EDIT August 3, 2021: End of the game on July 29, 2021, the CNIL sanctioned Le Figaro to the tune of... 50,000 euros due to the placement of advertising cookies from the lefigaro.fr site without obtaining the prior consent of Internet users. This ridiculous sanction is a incentive to break the rules, the problem has still not been systematically resolved, as proven by this test.
EDIT October 31, 2020: Has Le Figaro made any corrections since the initial date of publication of this article (April 19, 2020, more than 6 months ago)? After checks:
- (-) Lefigaro.fr always massively leaks your personal data, upon arrival on its website (even before having consented or not, in violation of the law). Surprise, there are more tracers than in April! All these companies track you via a unique identifier: ZBO Media, Comscore, CMPA, eStat, Taboola, Doubleclick (owned by Google), Google Analytics, Chartbeat and Hubvisor.
- (=) Take the trouble to go to the settings to refuse the collection of your data by third parties, Lefigaro.fr does not respect your choice and multiplies the trackers.
- (-) If you have time to waste, you can dig into the consent banner (the “CMP” or Consent Management Platform) used by Lefigaro.fr and offered by the SFBX company. The mechanism is even worse than in April. Very well hidden, you will then be able to realize that even if you have clicked on "Refuse all", certain marketing companies consider that they can still spy on you for various purposes (such as "Create an advertising profile"), under the pretext of legitimate interest. You would then have to oppose legitimate interest for 9 different purposes, or 27 additional clicks! And unfortunately, it doesn't even work: Lefigaro.fr continues to send the signal that you have not opposed the legitimate interest, and you continue to be monitored by multiple companies.
- (-) The consent banner now includes analytics, but Lefigaro.fr does not take your refusal into account: you continue to be monitored by Google Analytics and Chartbeat, the advertising features of Google Analytics are still activated (via the doubleclick cookie allowing Google to monitor you on the web), the cookie still has a lifespan of more than 13 months.
- (=) Lefigaro.fr still considers that scrolling on the page constitutes consent (in violation of the law). So if you scroll (or click on an article), the number of third-party companies spying on you continues to explode.
- (-) On the iOS application, there is now a consent banner. But like on the web, before you have even made a choice, Le Figaro leaks your personal data to multiple companies: Facebook, Adjust, Amazon, AppNexus, Google, Taboola and ACPM.
- (-) Same complexity for refusing surveillance (always via the SFBX company), and even violation of your choices. After refusal, you are still monitored by multiple companies including Google, Facebook, Adjust, Taboola, Amazon, AppNexus, ACPM or Smart AdServer.
Unfortunate conclusion: Lefigaro.fr has not resolved any of the problems observed. On the contrary, marketing surveillance on its website and on its iOS app is even stronger. Updating the consent banner following migration to the TCF v2 (the advertising industry's "consent collection" mechanism), could make you believe that you have control over the leak of your personal data, but this is not the case. Why is the CNIL still not sanctioning Le Figaro?!
Le Figaro was targeted by a complaint in August 2018
On August 11, 2018, an Internet user contacts the CNIL for failure to collect consent when placing cookies on the website lefigaro.fr. On September 30, 2019 (more than a year later), the CNIL informed the Internet user that it had asked the data protection officer (DPO) of Le Figaro to "take the necessary measures and modifications". Which does not seem to frighten Le Figaro who claims : "we handle this matter in accordance with the regulations".
Since then, nothing has changed, despite Internet user reminders :
Le Figaro is unfortunately not an exception but the rule among French media sites. It is nevertheless regrettable that the CNIL does not react quickly and strongly, the fear of the police should push media sites to respect the regulations. I mentioned lefigaro.fr in the article detailing the widespread falsehood of collecting consent, let's study in more detail how Le Figaro violates your privacy.
Le Figaro leaks your personal data upon arrival on its website
In order to be aware of the tracking on the site lefigaro.fr, follow the following steps:
- Disable your adblocker.
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
- Open the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), “Network” tab or launch Charles Proxy.
- Then go to the home page lefigaro.fr.
Seeing the consent banner (below), you might say to yourself: as long as I have not made a choice, Le Figaro will not leak my personal data to third parties.
Error! The list of requests to third-party trackers is so long that I had to take 2 screenshots:
And always before even continuing my navigation, Le Figaro allows some of these third parties to place cookies on your browser:
Thus, in violation of the law and its own consent banner, Le Figaro allows the following companies to track you:
- Doubleclick : we no longer present, Le Figaro uses Google's advertising monetization solution, in addition to AppNexus. It is nevertheless surprising that Le Figaro cannot deactivate Doubleclick when you have not yet browsed its site.
- eStat : Médiamétrie subsidiary specializing in audience measurement.
- CMPA : the Alliance for press and media figures, formerly OJD, also specialized in audience measurement.
- Hubvisor : a French advertising monetization solution, specialized in "Header Bidding", a practice which consists of putting multiple advertising monetization platforms into competition, each of which then puts multiple advertising space purchasing platforms into competition to better target you (inception).
- Taboola : provider of links with stupid titles at the end of the article, merged with global industry leader Outbrain. Here too, why call articles Taboola when you haven't started browsing?
Refuse cookies, Le Figaro continues to leak your personal data
What happens if you configure the "consent banner" to refuse cookies? The solution (a CMP, “Consent Management Platform”) proposed by the Bordeaux company SFBX (formerly Chandago) doesn't make your life easier: instead of displaying a "Refuse" button at the same level as the "Accept" button, refusing tracking takes 7 clicks!
The motto of SFBX ? “Privacy Matters.” If we read the SFBX home page, it feels like 1984:
What happens after you refuse the different categories of cookies? No luck again, refusal of consent has no impact on the third-party cookies mentioned above, these marketing companies continue to track you from page to page:
In particular, Le Figaro offers a blank check to Google via its Doubleclick service, which can monetize your brain time also when you refuse tracking (while the vast majority of other advertising monetization platforms are excluded).
The analytics tools of Le Figaro, a shameless lie
Another problem with the “Consent Management Platform” (CMP) which follows the “Transparency & Consent Framework" of the IAB (the professional association of internet advertising companies), they do not take into account analytics tools and other marketing tools but only tools directly linked to advertisements. Also you might think that by unchecking “Measurement”, the analytics tools would be disabled. But this is only the “measurement” brick of advertising tools. After refusing cookies via the consent banner, look at the name of the “1st party” cookies (cookies placed on the lefigaro.fr domain):
You may observe cookies associated with the following tools:
- Google Analytics : all cookies that contain "ga" are placed by Google Analytics, Google's "free" web analytics tool which tracks you on the vast majority of the global web.
- Chartbeat : specialized web analytics tool for media sites.
Le Figaro wrote a cookie information page, a paragraph is dedicated to audience measurement cookies:
Le Figaro states that the analytics tools used “only send our technical service providers or commercial partners aggregated statistics and traffic volumes".
In reality, this is a profound misunderstanding of how analytics tools work. Le Figaro transmits personal information to these companies (which includes your identifier, making it possible to follow your session and recognize you if you return to lefigaro.fr), they then calculate aggregated information including attendance volumes, which they then make available to their customers in a dedicated interface.
Le Figaro then indicates that these audience measurement cookies "do not allow us to track your browsing on other sites". Most analytics tools do not allow you to track your browsing on other sites (because they are based solely on 1st party cookies), except that Google Analytics offers this option (allowing you to access "Google Analytics advertising features"), and that Le Figaro has activated it (this functionality is "opt-in"). The proof in the screenshot below:
We can read that Le Figaro, through its use of Google Analytics, allows Google to follow you (and enrich your Google profile) via the following elements:
- stats.g.doubleclick.net is the doubleclick domain associated with Google Analytics.
- collect? function allowing Google to collect analytics parameters linked to your consultation of the lefigaro.fr site.
- the “IDE” cookie allows Google to identify you on all websites, because it is not associated with the 1st party domain lefigaro.fr, but with the domain owned by Google doubleclick.net.
Le Figaro finally lies to you about the lifespan of audience measurement cookies, informing you that this "does not exceed 13 months". First of all, it must be clarified that this duration is renewable, come back to lefigaro.fr in 12 months and the expiry date of the cookie is updated. Then, simply zoom in on the cookies placed by Google Analytics to see that certain cookies (like "ga" or "gads") have a lifespan of 24 months:
If we now refer to the CNIL page Cookies & tracers: what does the law say? :
Le Figaro, through its use of Google Analytics, flouts the law on these 2 points:
- Le Figaro uses cookies whose lifespan exceeds 13 months.
- These cookies have an extended lifespan during new visits to the site.
As Le Figaro does not allow you to block analytics cookies directly via its site, it simply to tell you that you can do it via your browser, or through each of the providers, which is not the easiest:
Continue your navigation, Le Figaro multiplies the trackers
If, like almost all Internet users, you decide not to touch the "consent banner", but to continue your navigation by scrolling on the home page or clicking on an article, you will then trigger a multitude of additional trackers. Indeed, Le Figaro considers that continued navigation constitutes consent: it is an illegal practice but still tolerated currently, because the CNIL is struggling to bring our law into compliance with the GDPR.
If we look at the detail via the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), then "Application", "Cookies" tab, we can see that via the lefigaro.fr page, many third-party cookies are placed (the list was too long, I had to delete certain cookies for this capture):
So, in addition to being tracked by the companies mentioned above, you are also tracked by:
- ZBO Media : via zebestof.com, a French company which presents itself as a “programmatic marketing platform”.
- LinkedIn : you may not know it, but LinkedIn tracks and retargets you on the web.
- Twitter : we no longer present the microblogging social network, also tracks you on the web.
- Liquidm : via lqm.io, German advertising inventory purchasing platform, recently purchased by the French company Smart AdServer, specialized in the monetization of advertising inventories.
- Facebook : you won't escape it, even if you don't have an account, offers its toolbox to websites.
- Krux : via krxd.net, data marketing platform bought by Salesforce, used by Le Figaro to better profile you and monetize your browsing.
- AppNexus : the main advertising monetization solution of the Le Figaro group (adserver and SSP), bought by the American telecoms giant AT&T.
But your surveillance does not stop there, some trackers trigger a second wave of trackers, encapsulated in “iframes” (invisible pages on the lefigaro.fr page). Thus Krux (owned by Salesforce), the DMP ("Data Management Platform") of the Le Figaro group, allows the installation of the following cookies (here too, the list was long, I had to delete certain cookies for the screen capture):
You are tracked by the following companies:
- Comscore : via scorecardresearch.com, American advertising analysis and profiling tool.
- Liveramp : via rlcdn.com, world leader in cross-referencing online and offline personal data.
- Xaxis : via mookie1.com, an advertising space purchasing platform owned by the advertising agency WPP.
- Nielsen : via exelator.com, marketing analysis company.
- Bluekai : Data Management company, acquired by Oracle.
ZBO Media allows the placement of the following cookies (reduced list for screen capture):
You are therefore also tracked by these following companies:
- Outbrain : the world leader in links to filthy articles, merged with Taboola, previously cited.
- Graphinium : via crm4d.com, a French company specializing in the reconciliation of online and offline personal data.
- Yahoo : it is always surprising to see this internet dinosaur again, Yahoo was bought by Verizon who then merged it with AOL to form Verizon Media, a huge advertising agency.
- Adyoulike : via omnitagis.com, advertising monetization platform, specialized in “native” advertising (which aims to blend visually with the content).
- Weborama : French data marketing company, which has been seen to leak your personal data to Russian companies in this article.
- ImproveDigital : via 360yield.com, advertising monetization solution.
- Index Exchange : via casalemedia.com, another advertising monetization solution.
We discussed the lifespan of analytics cookies, not exceeding 13 months according to Le Figaro (in reality, 24 months). In his cookie information page, Le Figaro is a little more cautious about advertising cookies (the emphasis on in principle is mine):
The lifespan of advertising cookies placed during your navigation on the Site/Application is in principle of 13 months. The associated data which is sent to commercial partners is kept by the latter for a period which in principle does not exceed 13 months.
What's the point of reporting the 13 months if you know it's false? For example, we see a LinkedIn advertising cookie with a lifespan of 24 months:
The figaro privacy policy also repeats the lie:
The data related to your browsing on our online services collected by cookies has, in all cases, a retention period which cannot exceed thirteen (13) months.
On the iOS application, uninhibited tracking
To complete my investigation, I installed the Le Figaro iOS application and followed the following steps:
- Closing the various background applications.
- Launching the application Charles Proxy and enabling tracking.
- Launching the Le Figaro application, then browsing the App: I consulted a few articles.
- Export of logs from my Charles Proxy session to my computer, in order to easily analyze the requests sent by Le Figaro.
I was not entitled to any "consent banner", but to a multitude of trackers (the same as on the web, and a few additional):
To avoid tracking, you need to search in the menu, then "Settings", then "About" > "My personal data", and finally uncheck each category:
Still no luck, if refusing tracking on the web reduced the number of trackers, this refusal apparently has no impact on the application: Le Figaro continues to leak my personal data to numerous third parties.
What does it say the Cookie Information page ? Le Figaro claims that you can block cookies there:
Except that it's false, I have activated the "Limited advertising tracking" option on my iPhone (you should not deactivate it as Le Figaro seems to believe), but this has no impact on the trackers triggered.
Le Figaro is unfortunately not the exception
If Le Figaro doesn't care about your privacy, this is just one example among others, the French media being mostly addicted to advertising tracking. They could offer a better user experience by limiting advertisements and other trackers, respecting the notion of consent, while maintaining comfortable income. But without a real policeman and without sanctions (the CNIL, are you there?), it is unlikely that things will change.