The rules of the game
Last August, I tweeted about the obstacle course required to refuse Decathlon's surveillance. To date, it is my most successful tweet, with 1,760 retweets and over 1 million impressions. Clearly, this was not enough to get a response from Yann, Decathlon's community manager. A few months after this episode, what has changed? Let us look at it in detail.
As soon as you arrive on the Decathlon website, you are greeted by a banner: “Cookies: The rules of the game”:
Decathlon rules, those of the law?
You are used to these dark patterns and instinctively click the "Refuse and close" button at the top right? I did too... Read the text carefully:
Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can revoke your consent or object to data processing based on legitimate interest at any time. by clicking on “Find out more”
Who are these partners? Mystery... How can you object to data processing based on legitimate interest? Decathlon's text is inconsistent because there is no "Learn more" button. Let us try anyway by clicking "Configure your cookies":
“Of course, the ball is in your court, it’s up to you to accept or refuse certain cookies to choose which ones stay on the field.”
The banner does not mention legitimate interest; you can still click "Refuse all". Let us continue the investigation by clicking "See our partners":
The long list of Decathlon partners.
Decathlon likes sharing your personal data and works with no fewer than 26 partners: AB Tasty, AT Internet, Awin, Bing (Microsoft), Content Square, Dynamic Yield, Easyence, Epsilon, Google, Hotjar, iAdvize, Idealo, Kelkoo, Lucky Orange, Meta (Facebook), Mobsuccess, Ogury, Pinterest, Rakuten Advertising, RTB House, SpeedCurve, Target2Sell, Teads, Teester, Valiuz and Verizon Media.
Here too, you can click "Block" for "All partners"; you will not see any mention of legitimate interest. These partners rely on your consent. The mystery remains as to which "partners" rely on legitimate interest. At first glance, it seems that simply clicking "Refuse and close" at the top right of the initial banner is enough.
Via the Consent String Decoder website, I nevertheless check my consent string, a character string that encodes my choices and must be respected by Decathlon's partners:
The variables purposeConsents and purposeLegitimateInterests are empty: no Decathlon partner has a legal basis to process my personal data.
After refusal, you are still tracked by iAdvize
After clicking "Refuse and close", I launch Charles Proxy to observe the requests sent by my browser:
Surprise! Decathlon is not the only recipient of my personal data.
iAdvize therefore follows your browsing, thanks to the parameters url, sourceVisitorId and deviceId. The cookieConsent parameter is also questionable: it is set to unknown! What is iAdvize? A conversational window on the Decathlon website, designed to encourage purchases:
Sporty by iAdvize, always available to observe your behavior!
If I return to the cookie banner to check my choices, via "Cookie management" (and not "Personal data") at the bottom of the page:
Lots of love for “unnecessary cookies”.
Then, if I click "Manage my cookies" and search for my choice for iAdvize:
I did refuse iAdvize surveillance; Decathlon therefore ignores my choice.
Note that Decathlon and iAdvize could argue that iAdvize does not set cookies when you click "Refuse and close". Except that iAdvize identifies you via the identifiers sourceVisitorId and deviceId. A fingerprint is indeed a user identifier, and your consent is required:
The CNIL is explicit about the application of the ePrivacy directive: "fingerprinting" is covered.
Registration, with a mysterious partner but strong commitments
Do you now want to order from Decathlon? You will need to register:
As a team! Decathlon offers you its offer with “its partners”.
You have already refused surveillance by 26 partners, so why is Decathlon talking to you about “partners” again? It seems that the reference is more to the sellers on its marketplace, but we would have liked Decathlon to be more explicit. Enter an email address, then a password:
One more “partner”, Valiuz (remember this name for the rest).
You do not necessarily want to receive Decathlon newsletters via the mysterious partner "Valiuz", so do not check the box and simply click "Confirm and continue":
The phone number is mandatory, and of course, it is only to contact you about your order ;-)
You can also enter your favorite sports. On the same page, Decathlon explains how your data is used, starting with account creation:
With strong words:
Where does your data go? At our place, and that's it! It is rare that we appreciate that our email is sold to other brands. Rest assured, this is not house policy. Your data is only intended for Decathlon: our logistics service, our customer relations center, etc.. If our subcontractors process your data, they only do so for statistical purposes, deduplication or correction, and on the instructions of DECATHLON.
Decathlon uses the same language to explain how your data is used for communications:
We note the athlete's confidence:
Finally, if despite the interest we have in protecting your data you are not satisfied, you can file a complaint with the CNIL.
These commitments concern account creation and Decathlon communications. But as we saw earlier, with your consent (except for iAdvize), Decathlon can share your personal data with no fewer than 26 partners for various purposes: "Personalized ads", "Audience and content performance measurement" and "Content personalization".
Some of your personal data is therefore not intended only for Decathlon...
Looking for privacy settings
Being suspicious, I want to check whether Decathlon has properly protected my account, with the most privacy-friendly options enabled. To do this, I go to "My dashboard":
The quickest access to privacy settings?!
In the "Manage my Decathlon account" section of the menu, hidden under "Preferences", I discover two interesting entries: "Browsing history" and "Personal data":
Victory?
Let's click on "Browsing history":
Always “improving the on-site experience”.
When you uncheck the option, Decathlon explains that you will no longer see articles you have already viewed:
This “Browsing History” option is indeed well hidden.
If I now click on "Personal data", I land on the page "Your data & Decathlon". To make sure I do not miss any options, I click the "Security" entry in the "My dashboard" page menu. And there, surprise: a second dashboard:
“Manage all your data in one place!” If you find it ;-)
There, you can give Decathlon a little more information, including your body measurements:
Surveillance capitalism is attacking your body.
The idea? Offer you products and services adapted to your body type:
Decathlon supports you in your discipline. Tempting, isn't it?
Next, let's look at the "Communication Preferences":
Obviously, almost all communications are pre-checked.
If you click "Unsubscribe from all information", you will be asked if you are really sure:
After all these efforts, they wonder whether you really want to miss their commercial communications.
Finally, let us go to the "Data Usage" entry in the menu:
Another relevant page concerning your privacy, well hidden, isn't it?
If you click "Edit" for "Partner websites and applications", you will see a more or less empty page, depending on your accounts:
Always partners, and yet “Your data is only intended for Decathlon”.
I have no "Partner Websites and Applications", so no additional sharing of personal data. If you now click "Edit" for "Deduction of preferences by Decathlon":
The option is pre-checked, a classic!
If you remember, I have already deactivated my browsing history as well as all communications. How can Decathlon continue to "infer" my preferences? Mystery... Let us now click "Modify" for "Share with Valiuz":
A new pre-checked option, to share your data with “a group of brands”.
Decathlon's commitment at registration bears repeating:
Where does your data go? At our place, and that's it! It is rare that we appreciate that our email is sold to other brands. Rest assured, this is not house policy. Your data is only intended for Decathlon: our logistics service, our customer relations center, etc. If our subcontractors process your data, they only do so for statistical purposes, deduplication or correction, and on the instructions of DECATHLON.
So it is not company policy, but it is still what Decathlon does, for your most interesting personal data: purchasing habits, address, household composition, contact details. You may have refused everything, but this sharing is activated by default, with a mysterious group of brands. Also, via @Eriatolc, you will learn that Decathlon automatically enrolls you in its loyalty program.
Speaking of Valiuz, it's a partner that I had already blocked:
A partner already blocked, but with whom Decathlon still shares your personal data.
The text of the consent banner is interesting, because Valiuz allows itself to do a lot with your personal data:
VALIUZ helps personalize advertising banners distributed online (on the websites of alliance members, external sites, social networks), promoting the products and services of third-party advertisers (audience extension). Your data is never transmitted to the advertisers concerned. VALIUZ constitutes audiences (list of people with common points) based on your browsing data and the information you have transmitted to the alliance companies, and these audiences are exposed to online advertisements that match their profile.
On the page "Your data & Decathlon", in the section "OUR COMMUNICATIONS ARE ADAPTED TO YOUR SPORTS LIFE", you can find out a little more about this "audience extension":
Valiuz sells advertising campaigns based on your profile, on websites that do not belong to the alliance ("audience extension"). A very nice business!
Learn more about Valiuz
To better understand what Valiuz does, I clicked the link "Learn more about Valiuz" from Decathlon's "Sharing with the Valiuz program" page. Here I am on the Valiuz website, and here is the list of alliance members: Auchan, Boulanger, Kiabi, Leroy Merlin, Norauto, Flunch, 3 Brasseurs, Alinea, Top Office, Saint Maclou, Tape à l'oeil, Jules, Electro Depot, Rouge-Gorge, Nhood, Chronodrive, Grain de Malice, Bizzbee, Decathlon, Oney, "and many more to come!"
On the page "How it works", Valiuz sells you on the usefulness of its targeted emails:
"I am a family with 2 children, who have a strong interest in fresh & hi-tech products for cooking."
Valiuz also sells you on the usefulness of its targeted SMS and notifications:
"I am a customer who only buys in store and never online, and visits my usual shopping area on Saturdays."
But Valiuz also seeks to reassure you:
Your data is, and will never be, resold or exchanged between Valiuz partner brands. Only Valiuz has access to the data transmitted to it by its partners.
Valiuz has created a common pool of your personal data across the different partner brands, to better exploit it:
Valiuz allows Decathlon and other partner brands to better target you.
What about the unique identifier created by Valiuz? The page "My rights" gives a little detail:
I hope you are reassured: all your identifying data (your email address, postal address or phone number) is hashed before being compared between brands. For the clever ones among you who use an email alias system such as SimpleLogin, Valiuz will find you using your phone number (required at registration) and your postal address (recommended if you have ordered).
By the way, the hash of your email address is probably already known to the major platforms and to all of adtech. Is it “secure”, as Valiuz says?
“Valiuz ensures maximum security”.
We can doubt it. Go take a look at "Have I been pwned" and check your email address: it is likely to have leaked (just like your phone number). If that is the case, someone with access to the leak will be able to trace your email address from its hash.
Still on the “My rights” page, you can object to the use of your information related to your purchases (in store and online) within the framework of Valiuz:
Enter your email so you are not monitored via your email.
Why give your email address? This would be the only way to “unsubscribe”:
This email address must be known to one of the members of the alliance, in order to allow us to identify the customer profile concerned. It will only be used to send you an automatic confirmation message and will be pseudonymized (i.e. it will be transformed into information of type 1a2b3c4d5e6f which we will compare with our data to take your request into account).
In practice, you can also uncheck the “Sharing with the Valiuz program” option in your Decathlon account. But you will have to do this with every other brand in the Valiuz alliance for which you have an account, assuming they offer the option:
Objecting to sharing my Decathlon data with Valiuz vs objecting to the Valiuz service globally.
During my test last August, it was possible to object to the processing of browsing information, at the cost of a magnificent dark pattern:
When it's 'OFF', it's 'ON'.
So how can you block the processing of your browsing information? We return to the initial consent banner:
The obstacle course.
To refuse the Valiuz cookie, you must use the cookie management tool available on our partners’ websites.
Phew! So it was already done, right from the start of this article. It would nevertheless have been useful to let users refuse this surveillance directly from the Valiuz site, for all alliance sites. You must now click "Refuse all" on the consent banner of each alliance site.
And note that when Valiuz combines information related to your purchases (in store and online) with information from your browsing, that is a lot of information:
To better profile you, Valiuz also collects “data freely accessible to the public (open-data) or from databases provided by third parties (example: INSEE).”
Another bonus: your browsing information and the matching with data held by alliance members is not handled directly by Valiuz. It is carried out via the French adtech company Mediarithmics:
“Your data is only intended for Decathlon”, new episode.
What are the legal bases for Valiuz processing?
Difficult question, if we go by the available information:
Valiuz is based on consent (via Decathlon’s cookies banner) for:
- The personalization of advertising banners distributed online (on the websites of alliance members, external sites, social networks), promoting the products and services of third-party advertisers (audience extension). VALIUZ constitutes audiences (list of people with common points) based on your browsing data and the information you have transmitted to the alliance companies, and these audiences are exposed to online advertisements that match their profile.
Valiuz relies on its legitimate interest for the rest, namely:
- To carry out non-individual statistical analyses allowing its partner companies to better understand their customers' expectations and respond to them by developing their activity.
- To improve the quality of customer information from its partner companies and thus contribute to their updating (example: identify people whose postal address is obsolete, to stop sending them communications).
- To segment the customer databases of its partner companies and thus help improve the relevance of the communications they send to you.
We better understand this articulation in the section “What is the service provided by VALIUZ” on the page “Alliance personal data and cookies policy":
Legitimate interest in advertising profiling, consent for browsing data and display of targeted advertising.
So the enigmatic message in the consent banner on the Decathlon website now makes sense:
Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can revoke your consent or object to data processing based on legitimate interest at any time by clicking “Learn more”
Except that objecting to data processing based on legitimate interest was a little more complicated than clicking "Learn more"; this banner is particularly dishonest. More generally, Decathlon seems to have a problem with the notion of consent, as shown by the page "Your data & Decathlon", section “OUR COMMUNICATIONS ARE ADAPTED TO YOUR SPORTS LIFE”:
"[...] if and only if the persons concerned have consented [...]", but we still rely on legitimate interest.
Behind Valiuz, the Mulliez group
Who is behind this “Valiuz” alliance? If you are not familiar with French-style capitalism, you will not necessarily guess that Auchan, Decathlon or Leroy Merlin belong to the very wealthy Mulliez family. The article "Valiuz, the data project with 150 million loyalty cards from the Mulliez group" (which you can read using your browser's "reader" mode), written in 2019, gives some information:
- Valiuz already reached 29 million French households.
- It therefore brought together more than 150 million loyalty cards.
- This is not the only alliance, 3W.RelevanC (Casino) brought together 31 million consumers, the article also mentions RetailLink from Fnac-Darty.
- Mediarithmics sends user profiles to the Data Management Platforms (DMPs) of the various alliance members, so other adtech players recover your enriched personal data.
- Currently limited to the Mulliez galaxy, the initiative could open up to other groups in the coming months, particularly in verticals where AFM member entities are not present, such as telecoms.
If you remember, Valiuz said:
Your data is, and will never be, resold or exchanged between Valiuz partner brands. Only Valiuz has access to the data transmitted to it by its partners.
Valiuz also offers a cashback app, to siphon off your banking transactions
Valiuz retrieves your online and in-store purchase histories from alliance members. But why not recover all your banking transactions? Obviously, if you care even a little about your privacy, you will not use this type of app, but Valiuz offers a "cashback" app called Naomi:
Automatically accumulating rewards, interesting, isn't it?
When registering, Naomi asks you for access to your bank account:
“Your banking connection information simply allows us to identify your purchases to pay out your winnings.”
Naomi does not in fact have access to banking credentials, "only" to all of the customer's banking transactions:
Privacy and security, why worry?
The Naomi app's "personal data protection policy" is interesting. We note that statistical studies on your banking transactions are based on the legitimate interest of Naomi, aka Valiuz:
Still the famous pseudonymization, now with all of your banking transactions.
Given the sensitivity of the data collected, you will not necessarily be reassured to read that Naomi uses subcontractors for many actions:
“statistical studies, segmentation and advertising profiling based on data”, carried out by unnamed subcontractors.
The icing on the cake: Naomi works with the kings of surveillance capitalism, Google and Facebook:
The famous "pixels", very effective tracking vectors.
But bank transactions are not precise enough. Naomi wants to know exactly what you bought, and therefore suggests that you scan receipts:
Naomi thus retrieves purchase details: product type, stores, date, amount.
Note that, unlike Decathlon, the legal basis for profiling for the Valiuz alliance is consent:
Lucky you: purchases or payments that are sensitive or do not correspond to a purchase are not shared by Naomi.
As the Valiuz Twitter account puts it so beautifully:
Valiuz, knowing you better to talk to you better.
Surveillance capitalism is recruiting
Convinced by this glowing article, you decide to go to the Valiuz page on Welcome to the Jungle and read job offers. If you are in operations, you could be a Programmatic Account Manager, for example:
“Specialized in the implementation of economic models around data”.
If you have a salesperson's soul, you could be a Sales Manager - Retail Media:
"Valiuz Media, the most powerful retail offering on the market: 18 complementary brands, 55 million registered customers, 1.7 billion omnichannel transactions, 3,520 stores in France."
But why work at Valiuz, you ask?
“[...] the largest customer database in France” sounds like a dream, right?
The final word, on Valiuz's homepage, with “Our values”:
“We do not sell your information.”