Privacy Audit — Episode #02: x.com

2026-03-09 · 6.1/10 overall

TL;DR

🔍 Pre-consent fingerprinting across 5 APIs

Canvas, WebGL, MediaDevices, and WebRTC fingerprinting all fire before any consent interaction — a clear ePrivacy Art. 5(3) violation from X's own vendor.js bundle.

Reject button actually works

Clicking 'Refuse non-essential cookies' prevents all marketing cookies (guest_id_ads, guest_id_marketing, personalization_id) from being set. Only a preference-recording cookie is added.

🤔 guest_id declared as 'authentication' — lasts 396 days

X's cookie policy classifies guest_id as an authentication cookie, yet it's set pre-consent for unauthenticated visitors with a 13-month lifespan. That's tracking in disguise.

Score breakdown

Consent               6.4 / 10
Legal Pages           8 / 10
Cross-Border          7.8 / 10
Dark Patterns         7.8 / 10
Security Headers      6.1 / 10
Cookie Management     3.7 / 10
Pre-Consent Tracking  3.7 / 10


GDPR compliance

Article          Status
Art. 6(1)(a)     partial
ePrivacy 5(3)    fail
ePrivacy 5(3)    fail
Art. 7(3)        fail
Art. 7(1)        partial
Art. 13/14       partial
Art. 25          fail
Art. 44-49       pass
Art. 12          pass

Recommendations

critical: Remove pre-consent fingerprinting

Canvas, WebGL, MediaDevices, and WebRTC fingerprinting fire from vendor.js before any consent interaction. Under ePrivacy Art. 5(3) and EDPB Guidelines 2023, fingerprinting requires prior consent.

ePrivacy Art. 5(3) · EDPB Guidelines 2023; AEPD multiple decisions
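One way to collect the evidence behind this finding from the defender's side is to wrap the fingerprinting-capable browser APIs before any vendor bundle loads and record whether consent had been granted when each call happened. The code below is an added example, not code from the audit or from X; the `consent` object with a `granted` flag is an assumption standing in for the banner's state, and the `demo()` function uses constructed stand-in objects so the same logic runs outside a browser.

```javascript
// Added example (not from the audit page): wrap fingerprinting-capable APIs so
// that every call is logged with whether consent had been granted at the time.
// `consent` is a hypothetical { granted: boolean } object; in a page it would
// mirror the consent banner's state. Must run before any vendor bundle loads.

function instrumentFingerprintApis(targets, consent, log = []) {
  for (const { obj, api, method } of targets) {
    const original = obj[method];
    if (typeof original !== 'function') continue; // API absent in this environment
    obj[method] = function wrapped(...args) {
      // Two frames above the wrapper: who called the API (script URL and line).
      const caller = (new Error().stack || '').split('\n').slice(2, 4).join(' | ');
      log.push({ api, method, preConsent: !consent.granted, caller, at: Date.now() });
      return original.apply(this, args); // behaviour unchanged; this is an observer only
    };
  }
  return log;
}

// Calls that happened before consent, counted per API: the figure the audit reports.
function preConsentSummary(log) {
  const summary = {};
  for (const e of log) {
    if (!e.preConsent) continue;
    summary[e.api] = (summary[e.api] || 0) + 1;
  }
  return summary;
}

// In a browser the targets are the real prototypes, for example:
//   { obj: HTMLCanvasElement.prototype,        api: 'canvas',       method: 'toDataURL' },
//   { obj: CanvasRenderingContext2D.prototype, api: 'canvas',       method: 'getImageData' },
//   { obj: WebGLRenderingContext.prototype,    api: 'webgl',        method: 'getParameter' },
//   { obj: MediaDevices.prototype,             api: 'mediaDevices', method: 'enumerateDevices' },
//   { obj: RTCPeerConnection.prototype,        api: 'webrtc',       method: 'createDataChannel' },
// Below, constructed stand-ins let the same code run offline.
function demo() {
  const fakeCanvas = { toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; } };
  const fakeMedia = { enumerateDevices() { return ['audioinput']; } };
  const consent = { granted: false };
  const log = instrumentFingerprintApis([
    { obj: fakeCanvas, api: 'canvas', method: 'toDataURL' },
    { obj: fakeMedia, api: 'mediaDevices', method: 'enumerateDevices' },
  ], consent);
  fakeCanvas.toDataURL();        // pre-consent call
  fakeMedia.enumerateDevices();  // pre-consent call
  consent.granted = true;
  fakeCanvas.toDataURL();        // after consent: logged, but not a violation
  return { log, summary: preConsentSummary(log) };
}
```

The wrapper has to be installed from an inline script in the document head, ahead of `vendor.js`, or the first calls will already have happened; the `caller` field is what lets you attribute a call to a specific bundle rather than to the page as a whole.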

critical: Implement consent revocation mechanism

No way to withdraw cookie consent after accepting. GDPR Art. 7(3) requires withdrawal to be as easy as giving consent. Add a persistent 'Cookie Settings' link in the footer.

GDPR Art. 7(3) · EDPB Guidelines 05/2020; CNIL multiple decisions

high: Gate pre-consent tracking cookies behind consent

guest_id (396d) and __cuid (400d) are set before any consent interaction. Either defer to post-consent or reduce lifespans if truly essential.

ePrivacy Art. 5(3) · CNIL: Amazon EUR 35M (2020); Microsoft EUR 60M (2022)

high: Disclose all cookies in cookie policy

personalization_id, guest_id_ads, and __cuid are not listed in the cookie disclosure table. Reclassify guest_id from 'authentication' to its actual purpose.

GDPR Art. 13 · CNIL: Criteo EUR 40M (2023)

medium: Add granular consent toggles

Current binary accept/reject provides no category-level control. Add toggles for analytics, advertising, and personalisation.

GDPR Art. 7 · EDPB Guidelines 03/2022 on dark patterns
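The three consent recommendations above (withdrawal, gating tracking cookies behind consent, and category-level toggles) fit together in one small model, shown here as an added example rather than anything X ships. The cookie-to-category mapping is a constructed assumption for illustration, the cookie jar is an injected `Map` so the code runs outside a browser (a page adapter would write `document.cookie` instead), and `simulateVisit()` replays the audit's scenario of a page trying to set tracking cookies before the visitor has chosen.

```javascript
// Added example (not from the audit page): a consent model with category
// toggles, cookies gated on the category the visitor granted, and withdrawal
// that removes what was set (Art. 7(3)). The jar is injected so this runs
// offline; in a page the adapter would write document.cookie.

const CATEGORIES = ['analytics', 'advertising', 'personalisation'];
const ESSENTIAL = 'essential';

// Constructed classification of the cookies named in the audit. The category
// assigned to each is an assumption for illustration, not the site's own declaration.
const COOKIE_CATALOGUE = {
  consent_prefs: ESSENTIAL,
  guest_id_ads: 'advertising',
  guest_id_marketing: 'advertising',
  personalization_id: 'personalisation',
};

class ConsentManager {
  constructor(jar) {
    this.jar = jar;             // Map: name -> { value, category, maxAgeDays }
    this.granted = new Set();   // categories the visitor has consented to
  }

  // Record the visitor's per-category choice (a banner with toggles calls this).
  update(choices) {
    for (const c of CATEGORIES) {
      if (choices[c]) this.granted.add(c);
      else this.withdraw(c);
    }
    // The preference itself is essential: it stops the banner reappearing.
    this.set('consent_prefs', JSON.stringify([...this.granted].sort()), 180);
  }
  acceptAll() { this.update(Object.fromEntries(CATEGORIES.map(c => [c, true]))); }
  rejectAll() { this.update({}); }

  // Withdrawal must be as easy as consent and must take effect: drop the cookies too.
  withdraw(category) {
    this.granted.delete(category);
    for (const [name, entry] of this.jar) {
      if (entry.category === category) this.jar.delete(name);
    }
  }

  // Returns true if the cookie was set, false if its category lacks consent.
  set(name, value, maxAgeDays) {
    const category = COOKIE_CATALOGUE[name];
    // Every cookie must be disclosed (Art. 13): refuse anything not in the catalogue.
    if (category === undefined) throw new Error(`undeclared cookie: ${name}`);
    if (category !== ESSENTIAL && !this.granted.has(category)) return false;
    this.jar.set(name, { value, category, maxAgeDays });
    return true;
  }
}

// Replays the audit scenario: tracking cookies attempted before and after the choice.
// `choice` is 'accept', 'reject', or a per-category object such as { advertising: true }.
function simulateVisit(choice) {
  const jar = new Map();
  const cm = new ConsentManager(jar);
  const attempted = ['guest_id_ads', 'guest_id_marketing', 'personalization_id'];
  const beforeConsent = attempted.filter(n => cm.set(n, 'v', 396));
  if (choice === 'accept') cm.acceptAll();
  else if (choice === 'reject') cm.rejectAll();
  else cm.update(choice);
  const afterConsent = attempted.filter(n => cm.set(n, 'v', 396));
  return { beforeConsent, afterConsent, cookies: [...jar.keys()].sort(), manager: cm };
}
```

The gate lives in `set()`, not in the banner: a vendor bundle that calls the cookie adapter before the visitor has chosen gets `false` back, which is exactly the behaviour the audit found missing for `guest_id` and `__cuid`.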

medium: Add missing security headers and SRI

Add Referrer-Policy: strict-origin-when-cross-origin and Permissions-Policy. Implement SRI on external scripts (currently 0/6 coverage).

Security best practice · OWASP Security Headers guidance
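A re-check of this recommendation after a fix can be scripted. The following is an added example, not part of the audit tooling: `auditHeaders()` flags a missing or weak `Referrer-Policy` and a missing `Permissions-Policy` from a response header object, and `sriCoverage()` parses the `<script src>` tags of a page, counts the cross-origin ones, and reports which lack `integrity` or carry `integrity` without `crossorigin` (which makes the browser block the script rather than verify it). The HTML, header set and page URL are constructed samples; nothing is fetched.

```javascript
// Added example (not from the audit page): check response headers and script
// tags against the "security headers and SRI" recommendation. All inputs are
// constructed samples; nothing is fetched.

const SAFE_REFERRER_POLICIES = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// headers: plain object of response headers, names in any case.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const rp = h['referrer-policy'];
  if (!rp) {
    findings.push('Referrer-Policy missing; add "strict-origin-when-cross-origin"');
  } else if (!SAFE_REFERRER_POLICIES.has(rp.toLowerCase())) {
    findings.push(`Referrer-Policy "${rp}" is weaker than strict-origin-when-cross-origin`);
  }
  if (!h['permissions-policy']) {
    findings.push('Permissions-Policy missing; restrict camera, microphone, geolocation');
  }
  return findings;
}

// Parse one tag's attribute string into a lowercase-keyed object.
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrString)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Count cross-origin scripts and report SRI gaps. Same-origin and inline scripts
// are out of scope for SRI and are skipped.
function sriCoverage(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const result = { external: 0, withIntegrity: 0, missingIntegrity: [], missingCrossorigin: [] };
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;
    let origin;
    try { origin = new URL(attrs.src, pageUrl).origin; } catch { continue; }
    if (origin === pageOrigin) continue;
    result.external++;
    if (attrs.integrity) {
      result.withIntegrity++;
      // Cross-origin SRI needs a CORS-enabled load; without crossorigin the browser
      // cannot read the bytes to hash and blocks the script entirely.
      if (!('crossorigin' in attrs)) result.missingCrossorigin.push(attrs.src);
    } else {
      result.missingIntegrity.push(attrs.src);
    }
  }
  return result;
}

// Constructed sample page: one same-origin script, three cross-origin scripts
// in different states, and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/vendor.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-CONSTRUCTEDHASH" crossorigin="anonymous"></script>
<script src="https://analytics.example/tag.js" integrity="sha384-CONSTRUCTEDHASH2"></script>
<script>inlineInit();</script>
</head></html>`;

function auditSample() {
  return {
    headers: auditHeaders({ 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' }),
    sri: sriCoverage(SAMPLE_HTML, 'https://site.example/'),
  };
}
```

Run against a real response, the two numbers to report are `withIntegrity / external` (the audit's 0/6) and the `missingCrossorigin` list, since a script with `integrity` but no `crossorigin` counts as covered by a naive attribute grep while failing in every browser.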