 02/2013).
- Beacons and pixel tags: These mechanisms collect data about website visits and user interactions, often in conjunction with cookies or device information.
- Mobile ad identifiers: Unique advertising IDs on smartphones enable cross-app and cross-site user tracking.
- Device fingerprints: Methods of aggregating browser and device characteristics to uniquely identify hardware/software configurations.
- RFID tags: Small electronic devices storing data that, when combined with other information, may enable identification.
The aggregation of such identifiers over time, especially when combined with other data points (e.g., account credentials, device metadata), poses a significant risk for re-identification—even when individual identifiers do not, on their own, reveal a person’s identity. This aligns with the “singling out” criterion discussed in the CJEU Breyer case (C-582/14), which clarified that dynamic IP addresses may constitute personal data under certain circumstances.
In summary:
- Online identifiers under GDPR encompass a wide range of technical markers, including but not limited to IP addresses, cookies, device fingerprints, and RFID tags.
- These identifiers are classified as personal data when they can directly or indirectly lead to the recognition or singling out of an individual.
- The combination of online identifiers with other unique markers increases the likelihood and risk of identification, necessitating robust compliance and privacy protection strategies.
