Does this not violate European privacy laws?
So what if it does? They'll get hit with a fine that will be the equivalent of 6 hours of revenue as they continue to be bastards.
GDPR only covers PII, this is a randomly generated ID that changes on every install on the OS.
You can mix it with other info to track a user, but it's not enough to de-anonymize someone on its own.
Probably yes it does. Not that it matters when you hack a website to have some expensive jewelry sent to your home address.