Fnac sells off your personal data

On its website or on its iPhone application, it is impossible to avoid the leak of your personal data

Published by Pixel de Tracking on April 6, 2020

You are tracked from the website's home page

If, like me, you want to limit your dependence on GAFA, you may already have placed an order with Fnac. Beyond the problems of tax evasion, abuse of dominant position or employee exploitation, Amazon is also a key player in surveillance capitalism, with among others:

Amazon's competitors in the e-commerce sector therefore have an opening to offer a customer experience that respects privacy, which is unfortunately not the case for Fnac, as we will see. Let's start our investigation with the Fnac website:

  • Disable your adblocker.
  • Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
  • Open the Chrome console (⌘+Option+J on Mac, Ctrl+Shift+J on PC), click on the Application tab, then Cookies on the left panel.
  • Then go to fnac.com.
  • Do not browse Fnac yet; instead, look at the different cookies placed by third-party companies (other than Fnac).

cookies

As we can see, even before browsing and accepting tracking, you already find yourself tracked by several companies:

  • AppNexus: represented by the adnxs domain, this American company is one of the leaders in the adtech sector (far behind Google), offering both advertising monetization solutions for publishers and an advertising space purchasing platform for advertisers. It was acquired by AT&T in 2018, with the lucrative video advertising market in mind, but also the merger of the personal data held by the American telecoms giant with the advertising data of hundreds of millions of Internet users.
  • Criteo: the French adtech giant, world leader in retargeting. If you have visited product pages, then been bombarded with banner ads for these same products all over the web, for several days or even weeks, it was probably Criteo. This company literally revealed to the general public the intrusive side of personalized advertising.
  • Google: represented by the domain doubleclick.net, its advertising solution for publishers and advertisers, dominant in the adtech market.
  • Eulerian: represented by the ew3.io domain, a French attribution solution (allowing Fnac to understand which advertising campaigns trigger sales) and data management solution (allowing Fnac to profile you in order to target you better).
  • Smart AdServer: another French company, which allows Fnac to monetize its advertising inventory.
  • iAdvize: a French company offering conversational purchasing assistance.

Fnac is clearly breaking the law here, like many French websites (on this subject, read: collecting consent on the internet: a widespread lie). Fnac does not even respect its own information banner, which says third-party cookies will not be placed until you continue browsing.

information tracking banner

Note the fictitious "consent" presented by this banner: continuing to browse is treated as acceptance of cookies being placed, cross-referencing with your customer data, distribution of personalized content and advertising, marketing studies and fraud prevention. This type of banner, still present on many French websites, comes from a flaw introduced by the CNIL in 2013, which stated that "continuing to browse constitutes agreement to Cookies being placed on your terminal". This loose notion of consent should no longer be valid within a few months, with the arrival of new CNIL recommendations on consent collection.

Continue browsing, and the trackers multiply

What happens if you “continue browsing”? Simply scroll on the Fnac home page, and observe the new requests sent via the Chrome console or Charles Proxy:

fnac pursuit navigation tracking

Many new marketing companies are now tracking you. We can note:

  • Mediarithmics: a French company offering an advertising space purchasing platform and a data management solution (profiling you better, to target you better).
  • Facebook: as with Google, Facebook's monitoring tools are omnipresent on the web, and very widely used by advertisers.
  • Temelio: represented by the Leadplace domain, this French data marketing company offers advertisers the opportunity to cross-reference your personal data online and offline. You are being tracked everywhere.
  • Weborama: another French data marketing company (profiling you better, to target you better).
  • MediaMath: represented by the mathtag domain, an American company, one of the main advertising space purchasing platforms on the market.
  • Bluekai: a data marketing company, American this time, bought by the giant Oracle in 2014. It was one of the first companies to launch a DMP (Data Management Platform) on the market, more than 10 years ago.
  • Bidswitch: a Russian company that builds programmatic advertising platforms for multiple clients, and serves as an intermediary between advertising space purchasing platforms and advertising monetization solutions.
  • Rubicon: an American advertising monetization platform.

Other marketing companies also appear if you continue browsing Fnac. All these companies therefore track you on the web, without your consent, enriching your profile with each page viewed, each addition to the basket, each purchase. Some go so far as to cross-reference this online data with information collected about your offline behavior, all with the aim of targeting you ever more effectively with personalized advertising.

Refuse cookies, and we will continue to track you

No one clicks on cookie information banners, and very often, they do not work anyway. Fnac is no exception; you can see this by clicking on “Find out more and configure cookies”.

Note here that you can "Authorize all" directly, but there is no "Refuse all" button. You have to uncheck the cookie categories one by one, which clearly does not comply with the GDPR (it must be as easy to refuse consent as to give it). It is also impossible to access the list of companies tracking you (no information on Google, Facebook, Criteo, Eulerian or Weborama).

Naively, you might think that disabling advertising cookies should stop tracking. Not quite. Although the list is shorter than if you continue browsing directly, you are still tracked by several advertising companies.

So Criteo, Google (doubleclick), AppNexus (adnxs), Smart AdServer and Eulerian continue to track you... Let's go back to this "Preference Center" and deactivate the "Analytical Cookies".

Fnac cookies analytics

It turns out that this setting means you are no longer tracked by Google, AppNexus, Smart AdServer and Eulerian (except for Eulerian, these are not analytics tools but adtech companies). Criteo still resists: if we reload the home page, the tracker reappears.

Fnac without cookies Analytics

One last try with Criteo: let's refuse all cookies by unchecking "Functional cookies".

Fnac deactivates functional cookies

Bad luck: Criteo is immortal, and the Fnac home page still triggers the Criteo tracker.

Fnac all cookies disabled

Privacy at Fnac? Access denied!

Eager to know more about this disastrous handling of my personal data, I decide to read the privacy policy, still from the “Preference Center”.

Your confidentiality - Fnac

No luck: by clicking on the "More information" link, I land on a staging page... Access denied.

Confidentiality - Fnac - Inaccessible

Fortunately, you can still consult Fnac's “personal data protection policy”, accessible via the website footer. There, you can better understand the extent to which Fnac uses your personal data. For example, Fnac is part of "the Gravity alliance", a large personal data exchange made up of 150 sites and applications, with 2,000 targeting segments.

But you will also read some lies, like:

To oppose advertising targeting for the benefit of advertising partners, you must refuse advertising cookies. For more information and to manage your advertising cookies, go to the “Cookies” page of the site.

This is false for Criteo, Google, AppNexus, Smart AdServer and Eulerian, which continue to use your browsing on Fnac to target you later. Another questionable passage:

The legal basis for the use of browsing data for advertising profiling purposes is consent (cookie consent).

I have never consented to this tracking. To be valid under the GDPR, consent must be free and informed.

Log in, and sell off your personal data

As long as you are not logged in, you can decide to delete your cookies and thus start from scratch with the different adtech companies. By logging in, you take the risk that Fnac will also leak persistent data. I wanted to check, so I logged into my Fnac account from Chrome, and unfortunately this intuition turned out to be correct: on login, Fnac leaked to Mediarithmics a hash of my email address as well as my Fnac account number.

fnac hash email mediarithmics

Who is Mediarithmics? This French data management company was chosen by the Gravity alliance, the large personal data exchange mentioned in Fnac's “Personal data protection policy”. So Fnac does not merely leak your personal data to third parties: it does so with a persistent identifier linked to your email, and shares this information with 150 other sites, all partners of the alliance. What does Fnac say about Gravity?

Fnac Darty may also participate in data pooling programs for advertising purposes such as the Gravity Data Media Alliance. [...] FNAC DARTY creates these segments or profiles on the basis of information held by the group's brands (browsing data, purchasing data, declarative data) or information collected as part of our relationships with partners (e.g. member of the Gravity Data Media Alliance),..

Tracking continues on the Fnac app for iOS

If you were thinking of avoiding the leak of your personal data by using the Fnac app, it is a wasted effort. First, note that I have limited ad tracking on my iPhone:

iPhone ad tracking limit

Then, to carry out the test, I used the Charles Proxy application and followed these steps:

  • Close the apps on my iPhone.
  • Open Charles Proxy and enable tracking.
  • Launch the Fnac application.
  • Export the Charles Proxy logs to my computer.

Here is the result:

Fnac iPhone

Who does Fnac send my personal data to? The following data marketing companies:

  • Google: it is difficult to escape Google. Fnac uses Crashlytics (a crash monitoring tool bought from Twitter) and Google Analytics, the omnipresent analytics tool.
  • Accengage: a French push notification tool, acquired in 2018 by the mobile marketing company Airship. Looking at the details of the requests to Accengage, I realize that Fnac leaks my first and last name in plain text, together with the details of my smartphone, all the Fnac products viewed, and a variable indicating my supposed agreement to be geolocated, "optin_geoloc": "Y" (I never gave my agreement).
  • Adobe: you know Photoshop, but Adobe is also a marketing giant, and Fnac uses its analytics tool.
  • Criteo: targeted on the web, I am also targeted on the Fnac application. And Criteo knows how to find me: a hash of my email is sent with each request.
  • Adjust: a mobile marketing solution offering fraud prevention, analytics, attribution but also a solution for building user profiles.
  • Glaze: a French solution to personalize the customer experience.

Personal data sent
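
One way to check a capture for the leaks described in the login test and the iOS test above (an email hash, an account number, a name in plain text) is to search every third-party request for the identifiers you already know. This is an added example, not code from the original article; it assumes the traffic was saved as a HAR file, and the hosts, email, account number and the list of hash algorithms tried are constructed or assumed.

```python
import hashlib
from urllib.parse import urlsplit, unquote_plus

def identifier_forms(email, extra=None):
    """Map each string to search for (lowercased) to a human-readable label."""
    norm = email.strip().lower()
    forms = {norm: "email (plain text)"}
    for algo in ("md5", "sha1", "sha256"):  # assumed candidates; the page names no algorithm
        forms[hashlib.new(algo, norm.encode()).hexdigest()] = f"email ({algo})"
    for label, value in (extra or {}).items():
        forms[value.lower()] = label
    return forms

def is_third_party(host, first_party):
    # Suffix match only: a tracker served from a first-party subdomain is not detected.
    return not (host == first_party or host.endswith("." + first_party))

def find_leaks(har, first_party, forms):
    """Return sorted (host, label) pairs for third-party requests carrying an identifier."""
    hits = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if not is_third_party(host, first_party):
            continue
        # Search the URL, the request body and every header value (cookies included).
        parts = [req["url"], req.get("postData", {}).get("text", "")]
        parts += [h["value"] for h in req.get("headers", [])]
        haystack = unquote_plus(" ".join(parts)).lower()
        hits.update((host, label) for needle, label in forms.items() if needle in haystack)
    return sorted(hits)

# Constructed sample capture (hosts, email, account number and name are made up).
EMAIL = "Jane.Doe@example.org"
_sha = hashlib.sha256(EMAIL.lower().encode()).hexdigest()
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://secure.fnac.com/login", "headers": [],
                 "postData": {"text": "email=jane.doe%40example.org"}}},
    {"request": {"url": f"https://events.tracker.example/sync?uid={_sha}&acct=FN0042137",
                 "headers": []}},
    {"request": {"url": "https://api.push.example/v1/profile", "headers": [],
                 "postData": {"text": '{"firstname": "Jane", "lastname": "Doe"}'}}},
    {"request": {"url": "https://static.cdn.example/lib.js", "headers": []}},
]}}

if __name__ == "__main__":
    forms = identifier_forms(EMAIL, {"account number": "FN0042137", "last name": "Doe"})
    for host, label in find_leaks(SAMPLE_HAR, "fnac.com", forms):
        print(f"{host}: {label}")
```

To run it on a real capture, replace `SAMPLE_HAR` with the result of `json.load()` on your exported file and pass your own email and identifiers.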

Fnac therefore sends personal data (first and last name) to Accengage. Beyond the fact that I never consented to such tracking and that Fnac does not warn users of this personal data leak, what does Accengage's personal data protection policy say?

purpose SDK accengage

No personal data is listed. Fnac probably freely decided to send Accengage the names of its customers, which would fit into the “relevant information” box. Accengage also claims to respect the user preferences indicated in the iOS settings:

opposition tracking SDK Accengage

However, this is not the case: I checked the “Limited advertising tracking” box and Accengage continues to track me, by name.

The Criteo case

Fnac also sends a hash of my email address to Criteo. What does the Personal data protection policy say, in the section on sharing data with third parties?

To allow us to connect your different terminals (computers, mobile phones, etc.) and provide you with a consistent experience across the different devices you use. To find out more about the system for combining different devices or to object to it, you can go to http://www.criteo.com/fr/privacy/

So let's go to the Criteo privacy policy and read the section on deactivating Criteo services on mobile applications. It also says:

For iOS (version 6 and later), activate the “Limited advertising tracking” option: to do this, in your device settings, go to “Privacy” > “Advertising” and activate the “Limited advertising tracking” option.

What should activating the “Limited ad tracking” option change according to Criteo?

Criteo withdrawal consent app

I notice that the hash of my email address is still collected. It allows Criteo to recognize my device and associate me with the data Criteo already has on me. Maybe Criteo does not store this hash, but I cannot prove that, and why collect it in the first place?

It should be noted that Fnac does not send my email address to Criteo in plain text, but Criteo does accept email addresses sent in "plain text" by its customers, "to ensure the greatest possible flexibility", according to the Criteo support site, currently oddly offline but still accessible via Google cache. Criteo then says it "crypts" the emails (incidentally, in French one should say chiffrer, not crypter). Here again I cannot prove it; you would have to trust Criteo.

Criteo raw email address

It is therefore particularly enlightening to observe Criteo's double discourse: reassuring with users and permissive with advertisers. Here is its commitment to users:

Criteo Commitment

If my smartphone identifier is persistent, my email address (or even a hash of my email address) is too, and yet Criteo collects it even when I disable advertising tracking. Fnac also remains at fault: how can this close partnership with a third party that shows so little respect for customers' privacy be justified?

Impossible to limit tracking on the Fnac app for iOS

If limiting advertising tracking on iPhone is not enough, how can you stop being tracked? You would be right to think that Fnac provides an option to refuse tracking in its application (after all, even if it does not work well, Fnac displays a consent banner on its website). I eventually found Fnac's "Personal data protection policy" from the iOS app. It is a real obstacle course; you have to:

  • Go to “My Account”.
  • Then go to “My contact details”.
  • Then click on “Read more” at the bottom of the page.
  • Then scroll to the bottom of the page, and click on "here".

fnac ios confidentiality

Bad luck again: Fnac does not provide any option to refuse tracking. In conclusion, unless you install ad blockers for applications (see How to protect your privacy on an iPhone?), it is impossible to avoid the leak of your personal data on the Fnac application. We can therefore only hope that in the future, the CNIL will have the means and above all the will to enforce the law and better protect your privacy.