> A recent definition of the German authorities clarifies that with „cookies“, they don’t interpret it narrowly as the specific browser technology but any kind of beacon or mechanism for tracking[:] LocalStorage, Web Storage, reading of any kind of serial numbers, ETags, TLS Session IDs (if used for tracking), and any other method for fingerprinting such as font profiling.
To be fair, even the original wording[1] isn’t specific to cookies, only to client-side storage or code—which is also not the precise cause of the problem, but includes all the things you’ve listed:
> (24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.
> (25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. [...] Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.
(Emphasis mine.)
Interesting that this also uses the phrase “legitimate purpose”, but in a much broader sense to what the GDPR will eventually use. I did not realize that.
[1] https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...
