Netlogic Consultancy and services LTD

Who Steals My Cookie: The Ugly Truth Behind Website Cookies

As users, we’re bombarded daily with cookie consent banners. As InfoSec and IT professionals, we know those pop-ups are more than UI noise; they’re signals of a deeper, ongoing tension between data utility, user privacy, and regulatory compliance.

Cookies have become powerful tools for both functionality and surveillance. And as global privacy regulations tighten, failing to understand what cookies collect and how that data is handled can result in more than just a slap on the wrist.

This post unpacks the technical, legal, and privacy dimensions of website cookies, with a lens on GDPR, PDPA (Sri Lanka), CCPA, and what it all means for InfoSec practitioners.

What Exactly Are Cookies?

At their core, cookies are small text files stored in a user’s browser. Created by websites, they allow the site (or third parties) to store information about the user’s visit.

Types of cookies:

  • Session Cookies – Deleted when the browser closes
  • Persistent Cookies – Remain for a set period (used for remembering logins or settings)
  • First-Party Cookies – Set by the site being visited
  • Third-Party Cookies – Set by other domains (e.g., advertisers, analytics providers)

While they seem harmless, cookies can track behaviour across multiple websites and over long periods. That tracking becomes the foundation for behavioural profiling, targeted advertising, and even risk scoring, all without users truly understanding what’s being collected.

What Data Do Cookies Really Harvest?

Here’s the technical breakdown of data often harvested using cookies and associated scripts:

  • Device identifiers (browser fingerprinting, OS type, screen resolution)
  • IP addresses (can imply location)
  • Clickstream data (mouse movements, clicks, scrolls)
  • Referrer URLs (what site brought the user)
  • Session history and site interaction patterns
  • Login status and authentication tokens
  • Shopping cart contents, even when not logged in
  • Language preferences and UI settings

Third-party cookies often used for advertising or retargeting combine this data with off-site behaviour to build profiles that can include sensitive inferences: interests, financial status, health concerns, political leanings, and more.

Privacy Laws: Consent, Compliance & Consequences We Should Be Aware Of

GDPR (EU/EEA)

The General Data Protection Regulation requires explicit, informed consent for any cookies that process personal data, including analytics and advertising cookies.

  • Consent must be granular (by purpose)
  • Consent must be opt-in, not assumed
  • Proof of consent must be maintained
  • Users must be able to withdraw consent at any time

GDPR is reinforced by the ePrivacy Directive, which focuses specifically on how data is stored on and accessed from a user’s device, making cookie compliance a dual obligation.

PDPA No. 9 of 2022 (Sri Lanka)

Sri Lanka’s Personal Data Protection Act, enacted in 2022, introduces a structured legal framework for processing personal data, including tracking via cookies. While enforcement has been phased in gradually, the law is now a key consideration for both public and private sector organisations operating in Sri Lanka.

Key principles relevant to cookies:

  • Consent is required for collecting and processing personal data, especially when it’s not strictly necessary for service delivery
  • Transparency obligations mandate that data subjects be informed about what data is collected via cookies, for what purpose, and with whom it is shared
  • Data Subject Rights include the ability to access, rectify, erase, and object to processing even in cookie-based tracking scenarios
  • Data Controllers and Processors must implement safeguards to protect personal data collected via web technologies, and ensure third-party processors (like analytics platforms) are also compliant
  • The Act applies to data processed in Sri Lanka or related to individuals in Sri Lanka, regardless of where the processing entity is located

In essence, cookies that track or profile users beyond what is strictly necessary for functionality are covered under Sri Lanka’s PDPA, aligning it with global standards like GDPR.

CCPA & CPRA (California, USA)

The California Consumer Privacy Act takes a slightly different approach:

  • Requires notice at collection and description of how cookies are used
  • Provides opt-out rights for data sales, which may include sharing via cookies
  • Mandates a “Do Not Sell or Share My Personal Information” link for qualifying businesses

Unlike GDPR, CCPA does not require prior consent but still emphasises user control and transparency.

What InfoSec & IT Professionals Must Know

Even if you’re not in legal or compliance, cookie usage is your concern. Why?

  1. Cookies are attack vectors – Poorly configured cookies can leak session data or be hijacked via cross-site scripting (XSS)
  2. 3rd-party scripts leak data – Every analytics pixel or ad script might share user data with dozens of parties
  3. Improper consent flows create regulatory risk – Misleading or non-functional cookie banners can trigger fines
  4. Consent needs logging – You must prove user consent was captured and honoured

InfoSec teams must treat cookie behaviour as part of their threat model, especially in high-privacy or regulated industries.

Practical Steps for Compliance and Control

Here’s how InfoSec and IT teams can take control:

  • Audit all cookies and trackers – Use browser inspection tools, automated scanners, or Content Security Policies (CSPs)
  • Use consent management platforms (CMPs) – Ensure granular, compliant user choice with full logging
  • Harden cookie security – Always set Secure, HttpOnly, and SameSite flags where applicable
  • Review 3rd-party integrations – Minimize use of trackers, and sandbox risky scripts
  • Implement data minimization – Don’t collect what you don’t need
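
As an added example (not code from the original post), the audit script below checks captured Set-Cookie headers for the Secure, HttpOnly and SameSite flags recommended above and marks cookies set by hosts outside the visited site as third-party. It assumes each header was captured together with the host that returned it; the sample headers and host names are constructed.

```python
# Added example (not from the original post): audit Set-Cookie headers for
# the hardening flags Secure, HttpOnly and SameSite, and flag third-party
# cookies. Sample headers below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Finding:
    name: str            # cookie name
    set_by: str          # host that returned the Set-Cookie header
    third_party: bool    # set by a host outside the visited site
    issues: list = field(default_factory=list)


def same_site(host: str, site: str) -> bool:
    """True when host is the visited site itself or one of its subdomains."""
    host, site = host.lower(), site.lower()
    return host == site or host.endswith("." + site)


def audit_set_cookie(site: str, set_by: str, header: str) -> Finding:
    """Audit one Set-Cookie header value returned by host `set_by`."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:                      # attributes are case-insensitive
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    finding = Finding(name, set_by, not same_site(set_by, site))
    if "secure" not in attrs:
        finding.issues.append("missing Secure: cookie may travel over plain HTTP")
    if "httponly" not in attrs:
        finding.issues.append("missing HttpOnly: readable by injected script (XSS)")
    samesite = attrs.get("samesite")
    if samesite is None:
        finding.issues.append("missing SameSite: relies on browser default")
    elif samesite == "none" and "secure" not in attrs:
        finding.issues.append("SameSite=None without Secure: browsers reject it")
    if finding.third_party:
        finding.issues.append("third-party cookie: needs documented purpose and consent")
    return finding


def audit_all(site: str, captured: list) -> list:
    """Audit (host, Set-Cookie value) pairs captured while loading `site`."""
    return [audit_set_cookie(site, host, header) for host, header in captured]


# Constructed sample: headers seen while loading the hypothetical site shop.example
CAPTURED = [
    ("shop.example", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "cart=3items; Path=/"),
    ("ads.tracker.example", "uid=xyz; Domain=.tracker.example; SameSite=None"),
]

if __name__ == "__main__":
    for f in audit_all("shop.example", CAPTURED):
        kind = "third-party" if f.third_party else "first-party"
        print(f"{f.name} ({kind}, set by {f.set_by}): {f.issues or 'OK'}")
```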

Privacy by design isn’t a marketing slogan; it’s a security architecture principle.

Final Thoughts: Cookies Are Not Just a Legal Issue

Website cookies are where legal risk, technical complexity, and user trust collide. For InfoSec and IT professionals, they offer a unique challenge: one that blends browser-level behaviour with backend compliance systems.

Next time you see a cookie banner, look past the checkbox and ask yourself:

Who’s stealing your cookie… and what are they really doing with it?

How Netlogic Consultancy Can Help

Understanding the privacy implications of cookies and ensuring compliance with evolving data protection laws, such as Sri Lanka’s PDPA, the GDPR, or the CCPA, requires more than technical know-how. It demands a clear, strategic approach rooted in legal awareness and risk management.

That’s where Netlogic Consultancy comes in.

We provide independent, expert advice to help organisations:

  • Assess privacy risks related to cookie usage and tracking technologies
  • Interpret and apply data protection laws like the PDPA to your digital operations
  • Evaluate third-party services (e.g. analytics, marketing tools) from a compliance standpoint
  • Develop internal policies and governance frameworks for data privacy and user consent
  • Support compliance roadmaps that align with regulatory requirements and organisational goals

We do not implement technology, but we partner with your internal teams or chosen vendors to ensure that any technical solutions are strategically aligned, risk-informed, and legally sound.

With Netlogic Consultancy, you gain a trusted advisor on privacy, compliance, and responsible data use without the guesswork.
