Is Legally Non-Compliant Behavior a Security Vulnerability?

1. Introduction
In the current information-security landscape, compliance and technical controls are no longer separable. A regulatory breach such as pre-consent tracking is, at the technical level, an unauthorised flow of personal data off the user's device, and that carries security implications, not merely legal ones.
This article argues that legally non-compliant behaviour (e.g. pre-consent tracking) can constitute a legitimate security vulnerability, and shows how ISO/IEC 27001, the GDPR and the ePrivacy Directive support this view.
2. Defining “Security” in 2025
The ISO/IEC 27000 series defines information security as:
> "The preservation of confidentiality, integrity and availability of information."
Annex A of ISO/IEC 27001:2022 then lists controls that reach directly into the handling of personal data, for example:
A.5.34 — Privacy and protection of personal identifiable information (PII)
A.8.11 — Data masking
A.8.12 — Data leakage prevention
→ Hence, an unlawful disclosure of personal data is not only a compliance finding; it is a failure of controls the organisation's ISMS is supposed to operate, and so falls within the scope of organisational security failures.
3. Consent Bypass ≠ Harmless
Example scenario:
A webpage loads trackers (e.g. a Google Analytics tag, or a WebSocket connection to a third-party host) before the cookie banner is displayed, or before the user's choice is acted on.
Identifiers, page URLs and other data are sent to third parties.
No user action has taken place.
From a legal viewpoint:
ePrivacy Directive Art. 5(3): storing information on, or gaining access to information already stored in, the user's terminal equipment requires prior informed consent. The only exemption is for storage or access strictly necessary to provide a service the user explicitly requested, which analytics and advertising trackers are not.
GDPR Art. 6(1): processing personal data (online identifiers such as cookie IDs included) requires a lawful basis; where consent is the basis relied on, processing that happens before consent has none.
From a security viewpoint:
Personal data leaving the device to a party the user never authorised is an unauthorised data flow, i.e. a confidentiality breach.
A consent banner whose decision is not enforced, because the tags fire regardless, is a technical control that fails open, whether through deliberate circumvention or simply through the ordering of scripts on the page.
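The two implementations side by side, as an added example that is not part of the original article: the common pattern where tags fire on page load, and a consent gate that holds every non-essential third-party load until the user has decided and drops the ones that were refused. All names (ConsentGate, vulnerableBoot, runScenario), the purpose categories and the hosts are hypothetical; `inject` stands in for appending a script tag.

```javascript
// Added example (not from the article): consent-gated loading of third-party tags.
// Hosts and function names are constructed for illustration.

// VULNERABLE PATTERN: tags fire as soon as the snippet runs, i.e. on page load,
// before any banner exists. Returns how many third-party loads happened with no
// consent decision at all.
function vulnerableBoot(inject) {
  const tags = ['https://analytics.example/tag.js', 'https://ads.example/pixel.js'];
  tags.forEach(inject);
  return tags.length;
}

// HARDENED PATTERN: every non-essential resource is registered under a purpose
// category and only loaded once that category has been granted.
class ConsentGate {
  constructor(inject) {
    this.inject = inject;                   // performs the real load
    this.pending = new Map();               // category -> queued URLs
    this.granted = new Set(['necessary']);  // Art. 5(3) exemption: strictly necessary only
    this.decided = false;
    this.loaded = [];
    this.blocked = [];
  }

  // Strictly necessary resources load at once; everything else waits for the
  // user's choice, or is decided by it if the choice has already been made.
  request(category, url) {
    if (this.granted.has(category)) { this.load(url); return 'loaded'; }
    if (this.decided) { this.blocked.push(url); return 'blocked'; }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(url);
    return 'queued';
  }

  load(url) { this.inject(url); this.loaded.push(url); }

  // Called from the banner's accept / save-preferences handler. Queued resources
  // whose category was granted load now; the rest are dropped, not deferred.
  decide(grantedCategories) {
    this.decided = true;
    grantedCategories.forEach((c) => this.granted.add(c));
    for (const [category, urls] of this.pending) {
      for (const url of urls) {
        if (this.granted.has(category)) this.load(url); else this.blocked.push(url);
      }
    }
    this.pending.clear();
    return { loaded: [...this.loaded], blocked: [...this.blocked] };
  }
}

// Drive the gate with three resources and a given user choice, and report what
// left the page before the decision, what loaded after it, and what was blocked.
function runScenario(choice) {
  const injected = [];
  const inject = (url) => injected.push(url);
  const gate = new ConsentGate(inject);
  gate.request('necessary', 'https://cmp.example/banner.js');     // the banner itself
  gate.request('analytics', 'https://analytics.example/tag.js');
  gate.request('marketing', 'https://ads.example/pixel.js');
  const thirdPartyBeforeDecision = injected.filter((u) => !u.startsWith('https://cmp.example/')).length;
  const { loaded, blocked } = gate.decide(choice);
  // A request arriving after the decision is resolved immediately by it.
  const lateAnalytics = gate.request('analytics', 'https://analytics.example/late.js');
  return { thirdPartyBeforeDecision, loaded, blocked, lateAnalytics };
}

// In a browser, inject would be something like:
//   (url) => { const s = document.createElement('script'); s.src = url; document.head.appendChild(s); }
```

The important property is the `blocked` list: a refused category is dropped for the lifetime of the page rather than retried on the next navigation event, and nothing outside the `necessary` category is fetched before `decide` runs.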
4. Firefox Blocks It. Chrome Allows It.
When Firefox's Enhanced Tracking Protection blocks these connections by default, while Chrome in its default configuration lets them through, the browser vendor is signalling:
The behaviour is not just "non-compliant"; it is treated as privacy-invasive by design and blocked at the network layer, exactly as a security product would block it.
The line between "non-security bug" and "security-relevant flaw" starts to blur.
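A way to check your own page for the behaviour Firefox would block, as an added example that is not part of the original article: audit a request log and flag every third-party request that fired before the user's consent decision. The log is a simplified HAR (timestamps replaced by milliseconds after navigation start), every host in it is constructed, and the function names and the consent-endpoint convention are assumptions for the example.

```javascript
// Added example (not from the article): find third-party requests that left the
// page before consent. Sample log and hosts are constructed; names are hypothetical.

// Constructed request log for a page on shop.example.
const SAMPLE_LOG = [
  { t: 0,    method: 'GET',  url: 'https://shop.example/' },
  { t: 120,  method: 'GET',  url: 'https://static.shop.example/app.js' },
  { t: 300,  method: 'GET',  url: 'https://cmp.example/banner.js' },           // the consent banner
  { t: 340,  method: 'GET',  url: 'https://analytics.example/collect?cid=a1b2' },
  { t: 410,  method: 'GET',  url: 'wss://rt.ads.example/socket' },
  { t: 9000, method: 'POST', url: 'https://shop.example/api/consent' },       // user clicked "accept"
  { t: 9100, method: 'GET',  url: 'https://analytics.example/collect?cid=a1b2' },
];

// Simplification: treat the last two labels as the registrable domain. A real
// audit should use the Public Suffix List (co.uk, github.io, ...).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isThirdParty(url, pageHost) {
  return registrableDomain(new URL(url).hostname) !== registrableDomain(pageHost);
}

// The moment of consent: the first request matching the CMP's consent endpoint.
// No such request means no decision was recorded, so everything is pre-consent.
function consentTime(log, isConsentRequest) {
  const hit = log.find(isConsentRequest);
  return hit ? hit.t : Infinity;
}

// Every third-party request that fired before consent, minus hosts on the
// strictly-necessary allowlist (the CMP itself, a CDN you control).
function auditPreConsent(log, pageHost, { isConsentRequest, allowlist = [] }) {
  const consentAt = consentTime(log, isConsentRequest);
  return log
    .filter((e) => e.t < consentAt)
    .filter((e) => isThirdParty(e.url, pageHost))
    .filter((e) => !allowlist.includes(new URL(e.url).hostname))
    .map((e) => ({ t: e.t, host: new URL(e.url).hostname, url: e.url }));
}

// Run the audit over the constructed log. Expected: the analytics beacon at 340 ms
// and the WebSocket to the ad host at 410 ms; the post-consent beacon is fine.
function runSampleAudit() {
  return auditPreConsent(SAMPLE_LOG, 'shop.example', {
    isConsentRequest: (e) => e.method === 'POST' && new URL(e.url).pathname === '/api/consent',
    allowlist: ['cmp.example'],
  });
}
```

Note what the WebSocket entry shows: a consent audit that only inspects cookies misses it, because the identifier can travel in the URL or the first frame instead. Auditing the request log catches both cases.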
5. Regulatory Action as a Precedent
CNIL fined Google €100M in December 2020 for placing advertising cookies on users' devices without prior consent, and in December 2021 fined Google €150M and Facebook €60M because refusing cookies had been made harder than accepting them (decisions SAN-2021-023 and SAN-2021-024).
The ICO (UK) has emphasised that analytics cookies are not strictly necessary, and that using them without consent is "likely unlawful".
In each case the finding rested on the technical implementation itself: which requests fired, and when, relative to the user's choice.
6. Reframing Security Impact
Security is no longer only about XSS or RCE.
It is about control: who has it, who lacks it, and whether that lack is intended or negligent.
7. Conclusion
There is a growing case for treating non-consensual data flows as security vulnerabilities, not just legal infractions. The boundary between the compliance engineer and the security researcher is fading.
8. References
ISO/IEC 27001:2022, Annex A (controls A.5.34, A.8.11, A.8.12)
ePrivacy Directive (2002/58/EC), Article 5(3)
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058#d1e691-48-1
GDPR (EU 2016/679), Article 6(1)
CNIL Decisions No. SAN-2021-023 and SAN-2021-024 (Google and Facebook, December 2021)
https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046280956/
ICO Guidance on Analytics Cookies and Consent (PDF)
Firefox Enhanced Tracking Protection (ETP) Documentation
https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop