The website multiplies trackers from the home page
In these lockdown times, grocery retail is seeing a boom in online orders (as well as frequent unavailability). Since I regularly shop at Monoprix, I wanted to know more about how their website managed my personal data. Let's start the investigation on monoprix.fr:
- Disable your ad blocker.
- Delete cookies in Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
- Open the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), “Network” tab or launch Charles Proxy.
- Then go to the home page monoprix.fr.
- Do not browse; just observe the different third-party companies that track you.
And the list of trackers is long; I had to take 2 screenshots:
Note that all these trackers were triggered before I could even interact with the consent banner to say that I did not want to be tracked. These banners have unfortunately become a dark joke: in addition to being unbearable for users, they rarely work properly.
Here are the companies that track you from the Monoprix home page, without consent:
- Google : via its advertising service for businesses DoubleClick, and via Google Analytics.
- AB Tasty : French A/B testing and site personalization tool.
- Commanders Act : via commander1.com, a French tag management tool. It is supposed to trigger other trackers when conditions are met, according to rules pre-established by Monoprix. Obviously, Monoprix does not take your consent into account before triggering numerous tags.
- Effiliation : a French affiliate marketing tool. How does affiliate marketing work? A website that advertises Monoprix products receives a commission if a user clicks on the ad and then buys a product.
- Evidon : renamed Crownpeak, offers a tool for collecting consent for websites.
- Eulerian : French analytics, attribution (determining which advertising campaign is the most effective) and Data Management tool, it allows Monoprix to better profile you.
- Facebook : no introduction needed; Facebook trackers are unfortunately omnipresent on the web.
- Salecycle : a data management tool for e-commerce sites, which analyzes customer behavior to maximize Monoprix sales.
- 3W.Relevanc : also known as 3WRégie, which modestly presents itself as "the French leader in the collection, measurement, targeting and monetization of audiences and transactional data".
- Mediarithmics : a French ad space buying platform and data management tool, whose role I had already mentioned for Showroomprive and Fnac.
- Outbrain : world leader in sponsored articles, you have probably noticed the stupid titles at the bottom of the press articles, it's mostly them.
- AppNexus : via the domain adnxs.com, bought by AT&T, it is one of the leaders in adtech (far behind Google), providing an advertising space buying platform for advertisers and a monetization solution for publishers.
- CapitalData : via kdata.fr, a French company that profiles you by mixing your online and offline data. According to its website: By creating the interface between digital contact points (emails, content consultation, online purchase) and events or interactions generated in real life (store visits, shopping cart), we facilitate the implementation of digital activation strategies to develop incremental sales in store.
At Monoprix, all cookies are welcome, even the most intrusive.
Refuse consent, and third-party trackers are still everywhere
If now, unlike almost all Internet users, you decide to click on the consent banner and refuse the leak of your personal data to third parties:
Note that you have to click the red “I accept” button to refuse tracking, but audience measurement, site personalization and advertising tools should now be disabled. Then continue browsing Monoprix and observe the requests sent by your browser:
The tracking continues, with the same marketing companies that we talked about previously (including Google and Facebook, still omnipresent), but also new marketing companies:
- Rakuten Advertising : via nxtck.com, the advertising division of the Japanese e-Commerce giant, which bought the French retargeter NextPerformance in 2016.
- Target2Sell : French product recommendation tool.
- Criteo : French company, the world leader in retargeting.
Log in and tracking becomes permanent
When you are not logged in, it is still possible to delete cookies. Also, your personal data is not associated with directly identifying data. What happens when you log in to your Monoprix account to place an order? To check, I first refused third-party tracking via Monoprix's consent banner, then I logged in.
Here again, the list of trackers is long and I had to take 2 captures:
Which third parties collect permanent personal data?
- Salecycle : this company collects my browsing data (all Monoprix products viewed) as well as my first name, my last name, my phone number and my email !
- CapitalData : via kdata.fr, this company retrieves a hash of my email, which allows it to track me permanently, whatever device I use and whatever app I use (not only on Monoprix). It also gets my Monoprix account ID. It also retrieves a fingerprint of my computer, another dirty technique for tracking me. It also synchronizes its user identifiers with AppNexus, the advertising space buying platform (which allows it to retarget me).
- 3W.Relevanc : also known as 3WRegie, in addition to retrieving a hash of my email, my Monoprix account ID and all the products I viewed, this company also retrieves my age, gender and postal code.
- Target2Sell : gets my Monoprix account ID as well as my browsing.
- Criteo : the famous French retargeter retrieves my Monoprix account ID as well as my browsing.
- Rakuten Advertising : via nxtck.com, gets a hash of my email address as well as my browsing.
Monoprix therefore leaked persistent, and sometimes even directly identifying, personal data while I had refused third-party tracking, clearly breaking any trust I might have had. What happens if I accept third-party tracking (i.e. by not configuring the consent banner and simply closing it)? Exactly the same thing: the same trackers are triggered, with the same personal data.
Monoprix outsources its cookie “control” page
If we now consult the "Personal data protection charter" from Monoprix, we can read a passage on the 3W retargeters RelevanC, Criteo and Capital Data:
What is the legal basis for this collection? Certainly not the legitimate interest, but Monoprix never obtained my consent (and even flouted it).
Monoprix does not mention here the other third-party companies that collect my personal data, but, well hidden, it offers a link to a page hosted by Evidon. This page is an old-fashioned "opt-out" page where some of Monoprix's partners offer to install an "opt-out" cookie in your browser (while other partners offer nothing).
The Monoprix iOS app, managed by a service provider, also sells off your personal data
You might think that the Monoprix iOS app lets you do your grocery shopping; in reality, it mainly lets you manage your coupons. Let's look at the requests sent via Charles Proxy:
There is no call to the monoprix.fr domain: the app is hosted by Snapp, a Bordeaux agency, proof that Monoprix is considerably behind in its digital strategy. But you will not escape trackers, with:
- Adobe : via demdex.net and campaign.adobe.com, the American giant offers not only Photoshop but also a suite called Adobe Marketing Cloud. Monoprix (or rather Snapp) leaks my email address to Adobe.
- Facebook : the Monoprix app uses the Facebook toolbox.
- Google : used for its Firebase suite.
- Tune : via mobileapptracking.com, an attribution tool that allows Monoprix to understand which advertising campaigns are working.
- Segment : the tag manager for apps, which allows your personal data to be sent to other service providers.
And unfortunately, nothing is done to deactivate these trackers. One might say that, to use a coupon app, you already have to accept selling off your personal data, but the minimum would be for Monoprix to inform its customers and leave them in control.