Most businesses have websites that use browser tracking ‘cookies’ or capture some private information from customers or visitors. A visit by an EU citizen could bring you into the scope of the GDPR, and you would not even know until it's too late.
Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. What this essentially tells us is that cookies, where they are used to uniquely identify the device or, in combination with other data, the individual associated with or using the device, should be treated as personal data.
This position is also reinforced by Recital 26, which states that where data can reasonably be used, either alone or in conjunction with other data, to single out an individual or otherwise identify them indirectly, then it is personal data.
Using pseudonymous identifiers (such as strings of numbers or letters), which is what cookies typically contain to make them unique, still makes them personal data.
This will certainly cover almost all advertising/targeting cookies; lots of web analytics cookies; and quite a few functional services like survey and chat tools that record user IDs in cookies.