The actual law is about any kind of personal data, including but not limited to fingerprinting web/app users, which can be associated with a real human.

European fear of harms caused by malicious use of databases of personal data go back to actual harms caused by such databases when they were still paper-based and the first transistors had not even been demonstrated.

They're also on the way out because Google is moving to turn Chrome into a massive tracking black box on it's own.

There's no need to use cookie-based fingerprinting if you control ~97% of the browser market and you can just install the tracking tools directly in the software used and keep them active with maliciously crafted (dark pattern) popups.