I guess according to GDPR this counts as tracking nontheless. GDPR does not specifically mention cookies or anything technical. An identifier is enough (does not have to be a uuid). IP, location, browser etc already counts. This probably would count as storing something like a cookie on the client.