Decathlon, all-in on surveillance

The Mulliez family maximizes the use of your personal data

Published by Pixel de Tracking on January 16, 2023

The rules of the game

Last August, I tweeted about the obstacle course from hell you have to run to refuse Decathlon's surveillance. To date, this is my most successful tweet, with 1760 retweets and over 1 million impressions. Obviously, this was not enough to earn a response from Yann, Decathlon's community manager. A few months after this episode, what has changed? Let's study this in detail.

As soon as you arrive on the Decathlon website you are greeted by a banner “Cookies: The rules of the game”:

Decathlon rules, those of the law?

You are used to these dark patterns and instinctively, you click on the "Refuse and close" button at the top right? I did this too... Read the text carefully:

Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can revoke your consent or object to data processing based on legitimate interest at any time by clicking on “Learn more”

Who are these partners? Mystery... How do you object to data processing based on legitimate interest? Decathlon's text is inconsistent, because there is no "Learn more" button. Let's try anyway by clicking on "Configure your cookies":

“Of course, the ball is in your court, it’s up to you to accept or refuse certain cookies to choose which ones stay on the field.”

The banner does not mention legitimate interest, but you can still click on "Refuse all". Let's continue the investigation by clicking on "See our partners":

The long list of Decathlon partners.

Decathlon likes to share your personal data and works with no less than 26 partners: AB Tasty, AT Internet, Awin, Bing (Microsoft), Content Square, Dynamics Yield, Easyence, Epsilon, Google, Hotjar, IAdvize, Idealo, Kelkoo, Lucky Orange, Meta (Facebook), Mobsuccess, Ogury, Pinterest, Rakuten advertising, RTB House, SpeedCurve, Target 2 Sell, Teads, Teester, Valiuz and Verizon Media.

Here too, you can click on "Block" for "All partners". You will not see any mention of legitimate interest: these partners rely on your consent. The mystery remains as to which "partners" rely on legitimate interest; at first glance, a simple click on "Refuse and close" at the top right of the initial banner seems sufficient.

Using the Consent String Decoder website, I nevertheless check my consent string, a character string that encodes my choices and that Decathlon’s partners must respect:

The variables purposeConsents and purposeLegitimateInterests are empty, no Decathlon partner has a legal basis to process my personal data.
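The check described above can be reproduced offline. The following is an added example, not code from the original article or from the decoder site: it assumes the consent string is an IAB TCF v2 TC string and decodes only the fixed-width header of its core segment (vendor-level sections are not parsed). The sample strings are constructed by the helper `encode_core`, which is part of this example.

```python
import base64

# Core-segment header of an IAB TCF v2 TC string: (field name, width in bits).
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("lastUpdated", 36), ("cmpId", 12),
    ("cmpVersion", 12), ("consentScreen", 6), ("consentLanguage", 12),
    ("vendorListVersion", 12), ("tcfPolicyVersion", 6),
    ("isServiceSpecific", 1), ("useNonStandardStacks", 1),
    ("specialFeatureOptins", 12), ("purposeConsents", 24),
    ("purposeLegitimateInterests", 24), ("purposeOneTreatment", 1),
    ("publisherCC", 12),
]
BITMAPS = {"specialFeatureOptins", "purposeConsents", "purposeLegitimateInterests"}
LETTERS = {"consentLanguage", "publisherCC"}  # two 6-bit letters, 0 = "A"


def decode_core(tc_string: str) -> dict:
    """Decode the fixed-width header of the core (first dot-separated) segment."""
    segment = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    bits = "".join(f"{byte:08b}" for byte in raw)
    if len(bits) < 6 or int(bits[:6], 2) != 2:
        raise ValueError("not a TCF v2 consent string")
    out, pos = {}, 0
    for name, width in CORE_FIELDS:
        chunk = bits[pos:pos + width]
        if len(chunk) < width:
            raise ValueError(f"consent string truncated before {name}")
        pos += width
        if name in BITMAPS:
            # Leftmost bit is purpose 1; a set bit means that purpose is allowed.
            out[name] = [i + 1 for i, bit in enumerate(chunk) if bit == "1"]
        elif name in LETTERS:
            out[name] = "".join(chr(65 + int(chunk[i:i + 6], 2)) for i in (0, 6))
        else:
            out[name] = int(chunk, 2)
    return out


def encode_core(values: dict) -> str:
    """Build a constructed sample string (core header only, no vendor sections)."""
    bits = ""
    for name, width in CORE_FIELDS:
        if name in BITMAPS:
            number = sum(1 << (width - p) for p in values.get(name, []))
        elif name in LETTERS:
            first, second = values.get(name, "AA")
            number = ((ord(first) - 65) << 6) | (ord(second) - 65)
        else:
            number = values.get(name, 0)
        bits += format(number, f"0{width}b")
    bits += "0" * (-len(bits) % 8)  # pad to a whole number of bytes
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def legal_basis(decoded: dict) -> bool:
    """True if any purpose is enabled by consent or by legitimate interest."""
    return bool(decoded["purposeConsents"] or decoded["purposeLegitimateInterests"])


# Constructed samples: a "refuse all" state and one with some purposes enabled.
REFUSED = encode_core({"version": 2, "consentLanguage": "FR", "publisherCC": "FR"})
PARTIAL = encode_core({"version": 2, "consentLanguage": "FR", "publisherCC": "FR",
                       "purposeConsents": [1, 3],
                       "purposeLegitimateInterests": [7, 9]})
```

An empty `purposeConsents` and `purposeLegitimateInterests` only covers purpose-level signals; per-vendor bits live in later parts of the string that this example does not read.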

After refusal, you are still tracked by iAdvize

After clicking on "Refuse and close", I launch Charles Proxy to observe the requests sent by my browser:

Surprise! Decathlon is not the only recipient of my personal data.

iAdvize therefore follows your navigation, thanks to the parameters url, sourceVisitorId and deviceId. The cookieConsent parameter also raises questions: it is set to unknown! What is iAdvize? A conversational window on the Decathlon website, to encourage purchasing:

Sporty by iAdvize, always available to observe your behavior!

If I return to the cookies banner to check my choices, via "Cookie management" (and not "Personal data") at the bottom of the page:

Lots of love for “unnecessary cookies”.

Then, if I click on "Manage my cookies" and search for my choice for iAdvize:

I refused iAdvize monitoring, Decathlon therefore ignores my choice.

Note that Decathlon and iAdvize could argue that iAdvize does not set cookies when you click "Refuse and close". Except that iAdvize identifies you via the sourceVisitorId and deviceId identifiers: a fingerprint is indeed a user identifier, and your consent is required:

The CNIL is explicit about the scope of the ePrivacy directive: "fingerprinting" is covered.
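The proxy observation above can be turned into a repeatable check. This is an added example, not part of the original article: it scans request URLs exported from a proxy capture and reports third-party hosts that receive identifier-like parameters or the visited page URL, with or without cookies. The capture is constructed, the host `chat.vendor.example` is a placeholder, and the parameters are assumed to travel in the query string.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that look like persistent visitor or device identifiers.
ID_PARAM = re.compile(r"(visitor|device|user|client)_?id$", re.IGNORECASE)


def _host(value: str) -> str:
    """Hostname of a URL-looking value, or '' when the value is not a URL."""
    try:
        return urlsplit(value).hostname or ""
    except ValueError:
        return ""


def _is_first_party(host: str, first_party: str) -> bool:
    return host == first_party or host.endswith("." + first_party)


def audit_capture(urls, first_party):
    """Return third-party requests carrying identifiers or the visited page URL."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if _is_first_party(host, first_party):
            continue  # the site itself is out of scope for this check
        params = parse_qsl(parts.query, keep_blank_values=True)
        identifiers = sorted(k for k, v in params if ID_PARAM.search(k) and v)
        page_params = [k for k, v in params
                       if _is_first_party(_host(v), first_party)]
        consent = {k: v for k, v in params if "consent" in k.lower()}
        if identifiers or page_params:
            findings.append({"host": host, "identifiers": identifiers,
                             "page_url_params": page_params, "consent": consent})
    return findings


# Constructed capture, as it could look after clicking "Refuse and close".
CAPTURE = [
    "https://www.decathlon.fr/api/cart?session=abc",
    "https://chat.vendor.example/visitor/track"
    "?url=https%3A%2F%2Fwww.decathlon.fr%2Fp%2Ftent"
    "&sourceVisitorId=3f9c2a7e51b04d1c&deviceId=a1b2c3d4e5f60718"
    "&cookieConsent=unknown",
    "https://cdn.static.example/lib.js?v=42",
]

if __name__ == "__main__":
    for finding in audit_capture(CAPTURE, "decathlon.fr"):
        print(finding)
```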

Registration, with a mysterious partner but a strong commitment

Do you now want to order from Decathlon? You will need to register:

As a team! Decathlon presents its offer with “its partners”.

You have already refused the monitoring of 26 partners, why is Decathlon talking to you about “partners” again? It seems that the reference is more to the sellers of its marketplace, but we would have liked Decathlon to be more explicit. Enter an email address, then a password:

One more “partner”, Valiuz (remember this name for the rest).

You don't necessarily want to receive Decathlon newsletters, via the mysterious partner "Valiuz", so don't check the box and simply click on "Confirm and continue":

The telephone number is mandatory, and of course, it is only to contact you about your order ;-)

You can also enter your favorite sports. On the same page, Decathlon explains how your data is used, first of all for account creation:

With strong words:

Where does your data go? At our place, and that's it! It is rare that we appreciate that our email is sold to other brands. Rest assured, this is not house policy. Your data is only intended for Decathlon: our logistics service, our customer relations center, etc. If our subcontractors process your data, they only do so for statistical purposes, deduplication or correction, and on the instructions of DECATHLON.

Decathlon communicates with the same words on how your data is used for communication:

We note the confidence of the athlete:

Finally, if despite the interest we have in protecting your data you are not satisfied, you can file a complaint with the CNIL.

These commitments concern account creation and Decathlon communications. But as we saw previously, with your consent (except for iAdvize), Decathlon can share your personal data with no less than 26 partners for various purposes: "Personalized advertisements", "Audience and content performance measurement" and "Content personalization".

Some of your personal data is therefore not intended only for Decathlon...

Looking for privacy settings

Being suspicious, I want to check if Decathlon has correctly protected my account, with the most protective options on the privacy side. For this, I go to "My dashboard":

The quickest access to privacy settings?!

In the "Manage my Decathlon account" section of the menu, hidden in "Preferences", I discover 2 interesting entries, "Browsing history" and "Personal data":

Victory?

Let's click on "Browsing history":

Always “improving the on-site experience”.

When you uncheck the option, you are told that you will no longer see the articles already viewed:

This “Browsing History” option is indeed well hidden.

If I now click on "Personal data", I find myself on the page "Your data & Decathlon". To be sure not to miss any options, I click on the "Security" entry in the "My dashboard" page menu. And there, surprise, a second dashboard:

“Manage all your data in one place!” If you find it ;-)

There you can give Decathlon a little more information, including your measurements:

Surveillance capitalism is attacking your body.

The idea? Offer you products and services adapted to your body type:

Decathlon supports you in your discipline, that’s great, isn’t it?

Next, let's look at the "Communication Preferences":

Obviously, almost all communications are pre-checked.

If you click "Unsubscribe from all information", you will be asked if you are really sure:

After all these efforts, we wonder if you really want to miss our commercial communications.

Finally, let's go to the "Data Usage" entry in the menu:

Another relevant page concerning your privacy, well hidden, isn't it?

If you click "Edit" for "Partner websites and applications", you will see a more or less empty page, depending on your accounts:

Always partners, and yet “Your data is only intended for Decathlon”.

I have no "Partner Websites and Applications", no additional sharing of personal data. If you now click on "Edit" for "Deduction of preferences by Decathlon":

The option is pre-checked, a classic!

If you remember, I have already deactivated my browsing history as well as all communications, how can Decathlon continue to "infer" my preferences? Mystery... Let's now click on "Modify" for "Share with Valiuz":

New pre-checked option, to share your data with “a group of brands”.

We remind you of Decathlon's commitment when you register:

Where does your data go? At our place, and that's it! It is rare that we appreciate that our email is sold to other brands. Rest assured, this is not house policy. Your data is only intended for Decathlon: our logistics service, our customer relations center, etc. If our subcontractors process your data, they only do so for statistical purposes, deduplication or correction, and on the instructions of DECATHLON.

So it's not the house's policy, but it's still what Decathlon does, for your most interesting personal data: purchasing habits, address, composition of your household, contact details. You may have refused everything, but this sharing is activated by default, sharing with a group of mysterious brands. Also, via @Eriatolc, you will learn that Decathlon automatically enrolls you in its loyalty program.

Speaking of Valiuz, it's a partner that I had already blocked:

A partner already blocked, but with whom Decathlon still shares your personal data.

The text of the consent banner is interesting, as Valiuz allows itself to do a lot with your personal data:

VALIUZ helps personalize advertising banners distributed online (on the websites of alliance members, external sites, social networks), promoting the products and services of third-party advertisers (audience extension). Your data is never transmitted to the advertisers concerned. VALIUZ constitutes audiences (list of people with common points) based on your browsing data and the information you have transmitted to the alliance companies, and these audiences are exposed to online advertisements that match their profile.

On the page "Your data & Decathlon", section "OUR COMMUNICATIONS ARE ADAPTED TO YOUR SPORTS LIFE", you can find out a little more about this "audience extension":

Valiuz sells advertising campaigns based on your profile, on websites that do not belong to the alliance ("audience extension"), a very nice business!

Learn more about Valiuz

To better understand what Valiuz does, I clicked on the link "Learn more about Valiuz" from Decathlon's "Sharing with the Valiuz program" page. Here I am on the Valiuz website, and here is the list of alliance members: Auchan, Boulanger, Kiabi, Leroy Merlin, Norauto, Flunch, 3 brasseurs, Alinea, Top Office, Saint Maclou, Tape à l'oeil, Jules, Electro Depot, Rouge-Gorge, Nhood, Chronodrive, Grain de Malice, Bizzbee, Decathlon, Oney, "and many more to come!"

On the page "How it works", Valiuz sells you the usefulness of its targeted emails:

"I am a family with 2 children, who have a strong interest in fresh & hi-tech products for cooking."

Valiuz also sells you the usefulness of its targeted SMS and notifications:

"I am a customer who only buys in store and never online, and visits my usual shopping area on Saturdays."

But Valiuz also seeks to reassure you:

Your data is not, and never will be, resold or exchanged between Valiuz partner brands. Only Valiuz has access to the data transmitted to it by its partners.

Valiuz has created a common pool of your personal data on the different partner brands, to better use them:

Valiuz allows Decathlon and other partner brands to better target you.

What about the unique identifier created by Valiuz? The page "My rights" gives a little detail:

I hope you are reassured: all your identifying data (your email address, your postal address or your telephone number) are hashed before being compared between brands. For the smart ones among you who use an email alias system such as SimpleLogin, Valiuz will find you using your telephone number (required for registration) and your postal address (recommended if you have ordered).

By the way, the hash of your email address is probably already known to the major platforms and to all of adtech. Is it “secure” as Valiuz indicates?

“Valiuz ensures maximum security”.

We can doubt it. Go take a look at the site "Have I been pwned" and check your email address: it's likely that it has leaked (just like your phone number). If this is the case, someone with access to the leak will be able to trace your email address from its hash.
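Why a hashed email remains a personal identifier, as an added example that is not part of the original article: the same address always yields the same token, so brands can join their records on it, and anyone holding a list of candidate addresses can recompute the tokens. The scheme (unkeyed SHA-256 over the lowercased address) is an assumption, since the page does not say which function Valiuz uses; the addresses and records are constructed. The keyed variant is shown only for contrast.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    return email.strip().lower()


def pseudonymize(email: str) -> str:
    """Unkeyed SHA-256 of the normalized address (assumed scheme)."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_pseudonymize(email: str, key: bytes) -> str:
    """HMAC-SHA-256: tokens cannot be recomputed without the secret key."""
    return hmac.new(key, normalize(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def match_across_brands(brand_a: dict, brand_b: dict) -> dict:
    """Join two brands' records on the token alone; no clear-text email moves."""
    index_b = {pseudonymize(email): record for email, record in brand_b.items()}
    joined = {}
    for email, record in brand_a.items():
        token = pseudonymize(email)
        if token in index_b:
            joined[token] = (record, index_b[token])
    return joined


def reidentify(tokens, known_addresses, hasher=pseudonymize) -> dict:
    """Map tokens back to addresses using a list of already-known addresses."""
    table = {hasher(address): normalize(address) for address in known_addresses}
    return {token: table[token] for token in tokens if token in table}


# Constructed records held by two hypothetical brands of the same alliance.
BRAND_A = {"Alice@Example.com ": {"household": "2 children"}}
BRAND_B = {"alice@example.com": {"last_purchase": "tent"},
           "bob@example.com": {"last_purchase": "bike"}}
KNOWN = ["alice@example.com", "carol@example.com"]  # constructed candidate list

if __name__ == "__main__":
    joined = match_across_brands(BRAND_A, BRAND_B)
    print(joined)
    print(reidentify(joined.keys(), KNOWN))
```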

Still on the “My rights” page, you can object to the use of your information related to your purchases (in store and online) within the framework of Valiuz:

Enter your email to not be monitored via your email.

Why give your email address? This would be the only way to “unsubscribe”:

This email address must be known to one of the members of the alliance, in order to allow us to identify the customer profile concerned. It will only be used to send you an automatic confirmation message and will be pseudonymized (i.e. it will be transformed into information of type 1a2b3c4d5e6f which we will compare with our data to take your request into account).

In fact, you can also uncheck the “Sharing with the Valiuz program” option on your Decathlon account. But you will have to do this with all the other brands in the Valiuz alliance for which you have an account, if they offer the option:

Opposition to sharing my Decathlon data with Valiuz vs opposition to the Valiuz service in a global manner.

During my test last August, it was possible to object to the processing of navigation information, at the price of a magnificent dark pattern:

When it's 'OFF', it's 'ON'.

So how can you block the processing of your browsing information? We return to the initial consent banner:

The obstacle course.

To refuse the Valiuz cookie, you must use the cookie management tool available on our partners’ websites.

Phew! So it's already done, from the start of this article. It would nevertheless have been interesting to let the user refuse this monitoring directly from the Valiuz site, for all the alliance sites. You must now click on "Refuse all" on the consent banner of each of the alliance sites.

And note that when Valiuz combines information related to your purchases (in store and online) with information from your browsing, that's a lot of information:

To better profile you, Valiuz also collects “data freely accessible to the public (open-data) or from databases provided by third parties (example: INSEE).”

An additional gift: your browsing information, and its reconciliation with the data held by the members of the alliance, is not handled directly by Valiuz; it is carried out via the French adtech company Mediarithmics:

“Your data is only intended for Decathlon”, new episode.

What are the legal bases for Valiuz processing?

Difficult question, if we take the information:

Valiuz is based on consent (via Decathlon’s cookies banner) for:

  • The personalization of advertising banners distributed online (on the websites of alliance members, external sites, social networks), promoting the products and services of third-party advertisers (audience extension). VALIUZ constitutes audiences (list of people with common points) based on your browsing data and the information you have transmitted to the alliance companies, and these audiences are exposed to online advertisements that match their profile.

Valiuz bases itself on its legitimate interest for the rest, that is to say:

  • To carry out non-individual statistical analyzes allowing its partner companies to better understand the expectations of their customers and to respond to them by developing their activity.
  • To improve the quality of customer information from its partner companies and thus contribute to their updating (example: identify people whose postal address is obsolete, to stop sending them communications).
  • To segment the customer databases of its partner companies and thus help improve the relevance of the communications they send to you.

We understand this articulation better in the section “What is the service provided by VALIUZ” on the page “Alliance personal data and cookies policy":

Legitimate interest in advertising profiling, consent for browsing data and display of targeted advertising.

Also, the enigmatic message of the consent banner on the Decathlon website now makes sense:

Some partners do not ask for your consent to process your data and rely on their legitimate business interest. You can revoke your consent or object to data processing based on legitimate interest at any time by clicking “Learn more”

Except that objecting to data processing based on legitimate interest was a little more complicated than clicking "Learn more": this banner is particularly dishonest. More generally, Decathlon seems to have a problem with the notion of consent, as evidenced by the page "Your data & Decathlon", section “OUR COMMUNICATIONS ARE ADAPTED TO YOUR SPORTS LIFE”:

"[...] if and only if the persons concerned have consented [...]", but we still base ourselves on legitimate interest.

Behind Valiuz, the Mulliez group

Who is behind this “Valiuz” alliance? If you are not a connoisseur of French-style capitalism, you will not necessarily guess that Auchan, Decathlon or Leroy Merlin belong to the wealthy Mulliez family. The article "Valiuz, the data project with 150 million loyalty cards from the Mulliez group" (which you can read using your browser's "reading" mode), written in 2019, gives some information:

  • Valiuz already reached 29 million French households.
  • It therefore brought together more than 150 million loyalty cards.
  • This is not the only alliance, 3W.RelevanC (Casino) brought together 31 million consumers, the article also mentions RetailLink from Fnac-Darty.
  • Mediarithmics sends user profiles to the Data Management Platforms (DMP) of the various members of the alliance; other adtech players therefore recover your enriched personal data.
  • Currently limited to the Mulliez galaxy, the initiative could open up to other groups in the coming months. Particularly in verticals where AFM member entities are not present, such as telecoms, for example.

If you remember, Valiuz said:

Your data is not, and never will be, resold or exchanged between Valiuz partner brands. Only Valiuz has access to the data transmitted to it by its partners.

Valiuz also offers a cashback application, to siphon off your banking transactions

Valiuz retrieves your online and in-store purchase histories from alliance members. But why not recover all your banking transactions? Obviously, if you are at all concerned about your privacy, you will not use this type of application, but Valiuz offers a "cashback" application called Naomi:

Accumulating rewards automatically, interesting isn't it?

When registering, Naomi asks you for access to your bank account:

“Your banking connection information simply allows us to identify your purchases to pay out your winnings.”

Naomi does not in fact have access to banking identifiers, "only" to all of the client's banking transactions:

Privacy and security, why worry?

The "personal data protection policy" of the Naomi application is interesting. We note that the statistical studies on your banking transactions are based on the legitimate interest of Naomi alias Valiuz:

Still the famous pseudonymization, now with all of your banking transactions.

Given the sensitivity of the data recovered, you will not necessarily be reassured to read that Naomi uses subcontractors for many actions:

“statistical studies, segmentation and advertising profiling based on data”, carried out by subcontractors whose name you do not have.

The icing on the cake is that Naomi works with the kings of surveillance capitalism, Google and Facebook:

The famous "pixels", very effective tracking vectors.

But bank transactions are not precise enough: Naomi wants to know exactly what you bought, and therefore suggests that you scan your receipts:

Naomi thus retrieves the details of the purchases: nature of the product, stores, date, amount.

Note that, unlike Decathlon, the legal basis for profiling for the Valiuz alliance is consent:

You're lucky, purchases or payments that are sensitive or don't correspond to a purchase are not shared by Naomi.

As the Valiuz Twitter account puts it so beautifully:

Valiuz, knowing you better to talk to you better.

Surveillance capitalism is recruiting

Convinced by this laudatory article, you decide to go to the Valiuz page of Welcome to the Jungle and read job offers. If you are in operations, you could be Programmatic Account Manager for example:

“Specialized in the implementation of economic models around data”.

If you feel like a salesperson, you could be Sales Manager - Retail Media:

"Valiuz Media, the most powerful retail offering on the market: 18 complementary brands, 55 million registered customers, 1.7 billion omnichannel transactions, 3,520 stores in France."

But why work at Valiuz you ask me?

“[...] the largest customer data base in France” sounds like a dream, right?

The final word, on the Valiuz homepage, with “Our values”:

“We do not sell your information.”