Crumbled Cookie: Exploring E-commerce Websites' Cookie Policies with Data Protection Regulations
Nivedita Singh, Yejin Do, Yongsang Yu, Imane Fouad, Jungrae Kim, Hyoungshick Kim
TL;DR
The paper tackles the privacy risks of cookie-based tracking on e-commerce sites under GDPR/CCPA by introducing CookieCruncher, a crawler-based tool that analyzes 11,223 cookies from 360 sites across 18 countries. It reveals a high prevalence of third-party and tracking cookies, with substantial risks of XSS and CSRF arising from misconfigured attributes and long-lived lifecycles, including masquerading cookies on maestro websites. The study demonstrates that even in GDPR-like regions, substantial cookie privacy violations persist, driven by intricate attribute interdependencies and cross-site data sharing with ad-tech ecosystems. The findings underscore the need for more precise regulatory guidance on cookie attributes, improved consent mechanisms, and policy innovations to curb cross-site tracking and protect user privacy in the evolving web landscape.
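The attribute checks the summary refers to (third-party scope, missing Secure/HttpOnly/SameSite, long-lived lifetimes) can be illustrated with a small Set-Cookie auditor. The following is an added example, not CookieCruncher's code or any code from the paper; the page host, the sample headers, the one-year "long-lived" threshold and the two-label approximation of the registrable domain are all constructed assumptions for illustration.

```python
"""Audit Set-Cookie headers for risky attribute configurations.

Added example (not the paper's CookieCruncher): parses Set-Cookie values,
labels each cookie first- or third-party relative to the page host, and flags
missing Secure/HttpOnly/SameSite plus long-lived lifetimes. Inputs are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

LONG_LIVED_SECONDS = 365 * 24 * 3600  # assumed threshold: anything past one year is "long-lived"


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None
    path: str = "/"
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None
    max_age: Optional[int] = None
    expires: Optional[datetime] = None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite":
            cookie.samesite = val.capitalize() or None  # "Lax", "Strict", "None"
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "max-age":
            try:
                cookie.max_age = int(val)
            except ValueError:
                pass  # malformed Max-Age is ignored, as browsers do
        elif key == "expires":
            try:
                cookie.expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass  # unparseable Expires falls back to a session cookie
    return cookie


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def is_third_party(cookie: Cookie, page_host: str) -> bool:
    """Third-party when the cookie's registrable domain differs from the page's."""
    return registrable_domain(cookie.domain or page_host) != registrable_domain(page_host)


def lifetime_seconds(cookie: Cookie, now: datetime) -> Optional[int]:
    """Max-Age wins over Expires (RFC 6265); None means a session cookie."""
    if cookie.max_age is not None:
        return cookie.max_age
    if cookie.expires is not None:
        exp = cookie.expires
        if exp.tzinfo is None:  # treat a naive Expires as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None


def audit(cookie: Cookie, page_host: str, now: datetime) -> List[str]:
    """Return the list of findings for one cookie (empty list means no issue found)."""
    findings: List[str] = []
    if is_third_party(cookie, page_host):
        findings.append("third-party")
    if not cookie.secure:
        findings.append("missing-secure")
    if not cookie.httponly:
        findings.append("missing-httponly")
    if cookie.samesite is None:
        findings.append("missing-samesite")
    elif cookie.samesite == "None" and not cookie.secure:
        findings.append("samesite-none-without-secure")  # browsers reject this combination
    life = lifetime_seconds(cookie, now)
    if life is not None and life > LONG_LIVED_SECONDS:
        findings.append("long-lived")
    return findings


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
PAGE_HOST = "shop.example.com"                   # constructed page origin
SAMPLE_HEADERS = [  # constructed Set-Cookie values, not captured from any real site
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_track=xyz; Domain=.ads-example.net; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "pref=dark; Max-Age=63072000; SameSite=None",
]


def audit_all(headers: List[str], page_host: str = PAGE_HOST, now: datetime = NOW) -> Dict[str, List[str]]:
    """Map cookie name to findings for a batch of Set-Cookie headers."""
    return {c.name: audit(c, page_host, now) for c in map(parse_set_cookie, headers)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {findings or 'ok'}")
```

The auditor deliberately applies RFC 6265 precedence (Max-Age over Expires) and treats a missing Domain attribute as host-only, which is why the first-party decision compares the page host itself when no Domain is set.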
Abstract
Despite stringent data protection regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other country-specific regulations, many websites continue to use cookies to track user activities. Recent studies have revealed several data protection violations, resulting in significant penalties, especially for multinational corporations. Motivated by the question of why these data protection violations continue to occur despite strong data protection regulations, we examined 360 popular e-commerce websites in multiple countries to analyze whether they comply with regulations to protect user privacy from a cookie perspective.
