Again. You could literally try and read the law. After all, it's only been around for 9 years.
--- start quote ---
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right.
...
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally.
...
(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
...
(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system.
...
(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person.
...
(32)
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
You keep saying to read the law, but did you? "The law literally doesn't talk about cookies." It does:
> (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
That is why: "In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used."
That it also applies to things "such as" RFID tags isn't really that interesting. The salient part is identifiers. Because fingerprinting turns that into a mess.
Is your browser user agent string an "identifier"? It generally isn't unique, and requiring explicit consent to process it would cause a lot of trouble, but that and a few other things you could say the same thing about are collectively enough to be uniquely identifying.
Which is something different which they apparently hadn't considered and it's not clear how it's supposed to work. Do they become an identifier as soon as you have enough of them to uniquely identify someone? How do you even know when that threshold is passed? Does it require you to actually use them as an identifier, or is it enough just to have them because then they could be used retroactively? What if you provide a non-identifying subset of them to a third party in another jurisdiction who collects others from someone else and then combines them without explicitly notifying you?
