GDPR Art. 13(1)(e) requires disclosure of recipients or categories of recipients, which maps directly onto the first-party/third-party distinction in cookie usage. When third-party cookies are listed alongside first-party cookies in an undifferentiated table, users cannot assess the cross-site tracking implications. Third-party cookies set by Google or Meta persist across every site where those providers' scripts run; first-party cookies are domain-scoped. Consent under ePrivacy Art. 5(3) must be informed, and that includes this distinction, because the scope of data access differs materially. CCPA §1798.135 similarly requires disclosure of whether personal information is 'sold or shared' with third parties, a concept that maps directly onto third-party cookie tracking.
Severity is info because the failure is a presentational gap in an existing policy rather than an active tracking violation, but it reduces the quality of the informed consent obtained and limits users' ability to understand the privacy implications of third-party processing.
Split the cookie policy table into two sections using the thirdParty field from COOKIE_REGISTRY. Add explanatory prose about what third-party tracking means for cross-site data collection.
// app/cookies/page.tsx — two-section layout
<section>
  <h2>First-Party Cookies</h2>
  <p>Set directly by {siteHostname}. Not shared with other domains.</p>
  {/* COOKIE_REGISTRY.filter(c => !c.thirdParty) */}
</section>
<section>
  <h2>Third-Party Cookies</h2>
  <p>
    Set by external services loaded on our pages. These providers may also
    collect data on other sites where their scripts run. Each provider is
    subject to its own privacy policy.
  </p>
  {/* COOKIE_REGISTRY.filter(c => c.thirdParty), include provider + privacyPolicyUrl column */}
</section>
Filter COOKIE_REGISTRY by thirdParty: true | false and render the provider's privacy policy URL as a link in the third-party table.
ID: cookie-consent-compliance.cookie-policy.first-third-party-distinction
Severity: info
What to look for: Read the cookie policy page. Does it explain the distinction between first-party cookies (set by the domain the user is visiting) and third-party cookies (set by external services loaded on the page)? Is this distinction reflected in how cookies are grouped or labeled? Check whether each cookie entry in the policy indicates First party or the third-party provider name. Look for an explanation of what third-party cookies mean for users' privacy — that third parties can track users across sites where that provider's scripts appear. If the application uses embedded content (YouTube, Google Maps) that sets cookies, does the policy explain that those are third-party cookies outside the publisher's direct control?
Pass criteria: Count all cookies and classify each as first-party or third-party. Cookie policy explicitly distinguishes between first-party and third-party cookies, either by grouping, labeling, or explanatory text. Third-party cookies are attributed to their providers. An explanation of the implications of third-party cookies is present. 100% of cookies in the cookie policy must be clearly labeled as first-party or third-party.
Fail criteria: Cookie policy lists all cookies in a single undifferentiated list with no first-party/third-party distinction. Third-party cookies are attributed to the application as if they were first-party.
Skip (N/A) when: No cookie policy page exists (already failing at cookie-policy-page). Application sets only first-party cookies with no third-party scripts.
Detail on fail: Example: "Cookie policy lists all cookies in a single table with no indication of which are first-party vs. third-party. _ga listed with 'Our analytics' as provider rather than 'Google LLC'."
Remediation: Add first-party/third-party grouping to the cookie policy:
// Section-based approach for the cookie policy page
<h2>First-Party Cookies</h2>
<p>These cookies are set directly by our website.</p>
{/* table of COOKIE_REGISTRY entries where thirdParty === false */}
<h2>Third-Party Cookies</h2>
<p>
  These cookies are set by external services that run on our pages. We do not control
  these cookies directly. Each provider has its own privacy policy governing how
  they use the data these cookies collect. Third-party providers may also use these
  cookies to track your activity across other websites where their services appear.
</p>
{/* table of COOKIE_REGISTRY entries where thirdParty === true, with provider column */}
Filter the COOKIE_REGISTRY by thirdParty: true | false to populate the two sections automatically.
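The pass criteria above require every cookie to be labeled and every third-party cookie to be attributed to a provider; the check below enforces that on the registry before the two sections are rendered. It is an added example, not the project's own code: the entry shape and the `name` field are assumptions, and the sample registry is constructed.

```typescript
// Added example, not the project's code. Field names thirdParty, provider and
// privacyPolicyUrl come from the page; `name` and the entry shape are assumptions.
interface CookieEntry {
  name: string;
  thirdParty?: boolean;
  provider?: string;
  privacyPolicyUrl?: string;
}

type PolicyAudit = { firstParty: CookieEntry[]; thirdParty: CookieEntry[]; findings: string[] };

// A provider link is only rendered if it parses as an absolute https URL,
// so a bad registry value cannot end up as a javascript: or http: href.
function isSafePolicyUrl(value: string | undefined): boolean {
  if (!value) return false;
  try {
    return new URL(value).protocol === "https:";
  } catch {
    return false;
  }
}

function auditCookieRegistry(registry: CookieEntry[]): PolicyAudit {
  const audit: PolicyAudit = { firstParty: [], thirdParty: [], findings: [] };
  for (const c of registry) {
    if (typeof c.thirdParty !== "boolean") {
      // 100% of cookies must be labeled; an unlabeled entry never defaults to first-party.
      audit.findings.push(`${c.name}: not labeled first-party or third-party`);
      continue;
    }
    if (!c.thirdParty) { audit.firstParty.push(c); continue; }
    audit.thirdParty.push(c);
    if (!c.provider?.trim()) audit.findings.push(`${c.name}: third-party cookie has no provider`);
    if (!isSafePolicyUrl(c.privacyPolicyUrl)) audit.findings.push(`${c.name}: missing or non-https privacyPolicyUrl`);
  }
  return audit;
}

// Constructed sample registry: names other than _ga and all URLs are made up.
const SAMPLE_REGISTRY: CookieEntry[] = [
  { name: "session_id", thirdParty: false },
  { name: "_ga", thirdParty: true, provider: "Google LLC", privacyPolicyUrl: "https://provider.example/privacy" },
  { name: "embed_pref", thirdParty: true, provider: "", privacyPolicyUrl: "javascript:void(0)" },
  { name: "theme" },
];
```

Running the audit in CI or at build time and failing on a non-empty `findings` list keeps new registry entries from reaching the policy page unlabeled.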