ACM Transactions on the Web, volume 19, issue 1, pages 1-24

Crumbled Cookies: Exploring E-commerce Websites' Cookie Policies with Data Protection Regulations

Publication type: Journal Article
Publication date: 2025-01-10
scimago: Q2
wos: Q2
SJR: 0.787
CiteScore: 4.9
Impact factor: 2.6
ISSN: 15591131, 1559114X
Abstract

Despite stringent data protection regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other country-specific laws, numerous websites continue to use cookies to track user activities, raising significant privacy concerns. This study aims to investigate the compliance of e-commerce websites with these regulations from a cookie perspective and explore potential variations in cookie policies across different countries. We conducted a comprehensive analysis of 360 popular e-commerce websites (44,323 cookies) across multiple countries, examining cookie attributes and their potential links to privacy and security breaches. Our findings revealed that 73% of third-party cookies function as tracker cookies, with around 40% breaching lifecycle regulations. Additionally, 85% are vulnerable to potential cross-site scripting (XSS) attacks, while only 349 out of 44,323 adhere to robust measures aimed at combating cross-site request forgery (CSRF) attacks. We also discovered instances of masquerading cookies, where third-party cookies disguise themselves as first-party cookies, enabling unauthorized user tracking without consent. To the best of our knowledge, this study is the first to comprehensively analyze the compliance of e-commerce websites with the GDPR, CCPA, and country-specific regulations concerning cookie policies across different jurisdictions. Our findings highlight the urgent need for uniform and consistent cookie policies across websites and jurisdictions, as well as robust enforcement mechanisms and increased transparency to ensure compliance with data protection regulations. This research contributes to the ongoing discourse on privacy protection and underscores the importance of addressing the challenges posed by insecure cookie practices in the e-commerce sector.
