“The GDPR expressly calls out that individuals “may be associated with” online identifiers such as IP addresses and cookie identifiers, and that these may – particularly when combined with other information – be used to identify individuals and to create profiles connected with them.
The Regulation doesn’t go as far as expressly stating that all information linked to a particular IP address or cookie ID must necessarily be treated as “personal data”. Rather, the test under the definition of “personal data” is whether a natural person “can be identified, directly or indirectly, in particular by reference to an identifier such as… …an online identifier”. So those who say they can offer data or serve ads on a “unique user” basis may be on the back foot in seeking to argue they are not processing personal data, even if they don’t know the names of the individuals involved.” – Osborne Clarke, February 2nd 2016
The team at Osborne Clarke have complied this brilliant article on GDPR and its implications. Using a combination of UK and European based legal experts they have given much needed interpretation and guidance to these new laws and tackled some of the most vague and contentious issues so far.
Of particular note are the sections on GDPR’s geographic scope, legitimate interest, and advice on successfully implementing changes to privacy policies.