Non-compliance with the EU cookie law as a finding in a penetration test report?

I don't know of any technical security impact relating to not adhering to EU cookie laws.

Ultimately I think this is mostly down to the discretion of the assessor and the context of the assessment. Privacy issues are security-adjacent and come with similar PR impacts, and may even be judged to infringe upon the rights of the individual, so I think in some cases such findings may be useful.

For me the question isn't so much whether these things should be reported to the client, as whether or not they should be in the pentest report itself. There are other communication channels that can be used to relay this information. It may well be that this was discussed and the client asked that it be put into the report. It could even be that compliance concerns were one of the key drivers to having the assessment done in the first place. Some scopes explicitly include looking for findings that might embarrass the company or its associates (content injection is a fun one here).

I have reported everything from functionality problems to typos (albeit serious ones with vulgar consequences) to clients when doing pentesting work, when appropriate, because ultimately my job is to help improve their system. I don't think it hurts to include this kind of thing in a report because it can always be removed and filed separately at the client's request.


A vulnerability is something that leaves you open to the possibility of being harmed. Being prosecuted or sued for violating the law is a form of harm. Therefore, not complying with the law is a vulnerability. It really is this simple.


This is a security issue for the users.

Non-compliance with cookie-related laws includes cookie data being built up about you while on the site, after you have clicked 'opt-out'. If the site does not acknowledge the GDPR (privacy laws) then some degree of personally identifying information about the user is being leaked into the site's domain, stored, and used in ways that amount to tracking. This includes:

  • if a banner pops up saying that cookies are being used and "click OK to accept"
  • if no notification is made to the user, but tracking is performed
  • if no options or preferences are given to the user, yet tracking is performed.
  • and others

Cookies are one obvious thing to test for, and it is perhaps the only reliable way to test for tracking, since backend techniques would be invisible unless a specific personalization feature remains consistent across pageviews.

For some corporations that I have been part of, some lawyers argue that cookies are not illegal as long as they do not connect session data with a personal identifier.

Regardless, this would be a likely vector for errors or misrepresentation, and thus I would expect it to show up in a report dealing with user security.


tl;dr: people don't seem to understand user privacy is a security issue for the user.
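The cookie check the answer above describes (does the site keep setting persistent tracking cookies after the user clicks opt-out?) can be turned into a repeatable test that compares the Set-Cookie headers captured from an intercepting proxy before any consent choice and after the opt-out click. The script below is an added example for this thread, not code from any answerer; the captured headers, the cookie names and the functional-cookie allowlist are constructed for illustration, and it makes no network requests, so you would paste in headers from your own proxy capture.

```python
"""Flag persistent tracking-style cookies still being set after opt-out.

Added example: the Set-Cookie captures, cookie names and the FUNCTIONAL
allowlist below are constructed for illustration and are not from any
real site. Feed it the raw Set-Cookie header values from your proxy.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed capture: Set-Cookie headers on the first response, before any choice.
BEFORE_CONSENT = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.111.222; Path=/; Expires=Sat, 01 Jan 2028 00:00:00 GMT",
    "_fbp=fb.1.333.444; Path=/; Max-Age=7776000",
]
# Constructed capture: Set-Cookie headers on the response after clicking opt-out.
AFTER_OPT_OUT = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "cookie_consent=rejected; Path=/; Max-Age=31536000",
    "_ga=GA1.2.111.222; Path=/; Expires=Sat, 01 Jan 2028 00:00:00 GMT",
]
# Hypothetical allowlist of cookies the site needs to function (agree this with the client).
FUNCTIONAL = {"sessionid", "cookie_consent", "csrftoken"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; valueless attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def is_persistent(attrs, now):
    """True if the cookie outlives the browser session: Max-Age > 0, or Expires
    in the future. Max-Age takes precedence over Expires (RFC 6265)."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False
    return False  # session cookie


def tracking_cookies(headers, functional, now):
    """Names of persistent cookies that are not on the functional allowlist."""
    found = set()
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in functional and is_persistent(attrs, now):
            found.add(name)
    return found


def audit(before_consent, after_opt_out, functional=FUNCTIONAL, now=None):
    """Compare the two captures and return the facts a report finding needs."""
    now = now or datetime.now(timezone.utc)
    pre = tracking_cookies(before_consent, functional, now)
    post = tracking_cookies(after_opt_out, functional, now)
    return {
        "set_before_consent": sorted(pre),
        "still_set_after_opt_out": sorted(post),
        "new_after_opt_out": sorted(post - pre),
    }


def report_lines(findings):
    """Render the audit result as lines suitable for the report's evidence section."""
    lines = []
    for key, names in findings.items():
        lines.append(f"{key}: {', '.join(names) if names else 'none'}")
    return lines


if __name__ == "__main__":
    for line in report_lines(audit(BEFORE_CONSENT, AFTER_OPT_OUT)):
        print(line)
```

Only cookies are covered here; as the answer notes, server-side or fingerprint-based tracking leaves no Set-Cookie to inspect, and localStorage-based tracking would need the same comparison run against the storage snapshot instead. Passing a fixed `now` keeps the Expires comparison reproducible when the evidence is re-run later.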