Online Identifier

An online identifier is any data that can identify or make identifiable a natural person in the online environment. Under the GDPR, online identifiers are explicitly recognized as personal data when they can single out individuals or link them to other information. Common examples include IP addresses, cookie identifiers, RFID tags, device IDs (like IMEI or MAC addresses), advertising identifiers (like Apple's IDFA or Google's GAID), user account numbers, and social media handles. The significance of online identifiers has grown with digital tracking capabilities—even seemingly random strings can become identifying when combined with other data points through profiling. The GDPR specifically mentions that processing online identifiers may create risks to individuals' rights and freedoms, particularly when combined with unique identifiers received from devices, applications, or tools. This classification means businesses must apply GDPR protections to online identifiers, including lawful basis requirements, transparency obligations, and security measures. The distinction matters because many companies previously considered such identifiers as anonymous or non-personal, but modern tracking and analytics capabilities have made that assumption outdated.