
> Tracking cookies have little value for GitHub when they can collect data about users that have already been authenticated

This is true of every advertiser or data seller, including obvious ones like Google, FB, Amazon... and less obvious ones like your ISP, Apple, etc.

The industry calls it a persistent ID (as opposed to cookies, which are transient IDs): https://digiday.com/marketing/wtf-persistent-id/ (random result, I do not endorse it)

The trick is: the publisher/intermediary has even more information about you, but they call you User-A instead of your name, so they can sell your history, zip, DNA, etc... They just pretend that not labeling the data with your name or some other personally identifiable information already listed in a law somewhere makes everything fine.



History, ZIP and DNA already are personally identifiable information (PII). Pseudonymisation is in general not enough to avoid the GDPR and similar laws. And pseudonymisation would require the removal or obfuscation of all PII to the point that it is impossible to reconstruct the identity of the user.

There's no specific list of information regarded as PII; it's PII if it can be used to identify the user, even if only in combination with other PII.

The GDPR is really quite broad there; other laws may be more lenient. However, the GDPR is not yet very strictly enforced or tested in court.


> Pseudonymisation is in general not enough to avoid the GDPR and similar laws.

Fortunately, "undermining the spirit of the law in order to continue to make a profit" is generally frowned upon in the EU, and lawmakers don't take too kindly to it. Sometimes I get the feeling that in the US it's almost acceptable to publicly brag about doing this, like it's even more "socially" acceptable.



