1. Introduction
In the evolving landscape of information security, compliance and technical controls are no longer separable. A regulatory breach can mean personal data is processed without authorization, and that carries security implications, not merely legal ones.
This article explores why legally non-compliant behavior (e.g. pre-consent tracking) may constitute a legitimate security vulnerability, and how frameworks like ISO/IEC 27001, GDPR, and ePrivacy support this view.
2. Defining “Security” in 2025
- The ISO/IEC 27000 series defines information security as:
  > “The preservation of confidentiality, integrity and availability of information.”
- But Annex A of ISO/IEC 27001:2022 expands this with controls on:
  - A.8.9 — Personal data privacy
  - A.8.11 — Data masking and consent handling
→ Hence, violations of data protection laws fall within the scope of organizational security failures.
3. Consent Bypass ≠ Harmless
Example scenario:
- A webpage loads trackers (e.g. Google Analytics, WebSockets) before displaying or acting on cookie consent.
- Data is sent to 3rd parties.
- No explicit user action occurred.
From a legal viewpoint:
- ePrivacy Directive Art. 5(3) prohibits access to terminal equipment before consent.
- GDPR Art. 6(1) requires lawful basis for processing personal data.
From a security viewpoint:
- Unauthorised data flows = confidentiality breach.
- Deliberate circumvention of consent banners = technical control failure.
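The scenario above, as an added example that is not part of the original article: a page that fires third-party trackers at load (the vulnerable pattern) next to one that gates them behind an explicit consent decision (the hardened pattern), plus an audit that flags any third-party request sent while consent was absent, which is the check a reviewer would run over a network capture. It is plain JavaScript with no browser required; the hosts, the `uid` parameter and every function name (`makeConsentStore`, `makeNetworkLog`, `vulnerablePageLoad`, `hardenedPageLoad`, `auditPreConsentFlows`, `runScenario`) are constructed for this example.

```javascript
// Added example, not code from the original article. Hosts and names are constructed.
const FIRST_PARTY_HOST = "shop.example";                                   // constructed
const THIRD_PARTY_TRACKERS = [                                             // constructed
  { name: "analytics", url: "https://analytics.example/collect?uid=123" },
  { name: "ads",       url: "https://ads.example/pixel?uid=123" },
];

// Consent store: no decision until the user acts. `onGrant` callbacks run only
// after an explicit opt-in; a rejection or no action at all never triggers them.
function makeConsentStore() {
  let decision = null;                       // null | "granted" | "rejected"
  const onGrantCallbacks = [];
  return {
    isGranted: () => decision === "granted",
    grant() { decision = "granted"; onGrantCallbacks.splice(0).forEach((cb) => cb()); },
    reject() { decision = "rejected"; },
    onGrant(cb) { onGrantCallbacks.push(cb); },
  };
}

// Network log standing in for a HAR capture: each outbound request records the
// consent state at the moment it was sent, which is the fact the audit needs.
function makeNetworkLog(consent) {
  const entries = [];
  return {
    send(url) { entries.push({ url, consentAtSend: consent.isGranted() }); },
    entries,
  };
}

// Vulnerable pattern: trackers fire unconditionally during page load,
// before the consent banner has been shown or answered.
function vulnerablePageLoad(net /* , consent is ignored */) {
  for (const t of THIRD_PARTY_TRACKERS) net.send(t.url);
}

// Hardened pattern: trackers are deferred behind the opt-in callback,
// so nothing leaves the origin without an explicit user action.
function hardenedPageLoad(net, consent) {
  const fireTrackers = () => { for (const t of THIRD_PARTY_TRACKERS) net.send(t.url); };
  if (consent.isGranted()) fireTrackers(); else consent.onGrant(fireTrackers);
}

// Audit: every request to a host other than the first party that left the
// page while consent was absent is an unauthorised data flow.
function auditPreConsentFlows(entries) {
  return entries
    .filter((e) => new URL(e.url).hostname !== FIRST_PARTY_HOST)
    .filter((e) => !e.consentAtSend)
    .map((e) => new URL(e.url).hostname);
}

// Drive one page lifecycle: first-party fetch, page load, then (optionally)
// the user grants consent. Returns the request count and the audit findings.
function runScenario(pageLoad, userGrantsConsent) {
  const consent = makeConsentStore();
  const net = makeNetworkLog(consent);
  net.send(`https://${FIRST_PARTY_HOST}/index.html`);   // first-party fetch needs no consent
  pageLoad(net, consent);
  if (userGrantsConsent) consent.grant();
  return { total: net.entries.length, violations: auditPreConsentFlows(net.entries) };
}

// The vulnerable page leaks to both hosts whatever the user later does; the
// hardened page contacts them only after opt-in, and not at all otherwise.
console.log("vulnerable, user accepts:", runScenario(vulnerablePageLoad, true));
console.log("hardened,   user accepts:", runScenario(hardenedPageLoad, true));
console.log("hardened,   no action:   ", runScenario(hardenedPageLoad, false));
```

The point of recording `consentAtSend` on each request is that the audit does not care what the page's code claims to do; it judges the observed data flow against the consent state at send time, which is exactly how a browser's tracking protection or a regulator's capture-based review judges it.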
4. Firefox Blocks It. Chrome Allows It.
When Firefox’s Enhanced Tracking Protection actively blocks connections, it signals:
- The behavior is not just “non-compliant” — it's considered privacy-invasive by design.
- The line between “non-security bug” and “security-relevant flaw” starts to blur.
5. Regulatory Action as a Precedent
- CNIL (2022) fined Google €60M for loading trackers before consent.
- ICO (UK) emphasized that analytics without consent is “likely unlawful.”
- Such findings imply the technical implementation itself constitutes a breach.
6. Reframing Security Impact
Security is no longer only about XSS or RCE.
It is about control — who has it, who lacks it, and whether that lack is intended or negligent.
7. Conclusion
There’s a growing case to treat non-consensual data flows as security vulnerabilities, not just legal infractions. The boundary between compliance engineer and security researcher is fading.
8. References
- ISO/IEC 27001:2022 (Annex A.8): https://www.iso.org/standard/82875.html
- ePrivacy Directive (2002/58/EC), Article 5(3): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058#d1e691-48-1
- GDPR (EU 2016/679), Article 6(1): https://gdpr-info.eu/art-6-gdpr/
- CNIL Decision No. SAN-2021-023 & SAN-2021-024 (Google & Facebook, December 2021): https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046280956/
- ICO Guidance on Analytics Cookies and Consent (PDF): https://ico.org.uk/media2/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf
- ICO Guidance on Analytics Cookies and Consent (web): https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/#analytics
- Firefox Enhanced Tracking Protection (ETP) Documentation: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop