Easy. It is already forbidden by GDPR without consent. Contrary to popular belief the GDPR does not mandate anything about cookies, it talks about personal information, if you collect it through cookies or some intricate system of pulleys and levers doesn't matter at all.
Simplified it says: if you collect personal information, you need to ask for consent. If someone doesn't consent they must not receive degraded service. Now there has been a ruling that the Do Not Track info users send you shall be honored by you (duh).
This is true regardless of how you technically do it. So UUID URLs are okay, storing which IP addresses shared a UUID link with which other IP without consent is not.
I think some in the IT world need to finally stop making excuses and stop coming up with new illegal ways of tracking users on a personal level. Just use the same creative energy for finding ways of pseudonymizing and anonymizing users (where possible — depending on what you are collecting deanonymization might always be possible).
Nobody here is talking about collecting personal information except you either. The goal is simply to track the amount of sharing various pages experience.
And how do you track that amount of data without collecting the datum of which user shared what to whom? Sure you could anonymize it etc., but by that point you already processed data that has been ruled personal data without consent.
The truth is that we had some rulings on what is considered personal data and what isn't and IP addresses, even parts of them can be regarded as such. Now you and I might think this is silly etc., but if we write software for corporations that have to pay fines as a fraction of their total revenue, not knowing that can easily ruin our lives.
And I am merely reflecting the way how these laws have been interpreted and ruled on so far in the comment section for an article on, well another ruling by a court. Legal reality, like physical reality doesn't go away if you close your eyes.
For one, it'd be a potential way to maintain a sophisticated full-conversion lifetime A/B testing setup with no PII of any sort ever hashed/retained. No IP addresses required, or anything else.
Just counting the times someone requested that particular UUID could indeed work — provided you don't store which IP requested that UUID-endpoint anywhere on your webserver or elsewhere, because then we could infer that relationship again. So this sounds like a good idea.
Is this what you originally meant?
Nonetheless I hope you can see in which way the whole thing is still deeply connected to the legal question of how one can still learn about their service without tracking single users when they don't give their consent, maybe now even via DNT header.
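An added example, not part of the thread: one way to implement the aggregate-only counting discussed in the comment above, keeping only a per-day hit count per share UUID and discarding the client IP, user agent, referrer and exact time of each request. The `/s/<uuid>` URL scheme, the combined access-log format and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed share-link scheme /s/<uuid> and combined log format (hypothetical).
UUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
LINE_RE = re.compile(
    r'\[(\d{2}/\w{3}/\d{4}):[^\]]+\] '               # keep the day, drop time
    r'"(?:GET|HEAD) /s/(' + UUID + r')(?:\?[^ "]*)? HTTP/[\d.]+" (\d{3})'
)

def count_shares(lines):
    """Return Counter{(day, uuid): hits} built from raw access-log lines.

    Only the day bucket and the lower-cased UUID leave this function; the
    client IP, user agent, referrer and exact timestamp are never copied
    into the result, so nothing retained links a request to a client.
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue                      # not a share-link request
        day, share_id, status = m.group(1), m.group(2).lower(), m.group(3)
        if status != "200":
            continue                      # ignore misses and errors
        counts[(day, share_id)] += 1
    return counts

# Constructed sample input (documentation IP ranges, made-up UUIDs).
A = "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b"
B = "A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D"
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2024:10:15:32 +0000] "GET /s/{A} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - [12/Mar/2024:11:02:07 +0000] "GET /s/{A}?ref=mail HTTP/1.1" 200 512 "-" "curl/8.0"',
    f'203.0.113.7 - - [13/Mar/2024:09:00:00 +0000] "GET /s/{A} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - [12/Mar/2024:11:05:44 +0000] "GET /s/{B} HTTP/1.1" 200 734 "-" "curl/8.0"',
    f'203.0.113.9 - - [12/Mar/2024:12:00:00 +0000] "GET /s/{A} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (day, share_id), hits in sorted(count_shares(SAMPLE_LOG).items()):
        print(day, share_id, hits)
```

The counter only helps if the raw access log it reads is not itself retained with client addresses, which is the condition the comment states.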