> Using personal data to assign a cohort counts as using personal data. Duh. The approach described in the article doesn't use any personal data, though?

Quoting the European commission:

"Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data."

I'd hazard a guess that it's the second part under which the EC might find this to be within scope.

If I gave you a list of all the last-modified headers from a day, how would you use that information to identify a person?

The definition of personal data under the GDPR is anything that can be used to uniquely identify a natural person (with sufficiently high probability). Both cookies and date-modified meet that definition identically, as do IP addresses.

That doesn't mean you can't use it at all. It just places strong restrictions on what purpodes you can use it for. The important point is just that those restrictions are the same under GDPR for all of these technologies. It doesn't matter how you uniquely identify users, what matters is what you do with that information.

They don't assign a unique date-modified to each user. They assign everyone the same date modified on their first visit of the day. I don't accept that this could be used to uniquely identify a natural person.

You may be able to look at the headers and see that a certain user made the most requests that day. That still tells you nothing about their identity.

Nothing in the technique described here allows to identify an individual directly or indirectly because 'identifiers' are not unique and really no different than standard 'last-modified' dates. Even if they were unique further data would have to be collected in order to be able to identify individuals and turn everything into personal data.

What the technique may fall foul of, though, are cookie laws.