Digital-footprint literacy
What Counts as an Online Identifier?
The hidden tags that follow you around the web — IP addresses, cookie IDs, advertising IDs and device fingerprints — explained calmly, with why they count as your own personal data under UK GDPR.
In short
An online identifier is any digital tag that can single you out online — such as an IP address, a cookie ID, an advertising ID or a device fingerprint. UK GDPR treats these as personal data when they can be linked back to you, alone or combined with other information, even if your name never appears.
What an online identifier actually is
An online identifier is a piece of digital information that can be used to recognise a particular person, device or browser as they move around the web. You never type it in and you rarely see it, but it travels alongside the ordinary things you do — loading a page, opening an app, watching a video — and lets a service tell one visitor apart from another.
The UK GDPR names online identifiers directly. It explains that a person can be identified not only by obvious details like a name, but also by identifiers such as those provided by their devices, applications, tools and protocols. In other words, the law expects that a tag with no name attached can still point back to a real individual.
That is the heart of why this matters for your own footprint. An identifier does not need to spell out who you are to count as information about you. If it can single you out — on its own, or once it is joined with other details a service holds — it generally falls within the definition of personal data, and the rights that come with it apply.
The common identifiers, and what each one does
Most online identifiers fall into a handful of familiar types. Knowing them by name makes a privacy notice or an access response far easier to read, because you can recognise what is being described rather than skimming past the technical words.
None of these is sinister in itself — many keep you logged in, remember your language, or stop a video restarting from scratch. The point is simply that each one can act as a thread connecting your activity over time, which is exactly why the law treats them as your data.
- IP address — the number your connection uses to reach the internet; it can suggest your rough location and link sessions together.
- Cookie ID — a small file a website stores in your browser, often used to remember you between visits.
- Advertising ID — a resettable identifier on phones and tablets that apps use to recognise a device for advertising.
- Device fingerprint — a profile built from your screen size, fonts, browser and settings that can recognise a device without any cookie at all.
- Account, customer or session IDs — reference numbers a service assigns to you behind the scenes.
Why this matters for your own footprint
When an identifier is stable enough to follow you across pages, sessions or services, it stops being a neutral technical detail and becomes part of the picture an organisation holds about you. That is also how parts of the data-broker ecosystem work: identifiers collected in one place can be matched to records elsewhere, building a fuller view of a person over time. Understanding this is calmer than it sounds — it is simply how the modern web keeps track of visitors, and recognising it puts you in a stronger position.
The practical upside is that an online identifier is something you can ask about. Because it counts as your personal data, you can request a copy of what an organisation links to it, question why it is held, and decide for yourself whether to route a data-rights request about it. The system can suggest what is worth looking at; the choice of what to do stays entirely yours.
This article is general information and not legal advice. For guidance on a specific situation, consider speaking with a qualified professional or your supervisory authority, the Information Commissioner's Office (ICO).
Frequently asked questions
Is an IP address an online identifier?
Yes. The UK GDPR gives IP addresses as a clear example of an online identifier. Whether a particular IP address is personal data in a specific case depends on whether it can be linked back to an identifiable person, on its own or combined with other information an organisation holds.
Is an online identifier the same as personal data?
An online identifier is a type of personal data whenever it can be used to single you out, directly or indirectly. It does not have to include your name. If a cookie ID, advertising ID or device fingerprint can be connected to you as an identifiable individual, it generally counts as your personal data.
Can a website recognise me without cookies?
Sometimes, yes. A device fingerprint can recognise a browser or device from a combination of settings — screen size, fonts, language and configuration — without storing a cookie. This is one reason clearing cookies does not always reset how a service recognises you.
Can I ask an organisation about the identifiers it holds for me?
You can. Because online identifiers can be your personal data, your UK GDPR right of access lets you ask an organisation what it holds and how it is used. Our DSAR guide walks through how to put that request together, and the decision to send it stays with you.
Related terms
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
Want to see what's linked to you?
OSINTA helps you understand your own digital footprint and exercise your own rights — you stay in control of every step.