UKDPA 2018 says:
171 Re-identification of de-identified personal data
(1) It is an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data.
(2) For the purposes of this section and section 172—
(a) personal data is “de-identified” if it has been processed in such a manner that it can no longer be attributed, without more, to a specific data subject;
(b) a person “re-identifies” information if the person takes steps which result in the information no longer being de-identified within the meaning of paragraph (a).
which is pretty clear.
iOS and Android devices have an advertising ID which is unique to the device; so does Windows 10. However, unless the user willingly provides additional information identifying themselves when they hit your website, it surely counts as pseudonymised data – with Apple/Google/Microsoft as the data controller.
However, since the ID is consistent across all interactions with the same device, identifying the user (or building a data set that would permit identification of the user) would be trivial. You’ve only to take user-supplied information from site A and apply it to site B’s advertising ID tracking, right?
The Apple/Google/Microsoft terms of service forbid this – see Google Play, for example. So it’s pretty clear that any such activity would be without the consent of the controller.
“identify anonymous website visitors” gets 22,900,000 results in Google. The top 10 results are all companies offering to de-anonymise visitors to your website. Obviously I don’t know how they’re doing this, and I’m sure they’ve all had appropriate legal advice and are fully compliant with UK law as well as the Ts&Cs of the big platforms. I mean, what with it being a criminal offence and all…
A bigger picture 