Le Figaro, emblem of invasive advertising tracking on French media sites

For Le Figaro, journalism and advertising surveillance still go hand in hand

Published by Pixel de Tracking on April 19, 2020

EDIT August 3, 2021: Game over on July 29, 2021: the CNIL sanctioned Le Figaro to the tune of... 50,000 euros for placing advertising cookies from the lefigaro.fr site without first obtaining users' consent. This ridiculous sanction is an incentive to break the rules. The problem has still not been systematically resolved, as this test proves.

EDIT October 31, 2020: Has Le Figaro made any corrections since the initial date of publication of this article (April 19, 2020, more than 6 months ago)? After checks:

  • (-) Lefigaro.fr still massively leaks your personal data as soon as you arrive on its website (even before you have consented or refused, in violation of the law). Surprise: there are more trackers than in April! All these companies track you via a unique identifier: ZBO Media, Comscore, ACPM, eStat, Taboola, DoubleClick (owned by Google), Google Analytics, Chartbeat and Hubvisor.
  • (=) Take the trouble to go into the settings to refuse the collection of your data by third parties: Lefigaro.fr does not respect your choice and multiplies the trackers.
  • (-) If you have time to waste, you can dig into the consent banner (the “CMP” or Consent Management Platform) used by Lefigaro.fr and provided by SFBX. The mechanism is even worse than in April. Well hidden, it lets you discover that even if you clicked "Reject all", some marketing companies consider that they can still spy on you for various purposes (such as "Create an advertising profile"), under the pretext of legitimate interest. You would then have to object to legitimate interest for 9 different purposes, or 27 additional clicks! And unfortunately, it does not even work: Lefigaro.fr continues to send the signal that you have not objected to legitimate interest, and you continue to be monitored by multiple companies.
  • (-) The consent banner now includes analytics, but Lefigaro.fr does not take your refusal into account: you continue to be monitored by Google Analytics and Chartbeat, Google Analytics advertising features are still activated (via the DoubleClick cookie, allowing Google to monitor you on the web), and the cookie still has a lifespan of more than 13 months.
  • (=) Lefigaro.fr still considers that scrolling on the page constitutes consent (in violation of the law). So if you scroll (or click on an article), the number of third-party companies spying on you still explodes.
  • (-) On the iOS app, there is now a consent banner. But as on the web, before you have even made a choice, Le Figaro leaks your personal data to multiple companies: Facebook, Adjust, Amazon, AppNexus, Google, Taboola and ACPM.
  • (-) The same complexity to refuse surveillance (still via SFBX), and the same violation of your choices. After refusing, you are still monitored by multiple companies, including Google, Facebook, Adjust, Taboola, Amazon, AppNexus, ACPM and Smart AdServer.

Unfortunate conclusion: Lefigaro.fr has not resolved any of the problems observed. On the contrary, marketing surveillance on its website and on its iOS app is even stronger. Updating the consent banner following migration to TCF v2 (the advertising industry's "consent collection" mechanism) could make you believe you have control over the leak of your personal data. You do not. Why is the CNIL still not sanctioning Le Figaro?!

Le Figaro was targeted by a complaint in August 2018

On August 11, 2018, an internet user contacted the CNIL for failure to collect consent before placing cookies on the lefigaro.fr website. On September 30, 2019 (more than a year later), the CNIL informed the internet user that it had asked Le Figaro's data protection officer (DPO) to "take the necessary measures and modifications". Which does not seem to frighten Le Figaro, which claims: "we handle this matter in accordance with the regulations".

Since then, nothing has changed, despite the user's follow-ups:

Tweet Cellular Lefigaro CNIL

Le Figaro is unfortunately not the exception, but the rule among French media sites. It is nevertheless regrettable that the CNIL does not react quickly and forcefully: fear of the regulator should push media sites to respect the rules. I mentioned lefigaro.fr in the article detailing the widespread lie of consent collection; let us now study in more detail how Le Figaro violates your privacy.

Le Figaro leaks your personal data upon arrival on its website

To see the tracking on the lefigaro.fr site, follow these steps:

  • Disable your ad blocker.
  • Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
  • Open the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), “Network” tab or launch Charles Proxy.
  • Then go to the home page lefigaro.fr.

Seeing the consent banner (below), you might think: as long as I have not made a choice, Le Figaro will not leak my personal data to third parties.

Home lefigaro

Error! The list of requests to third-party trackers is so long that I had to take 2 screenshots:

lefigaro trackers list 1lefigaro trackers list 2

And still before I even continue browsing, Le Figaro allows some of these third parties to place cookies in your browser:

Lefigaro cookies

Thus, in violation of the law and its own consent banner, Le Figaro allows the following companies to track you:

  • DoubleClick: no introduction needed. Le Figaro uses Google's advertising monetization solution, in addition to AppNexus. It is nevertheless surprising that Le Figaro cannot deactivate DoubleClick when you have not yet browsed its site.
  • eStat : Médiamétrie subsidiary specializing in audience measurement.
  • ACPM: the Alliance for press and media circulation figures, formerly OJD, also specialized in audience measurement.
  • Hubvisor: a French advertising monetization solution specialized in "Header Bidding", a practice that consists of putting multiple advertising monetization platforms into competition, each of which then puts multiple ad-space buying platforms into competition to better target you (inception).
  • Taboola: provider of links with trashy titles at the end of articles, merged with global industry leader Outbrain. Here too, why call Taboola before you have even started browsing?

Refuse cookies, and Le Figaro continues to leak your personal data

What happens if you configure the "consent banner" to refuse cookies? The solution (a CMP, “Consent Management Platform”) offered by the Bordeaux company SFBX (formerly Chandago) does not make your life easier: instead of displaying a "Reject" button at the same level as the "Accept" button, refusing tracking takes 7 clicks!

Refusal of lefigaro cookies

The motto of SFBX? “Privacy Matters.” Reading the SFBX home page feels like 1984:

SFBX Privacy by design

What happens after you refuse the different categories of cookies? Bad luck again: refusal of consent has no impact on the third-party cookies mentioned above. These marketing companies continue to track you from page to page:

Cookies after refusal lefigaro

In particular, Le Figaro gives Google a blank check via its DoubleClick service, which can monetize your brain time even when you refuse tracking (while the vast majority of other advertising monetization platforms are excluded).

Le Figaro's analytics tools, a shameless lie

Another problem with “Consent Management Platforms” (CMPs) that follow the IAB's “Transparency & Consent Framework" (the professional association of internet advertising companies): they do not take analytics tools and other marketing tools into account, only tools directly linked to advertising. So you might think that by unchecking “Measurement”, the analytics tools would be disabled. But this is only the “measurement” component of advertising tools. After refusing cookies via the consent banner, look at the names of the “first-party” cookies (cookies placed on the lefigaro.fr domain):

lefigaro cookies measure

You may observe cookies associated with the following tools:

  • Google Analytics : all cookies that contain "ga" are placed by Google Analytics, Google's "free" web analytics tool which tracks you on the vast majority of the global web.
  • Chartbeat : specialized web analytics tool for media sites.

Le Figaro wrote a cookie information page, a paragraph is dedicated to audience measurement cookies:

lefigaro cookies audience measurement

Le Figaro states that the analytics tools used “only send our technical service providers or commercial partners aggregated statistics and traffic volumes".

In reality, this shows a deep misunderstanding of how analytics tools work. Le Figaro sends personal information to these companies (including your identifier, making it possible to follow your session and recognize you if you return to lefigaro.fr). They then calculate aggregated information, including traffic volumes, which they make available to their customers in a dedicated interface.

Le Figaro then says that these audience measurement cookies "do not allow us to track your browsing on other sites". Most analytics tools do not allow tracking of your browsing on other sites (because they are based solely on first-party cookies), except that Google Analytics offers this option (allowing access to "Google Analytics advertising features"), and Le Figaro has activated it (this feature is "opt-in"). Proof in the screenshot below:

Google Analytics DoubleClick Lefigaro

We can see that Le Figaro, through its use of Google Analytics, allows Google to track you (and enrich your Google profile) via the following elements:

  • stats.g.doubleclick.net is the DoubleClick domain associated with Google Analytics.
  • collect? function allowing Google to collect analytics parameters linked to your consultation of the lefigaro.fr site.
  • the “IDE” cookie allows Google to identify you across websites, because it is not associated with the first-party domain lefigaro.fr, but with Google's doubleclick.net domain.

Le Figaro finally lies to you about the lifespan of audience measurement cookies, informing you that this "does not exceed 13 months". First of all, it must be clarified that this duration is renewable, come back to lefigaro.fr in 12 months and the expiry date of the cookie is updated. Then, simply zoom in on the cookies placed by Google Analytics to see that certain cookies (like "ga" or "gads") have a lifespan of 24 months:

Google Analytics cookies lefigaro 24 months

If we now refer to the CNIL page Cookies & trackers: what does the law say?:

CNIL cookie lifespan

Le Figaro, through its use of Google Analytics, flouts the law on these 2 points:

  • Le Figaro uses cookies whose lifespan exceeds 13 months.
  • These cookies have an extended lifespan during new visits to the site.

Since Le Figaro does not allow you to block analytics cookies directly via its site, it simply tells you that you can do it through your browser, or through each provider, which is not exactly the easiest route:

opt-out analytics

Continue browsing, and Le Figaro multiplies the trackers

If, like almost all internet users, you decide not to touch the "consent banner", but continue browsing by scrolling on the home page or clicking on an article, you will trigger a multitude of additional trackers. Le Figaro considers continued browsing to constitute consent: this is an illegal practice, but still tolerated for now, because the CNIL is struggling to bring our law into compliance with the GDPR.

If we look at the details via the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), then the "Application" and "Cookies" tabs, we can see that many third-party cookies are placed via the lefigaro.fr page (the list was too long; I had to delete some cookies for this screenshot):

navigation lefigaro cookies

So, in addition to being tracked by the companies mentioned above, you are also tracked by:

  • ZBO Media : via zebestof.com, a French company which presents itself as a “programmatic marketing platform”.
  • LinkedIn : you may not know it, but LinkedIn tracks and retargets you on the web.
  • Twitter : no introduction needed for the microblogging social network, which also tracks you on the web.
  • Liquidm: via lqm.io, a German advertising inventory buying platform, recently acquired by the French company Smart AdServer, specialized in monetizing advertising inventory.
  • Facebook: you will not escape it. Even if you do not have an account, Facebook offers its toolbox to websites.
  • Krux: via krxd.net, a data marketing platform bought by Salesforce, used by Le Figaro to better profile you and monetize your browsing.
  • AppNexus: the Le Figaro group's main advertising monetization solution (ad server and SSP), bought by the American telecoms giant AT&T.

But your surveillance does not stop there. Some trackers trigger a second wave of trackers, embedded in “iframes” (invisible pages inside the lefigaro.fr page). Krux (owned by Salesforce), the DMP ("Data Management Platform") of the Le Figaro group, thus allows the following cookies to be placed (here too, the list was long, so I had to delete some cookies for the screenshot):

Lefigaro Krux cookies

You are tracked by the following companies:

  • Comscore: via scorecardresearch.com, an American advertising analysis and profiling tool.
  • LiveRamp: via rlcdn.com, world leader in matching online and offline personal data.
  • Xaxis: via mookie1.com, an ad-space buying platform owned by the advertising agency WPP.
  • Nielsen: via exelator.com, a marketing analysis company.
  • BlueKai: a data management company, acquired by Oracle.

ZBO Media, for its part, allows the following cookies to be placed (reduced list for the screenshot):

lefigaro zbo media cookies

You are therefore also tracked by the following companies:

  • Outbrain: the world leader in links to trashy articles, merged with Taboola, mentioned above.
  • Graphinium: via crm4d.com, a French company specializing in matching online and offline personal data.
  • Yahoo: it is always surprising to see this internet dinosaur again. Yahoo was bought by Verizon, which then merged it with AOL to form Verizon Media, a huge advertising network.
  • Adyoulike: via omnitagis.com, an advertising monetization platform specialized in “native” advertising (which aims to visually blend in with the content).
  • Weborama: a French data marketing company, which we have seen leaking your personal data to Russian companies in this article.
  • Improve Digital: via 360yield.com, an advertising monetization solution.
  • Index Exchange: via casalemedia.com, another advertising monetization solution.

We discussed the lifespan of analytics cookies, which according to Le Figaro does not exceed 13 months (in reality, 24 months). On its cookie information page, Le Figaro is a little more cautious about advertising cookies (the emphasis on in principle is mine):

The lifespan of advertising cookies placed during your browsing on the Site/Application is in principle 13 months. The associated data sent to commercial partners is kept by the latter for a period which in principle does not exceed 13 months.

What is the point of mentioning 13 months if you know it is false? For example, we see a LinkedIn advertising cookie with a lifespan of 24 months:

Linkedin cookie 24 months - lefigaro

The Le Figaro privacy policy also repeats the lie:

The data related to your browsing on our online services collected by cookies has, in all cases, a retention period which cannot exceed thirteen (13) months.

On the iOS app, uninhibited tracking

To complete my investigation, I installed the Le Figaro iOS app and followed these steps:

  • Close the various background apps.
  • Launch the Charles Proxy app and enable tracking.
  • Launch the Le Figaro app, then browse the app: I read a few articles.
  • Export the logs from my Charles Proxy session to my computer, in order to easily analyze the requests sent by Le Figaro.

I was not shown any "consent banner", but I did get a multitude of trackers (the same as on the web, plus a few additional ones):

lefigaro app trackers 1lefigaro app trackers 2

To avoid tracking, you need to search in the menu, then "Settings", then "About" > "My personal data", and finally uncheck each category:

Lefigaro App - My personal data

Still no luck: while refusing tracking on the web reduced the number of trackers, this refusal apparently has no impact on the app. Le Figaro continues to leak my personal data to numerous third parties.

lefigaro App no consent 1le figaro App no consent 2

What does the Cookie Information page say? Le Figaro claims that you can block cookies there:

refusal of app cookies

Except that this is false. I activated the "Limit Ad Tracking" option on my iPhone (you should not deactivate it, as Le Figaro seems to suggest), but this has no impact on the trackers triggered.

Limit advertising tracking

Le Figaro is unfortunately not the exception

If Le Figaro does not care about your privacy, it is only one example among others, with French media outlets mostly addicted to advertising tracking. They could offer a better user experience by limiting ads and other trackers, respecting the notion of consent, while maintaining comfortable revenues. But without a real regulator and without sanctions (CNIL, are you there?), it is unlikely that things will change.