The website multiplies the trackers, from the home page
In these times of confinement, mass distribution is experiencing a boom in online orders (as well as frequent unavailability). So, having purchasing habits at Monoprix, I wanted to know more about how their website managed my personal data. Let's start the investigation on monoprix.fr :
- Disable your adblocker.
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
- Open the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), “Network” tab or launch Charles Proxy.
- Then go to the home page monoprix.fr.
- Don't surf, but observe the different third-party companies that track you.
And the list of trackers is long, I had to take 2 captures:
Note that all of these trackers were triggered before I could even play with the consent banner to signify that I did not want to be tracked. These headbands are today unfortunately a dark joke, because in addition to being unbearable for the user, they rarely work properly.
Here are the companies that track you from the Monoprix home page, without consent:
- Google : Via its advertising service for businesses Doubleclick, and via Google Analytics.
- AB Tasty : French A/B testing and site personalization tool.
- Commanders Act : via commander1.com, French Tag Management tool, This is supposed to trigger the other trackers when the conditions are met, according to rules pre-established by Monoprix. Obviously, Monoprix does not take your consent into account to trigger numerous tags.
- Affiliation : French affiliation tool. How does affiliation work? A website that advertises Monoprix products will receive a commission if a user clicks on this ad and then purchases a product.
- Evidon : renamed Crownpeak, offers a tool for collecting consent for websites.
- Eulerian : French analytics, attribution (determining which advertising campaign is the most effective) and Data Management tool, it allows Monoprix to better profile you.
- Facebook : we no longer present, Facebook trackers are unfortunately omnipresent on the web.
- Salecycle : data management tool for e-commerce sites, analyzes customer behavior to maximize Monoprix sales.
- 3W.Relevanc : alias 3WRégie, modestly presents itself as "the French leader in the collection, measurement, targeting and monetization of audiences and transactional data".
- Mediarithmics : French advertising space purchasing platform and data management tool, whose role I had already mentioned for Showroomprive and Fnac.
- Outbrain : world leader in sponsored articles, you have probably noticed the stupid titles at the bottom of the press articles, it's mostly them.
- AppNexus : via the domain adnxs.com, bought by AT&T, it is one of the leaders in adtech (far behind Google), provides an advertising space purchasing platform for advertisers, and a monetization solution for publishers.
- CapitalData : via kdata.fr, a French company which profiles you by mixing your online and offline data. According to their website: By creating the interface between digital contact points (emails, content consultation, online purchase) and events or interactions generated in real life (store visits, shopping cart), we facilitate the implementation of digital activation strategies to develop incremental sales in store.
At Monoprix, all cookies are welcome, even the most intrusive.
Deny consent, third-party trackers are still everywhere
If now, unlike almost all Internet users, you decide to click on the consent banner and refuse the leak of your personal data to third parties:
Note that you must click on the red “I accept” button to refuse tracking, but that the audience measurement, site personalization and advertising tools should now be deactivated. Then continue your surfing on Monoprix and observe the requests sent by your browser:
The tracking continues, with the same marketing companies that we talked about previously (including Google and Facebook, still omnipresent), but also new marketing companies:
- Rakuten Advertising : via nxtck.com, the advertising division of the Japanese e-Commerce giant, which bought the French retargeter NextPerformance in 2016.
- Target2Sell : French product recommendation tool.
- Criteo : French company, the world leader in retargeting.
Log in and tracking becomes permanent
Without being logged in, it is still possible to delete cookies. Also, your personal data is not associated with nominative data. What happens when you connect to your Monoprix to place your order? To check, I first refused third-party tracking via the consent banner offered by Monoprix, then I logged in.
Here again, the list of trackers is long and I had to take 2 captures:
Which third parties collect permanent personal data?
- Salecycle : this company collects my browsing data (all Monoprix products consulted) as well as my first name, my last name, my phone number and my email !
- CapitalData : via kdata.fr, this company recovers a hash from my email, which allows it to track me permanently, whatever the terminal with which I connect, and whatever the application (not just on Monoprix). She also gets my Monoprix account id. She also recovers a fingerprint from my computer, which is another "dirty" technique to stalk me. It also synchronizes its user identifiers with AppNexus, the platform for purchasing advertising space (which allows it to retarget me).
- 3W.Relevanc : alias 3WRegie, in addition to recovering a hash my email, my Monoprix account ID and all of my products consulted, this company also recovers my age, gender and postal code.
- Target2Sell : get my monoprix account id as well as my navigation.
- Criteo : the famous French retargeter recovers my monoprix account id as well as my navigation.
- Rakuten Advertising : via nxtck.com, get a hash of my email address as well as my navigation.
Thus Monoprix leaked permanent and sometimes even nominative personal data while I refused third-party tracking, clearly breaking the contract of trust that I might have. What happens if I accept third-party tracking (i.e. by not setting the consent banner but by closing it)? Exactly the same thing, the same trackers are triggered, with the same personal data.
Monoprix outsources its cookie “control” page
If we now consult the "Personal data protection charter" from Monoprix, we can read a passage on the 3W retargeters RelevanC, Criteo and Capital Data:
What is the legal basis for this collection? Certainly not the legitimate interest, but Monoprix never obtained my consent (and even flouted it).
Monoprix does not mention here the other third party companies which collect my personal data, but well hidden, offers a link to a page hosted by Evidon. This page is an old-fashioned "opt-out" page where some of Monoprix's partners offer to install an "opt-out" cookie on your browser (while other partners offer nothing).
The Monoprix iOS app, managed by a service provider, also sells off your personal data
One might believe that the Monoprix iOS app allows you to do your shopping, it's actually just about being able to manage your coupons. Let's look at the requests sent via Charles Proxy :
There is no call to the domain monoprix.fr, the app is hosted by Snapp, a Bordeaux agency, proof that Monoprix is considerably behind in its digital strategy. But you won't escape trackers with:
- Adobe : via demdex.net and campaign.adobe.com, the American giant not only offers Photoshop but also a suite called Adobe Marketing Cloud. Monoprix (or rather Snapp) leaks my email address at Adobe.
- Facebook : the Monoprix app uses the Facebook toolbox.
- Google : used for its Firebase suite.
- tune : via mobileapptracking.com, an attribution tool, allows Monoprix to understand which advertising campaigns are working.
- Segment : the tag manager for Apps which allows you to send your personal data to other service providers.
And unfortunately, nothing is done to deactivate these trackers. We could say that to use a coupon app, you must already agree to selling off your personal data, but the minimum would be that Monoprix informs its customers and leaves them in control.