EDIT June 6, 2021: Lemonde.fr has made some additional corrections:
- (+) Lemonde.fr always triggers AT Internet trackers upon arrival on its website. But AT Internet, provided that it is configured adequately and to make use of it strictly necessary for the functioning and day-to-day administration operations of the website, falls within the scope of the exemption from consent defined by the CNIL.
- (+) When you refuse to give your consent, Lemonde.fr blocks the loading of the Dailymotion video player, preventing it from leaking your personal data.
- (-) The blogging platform is unfortunately still forgotten, it leaks your personal data to Google Analytics before consent.
- (+) If we do not take into account AT Internet (consent exemption), Batch (notifications) and Google Firebase (technical), the iOS app does not track you at launch, nor when you refuse to give your consent.
EDIT September 20, 2020: Via Twitter (here and there), I was informed that Lemonde.fr had made corrections. After checks:
- (-) Lemonde.fr always leaks your personal data to AT Internet upon arrival on its website.
- (-) Lemonde.fr still does not offer an opt-out for AT Internet.
- (-) Lemonde.fr always leaks your connection data to AT Internet.
- (+) Your scroll no longer constitutes consent.
- (+) If you refuse to be monitored, Lemonde.fr now respects your choice and does not increase the number of trackers. In particular, legitimate interest is no longer pre-checked when you have refused to give your consent.
- (-) But Lemonde.fr has unfortunately forgotten its Dailymotion player, integrated from the home page. This does not respect your choices and leaks your personal data to various companies (and presents a curious timer, you have 10 seconds to react).
- (-) Lemonde.fr has also forgotten its blogging platform, whose articles are often highlighted via its home page. Example with this article highlighted on September 20: you may have refused trackers, but your personal data enriches multiple marketing companies.
- (-) Nothing changes on the iOS app: Lemonde.fr tracks you from the first launch and if you refuse tracking, monitoring continues.
You have already refused advertising monitoring, but that's not over: you have 10 seconds to refuse monitoring initiated by the Dailymotion video player. In fact, even if you bother to click Customize and "Refuse All" on the "Your privacy settings" from Dailymotion, monitoring continues.
EDIT September 2, 2020: I was able to complete the legal information (and correct typos) thanks to the explanations of @Cellular_PP, thank you!
Lemonde.fr leaks your personal data to AT Internet upon arrival on its website
Since August 15, Google has integrated the new “framework” for collecting consent of the advertising industry, the aptly named "Transparency and Consent Framework (TCF) v2.0" and publishers update their consent banners. An improvement in user experience? Not necessarily according to my French Twitter feed :
In England, it's not better :
In order to better understand what has changed among media sites, I chose to test Lemonde.fr, the “reference journal”, of which I am an occasional reader. To be honest, I didn't have a very good idea:
- Lefigaro.fr, historical rival, extensively stalks his readers, cf "Le Figaro, emblem of invasive advertising tracking on French media sites".
- Before their new versions, these consent banners were already misleading Internet users, see "Collecting consent on the internet: a widespread lie".
- Last December, Lemonde.fr was already leaking your personal data to numerous third parties including Russian companies, see "Weborama and Lemonde.fr, site slowness and leak of your personal data to Russia".
But you have the right to demand better respect for your privacy. In order to be aware of the tracking on the site Lemonde.fr, follow the following steps:
- Disable your adblocker.
- Delete cookies on Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
- Open the Chrome console (⌘+Option+J on Mac, Ctrl, Shift and J on PC), “Network” tab or launch Charles Proxy.
- Then go to the home page Lemonde.fr.
First observation: Le Monde does not allow you to refuse tracking directly, only to “Configure cookies”. This choice is contrary to the spirit of the GDPR, even if the CNIL is far behind in its implementation. Let's read for example the interview with the president of the CNIL in the newspaper... Le Monde, in February 2020:
This means that the Internet user will no longer have a big green button offering to “Accept” and a small text in a corner to refuse?
There must be symmetry between the two. Furthermore, users must be able to know the recipients of their data collected for advertising profiling purposes. There are texts in force which require the collection of free and informed consent but these recommendations are not generally implemented.
Reminder: The GDPR came into force in May 2016 and has been applicable since May 25, 2018 (cf. article 99 of the GDPR). Professionals have therefore had 4 years to prepare, the CNIL should therefore not postpone the applicability of the text in disregard of people's fundamental rights.
But Le Monde is perhaps waiting for the new recommendations (or even sanctions?!) from the CNIL to act... Let's now look at the requests sent:
3 lessons:
- Lemonde.fr calls two marketing companies to download their javascript files, Batch and Amplitude, no tracking hits here.
- Iubenda is the CMP (Consent Management Platform) used by Le Monde.
- After research, the subdomain buf.lemonde.fr turns out to be a “sex cache” for the French analytics company AT Internet, Le Monde allows it to track you even before you have given your consent.
Lemonde.fr does not offer an opt-out for AT Internet, in violation of the law
What can Lemonde.fr rely on to leak your personal data to AT Internet even before having received your consent? Maybe on one old exemption from the CNIL, hardly consistent with the spirit of the GDPR.
Except that this exemption found its source inArticle 6 of the CNIL deliberation of 2013, the conditions for placing cookies without consent are now specified in article 5 of the CNIL deliberation of July 2019. The fact that the CNIL leaves the article online could lead a site editor to indicate that the CNIL misled it, that consequently it was in good faith in not applying the 2019 deliberation, so the CNIL should modify its article.
But whether we look at the deliberation of 2013 or 2019, one rule remains obligatory: the implementation of the option "opt-out" : "it must have the ability to object via an opposition mechanism that can be easily used across all terminals, operating systems, applications and web browsers. No reading or writing operation must take place on the terminal from which the person objected".
So let's click on "Configure cookies":
Curious to know what is hidden behind these “Operational Cookies”?
Surprise! Alongside authentication cookies, Lemonde.fr places AT Internet trackers in the “Operational Cookies” category (and not “Analytical Cookies” as one might expect). The excuse given? The OJD, now named CMPA, a media audience certification body, which allows Le Monde to to brag regularly achieves good audience figures.
As a result of this classification of AT Internet in "Operational Cookies", the "opt-out" option has not been implemented, in violation of the conditions of the exemption.
Another rule that must be respected in order to benefit from the exemption is the information, which must take place before placing the cookie: "the person must be informed prior to their implementation" (the 2013 deliberation only indicated that the person had to be informed). Here again, Lemonde.fr violates the conditions of the consent exemption
Via a security breach, Lemonde.fr leaks your connection data to AT Internet
Let's continue the investigation into these calls to AT Internet, behind the subdomain buf.lemonde.fr, hides an obscure domain :
Domain which actually belongs to AT Internet :
This camouflage is carried out by a mechanism called domain delegation or CNAME. Lemonde.fr allows AT Internet to manage a subdomain in its name, via an alias mechanism. The interest for marketing companies is to override browser protections (such as Safari ITP or Firefox Enhanced Tracking Protection) and other adblockers (even if some adblockers such as uBlock Origin on Firefox manage to block these trackers).
The use of CNAME is dangerous, it can leak your connection data: cookies from the domain consulted (such as authentication cookies from lemonde.fr) can be sent to the tracker subdomain (like buf.lemonde.fr). So let's look at the requests sent to AT Internet when I am connected to the Lemonde.fr site:
AT Internet recovers all cookies from the domain lemonde.fr. In order to check if these cookies allow access to my Lemonde.fr customer account, I delete my cookies then via the Chrome extension Edit This Cookie, I enter the different cookies collected by AT Internet. Quickly, I realize that the “lmd_a_s” cookie allows me to connect to my account:
Magic! An AT Internet employee can thus access your account
I have already had the opportunity to talk about this security flaw in previous articles:
- Criteo encourages crime by encouraging many publishers to implement it, see "Criteo, a French surveillance marketing giant".
- On a media site, you might say to yourself that it's not that serious, but this flaw is sometimes implemented on more critical websites such as the Boursorama Banque customer area (flaw since corrected), cf. "Boursorama Banque leaks your connection data".
Refuse to be monitored, Lemonde.fr increases the number of trackers, notably via Weborama
Let's continue our journey on the Lemonde.fr consent banner:
Apart from operational cookies, everything is unchecked by default, Lemonde.fr also offers a “Refuse all” button. Good practice so, now let's click "Save and continue". Do you now expect to no longer be monitored?
Yes you are not dreaming, these are all the requests sent after having made the effort to refuse tracking. And this without consulting a single article or even reloading the page. In detail, here are the trackers which place cookies via HTTP header (some trackers also create cookies via javascript, or store identifiers in the browser's local storage), with personal identifier (pseudonym):
- Outbrain : the nasty articles at the bottom of the page also track you across the web, and on the website lemonde.fr without your consent.
- Weborama : French “data marketing” company working with Lemonde.fr, profiles you on the web and as you can read below, leaks your personal data to many other third parties.
- Index Exchange : via casalemedia.com, advertising monetization platform (SSP) used by Lemonde.fr via a system called "Header Bidding" (competition of advertising inventory on several marketplaces.
- TheTradeDesk : via adsrvr.org, advertising inventory purchasing platform, called by Index Exchange and Weborama.
- Criteo : world leader in retargeting and French, track you aggressively on the web and in apps, Lemonde.fr has installed its "Direct bidder" (allows Criteo to buy without paying commission to a monetization platform), Criteo is also called by Weborama.
- Nielsen : via exelator.com, the eXelate company redeemed by market research giant Nielsen in 2017 is also called by Weborama.
- Smart AdServer : French advertising monetization platform used by Lemonde.fr via "Header Bidding", also called by Weborama.
- Adobe : via everesttech.net, the American giant also offers a marketing suite, it is also called by Weborama.
- MediaMath : via mathtag.com, advertising inventory purchasing platform, called by Weborama.
- Temelio : via leadplace.fr, a French data marketing company, offers advertisers the ability to cross-reference your personal data online and offline, always via Weborama.
- Graphinium : via crm4d.com, a French company specializing in the reconciliation of online and offline personal data, again via Weborama.
- Yahoo : yes Yahoo still exists, it has been resurrected by Weborama.
- ZBO Media : via zebestof.com, French advertising inventory purchasing platform, called by Weborama.
- Sublime : via ayads.co, a French advertising monetization platform, specialized in page dressings ("Sublime Skinz"), integrated by Lemonde.fr via "Header Bidding".
- Pubstack ; via pbstck.com, French “Header Bidding” solution.
Like already seen last December, Lemonde.fr allows Weborama to leak your personal data to numerous companies, for the sole interest of Weborama. Below, the complete list of partners (including several Russian companies):
The partners with a small blue arrow in front were activated when the home page loaded (redirection from Weborama to the partner and therefore leak of my personal data), the others will potentially be activated when reading an article, joy!
Please note that certain advertising players respect your choice and do not place cookies: advertising monetization platforms AppNexus, Magnite (ex Rubicon) and above all Google (which has a privileged position at Lemonde.fr, being the main ad server and advertising monetization platform).
Well hidden, the information that your personal data can still be exploited via a dubious legal basis, "legitimate interest"
What can these advertising companies do with your personal data? Let’s return to the consent banner, and in particular to “Advertising targeting cookies”:
No mistake, you refused them. However, let's click on "See description and personalize":
Still no error, Lemonde.fr also informs you that by deactivating these cookies, advertisements unrelated to your supposed interests will be offered to you. Now let's click on "Personalize advertising tracking", and surprise! Many purposes are explained and consent is deactivated. But except for the purpose "Store and/or access information stored on a terminal" (that allowing actors to place a cookie with an advertising identifier), the box "Authorize the processing of your data on the basis of a legitimate interest for this purpose" is checked:
The purpose “Store and/or access information stored on a terminal” requires your consent (no legitimate interest here). The various advertising players violate your choices by placing cookies with advertising identifiers.
TCF v2 allows different advertising companies to declare legitimate interest as a legal basis for different purposes. But these actors often need an advertising identifier to achieve these purposes (for which your consent is always required)... It's the snake biting its tail!
Thus the advertising actors who monitor you would allow themselves different processing not on the legal basis of consent (reminder: you have already refused) but on the legal basis of legitimate interest, provided for by the GDPR. It is difficult to justify legitimate interest when it comes to purposes such as:
- Create a personalized advertising profile (= profile yourself).
- Select personalized advertisements (= influence you according to your profile).
It is likely that legitimate interest does not apply to most of the purposes presented on this consent banner. The CNIL reminds moreover that the legitimate interest can only be retained if the processing satisfies the condition of “necessity”, surveillance and targeted advertising are not “necessities”.
Uncheck the legitimate interest for the different purposes, nothing changes
Let's continue our marathon, to refuse legitimate interest for the different purposes, the "Refuse all" button does not work! A new "Dark Pattern"how we like them! You must uncheck the legitimate interest on each of the purposes individually, i.e. 9 clicks! Click "Save and continue" and observe the result:
Caramba, nothing changes! Looking at the detail, most of these actors continue to drop a cookie, as if nothing had happened.
Disable legitimate interest for each company individually?
All hope is not lost, let's go back to our consent banner, reproduce the different refusals and this time, scroll to the bottom of the "Personalize advertising tracking" window (be quick because Lemonde.fr has an auto-refresh which takes you back to the home page and forces you to redo all the steps):
You arrive at a growing list of partners (more than 500), some of which rely on legitimate interest for specific purposes. And even though you may have unchecked all the legitimate interest purposes in the previous step, these partners still have the legitimate interest box checked! Randomly, Google:
Google relies on consent for the first purpose "Store and/or access information stored on a terminal"(he has no choice, it's the law, and the TCF does not allow you to do otherwise). And in fact, Google did not place an advertising identifier on my computer (no doubleclick cookie IDE). Google, on the other hand, indicates that it relies on legitimate interest for various purposes, which is highly debatable:
Select standard advertisements; Create a profile to view personalized content; Select personalized content; Measure the performance of advertisements; Use market research to generate audience data; Develop and improve products.
Criteo is one of the companies that still tracks you, even after refusing consent. What purposes does it declare, and on what legal basis?
Criteo therefore declares to rely on consent for the first purpose "Store and/or access information stored on a terminal"(he has no choice, it's the law and the TCF does not allow you to do otherwise), it is never based on legitimate interest. Criteo violates the law since it places an advertising identifier on my computer without my consent (via the cookie uid), which is hardly surprising given the company's liabilities regarding violations of your privacy.
We also noted that Weborama, the “Trojan horse” leaking your personal data to multiple companies, did not respect your refusal of consent. What purposes does it declare, and on what legal basis?
Weborama declares to rely on consent for the first purpose "Store and/or access information stored on a terminal"(he has no choice, it's the law and the TCF does not allow you to do otherwise), but on legitimate interest for many other purposes. Weborama therefore violates the law by placing an advertising identifier on my computer without my consent (via the "AFFICHE_W" cookie), and allows itself to synchronize this advertising identifier with numerous other companies which can thus monitor me. The legitimate interest he claims for various purposes then allows him to profile me and exploit my surfing.
To what extent do adtech advertising companies abuse this notion of legitimate interest? To explore the issue further, you can read the publication by Célestin Matte, Cristiana Santos and Nataliia Bielova, “Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers?". In May 2020, only 325 adtech companies were registered with the TCF, but legitimate interest was widely used :
Obviously, I cannot refuse the legitimate interest for all these surveillance companies (more than 500 companies with which Lemonde.fr could theoretically work). Note that you shouldn't have to opt out of legitimate interest for every advertising company:
- Refusing consent in step 1 should allow you to refuse “Ad Targeting Cookies”: normally this is the end of the game for the advertising industry.
- If you continue browsing, the purpose "Store and/or access information stored on a terminal" cannot be based on legitimate interest, so here again, no other options than to rely on your consent to place a cookie with an advertising identifier.
- When you uncheck legitimate interest for different purposes, this applies to all advertising companies. You should not need to uncheck legitimate interest for any company specifically.
However, what happens if I refuse the legitimate interest in Weborama ("opt-out")?
As you can see...it's "business as usual". You are still being hunted extensively. In particular, Weborama always identifies you via an advertising identifier and always synchronizes this identifier with the small world of online advertising monitoring.
Lemonde.fr, its CMP Iubenda and adtech companies, a hellish trio
Let's summarize the obstacle course of a user who wants not to be tracked, and who follows the protocol put in place by Lemonde.fr and its service provider Iubenda (Consent Management Platform):
- When arriving on Lemonde.fr, do not scroll or click on an article because via a flaw introduced by the CNIL in a deliberation dating from 2013 2013, "continuing to browse constitutes agreement to the placement of Cookies on your terminal". And obviously Lemonde.fr uses this flaw, which is no longer valid.
- Indeed, this deliberation was repealed in July 2019, the new deliberation indicates : "The strengthening of individuals' rights leads the Commission to repeal its deliberation no. 2013-378 of December 5, 2013 adopting a recommendation relating to cookies and other tracers covered by article 32-II of the law of January 6, 1978 (hereinafter "the cookies and other tracers recommendation") to replace it with these guidelines. These guidelines will be supplemented subsequently by sectoral recommendations aimed in particular at specifying the practical arrangements for obtaining consent.". But the legal value of the recommendations does not, however, postpone the application of ePrivacy, nor of the GDPR, nor of the new deliberation.
- On the scroll in particular, the 2019 deliberation indicates: “The Commission emphasizes that consent must be manifested through a positive action by the person previously informed of the consequences of their choice and having the means to exercise it. Continuing to browse a website, using a mobile application or scrolling down the page of a website or mobile application do not constitute clear positive actions amounting to valid consent".
- Despite these precautions, you are already being tracked by AT Internet, Lemonde.fr is already violating the law.
Let's continue our test of the consent banner:
- So click on "Configure cookies", because there is no first-level choice to refuse cookies (unlike the " buttonAccept" at the first level).
- Realizing that Lemonde.fr is violating again the law by not allowing opt-out.
- The "Advertising targeting cookies" are unchecked, but most advertising companies continue to monitor you (notable exception, Google). Click on "See description and customize" at the bottom of the window in order to understand if we can avoid this surveillance.
- Read that advertising services adhere to the IAB Transparency and Consent Framework, and that it is unchecked, but still click on "Personalize advertising tracking".
- Notice on the next page that these advertising services use your personal data for various purposes (10 purposes and 2 special purposes for which you have no control), and that if consent is unchecked for these purposes, legitimate interest is checked for almost all purposes except one ("Store and/or access information stored on a terminal" requires your consent). As there are no buttons to uncheck legitimate interest for these different purposes at once, uncheck them one by one (9 clicks). Realize that this has no effect on the advertising companies who continue to monitor you.
- At the very bottom of this long window, click on "Manage preferences for each advertising service", realize that there are more than 500 partners who can theoretically monitor you (Lemonde.fr could also considerably skim the list, many players are too small or absent from the French market). Also realize that you may have unchecked the legitimate interest for the different purposes in the previous step, the legitimate interest box is still checked with a good number of these companies, for various purposes.
- Having no option to suddenly uncheck the legitimate interest for each of the companies, uncheck Weborama, a “Trojan horse” of advertising monitoring, and realize that it has no effect. Weborama continues to monitor you and allow many other companies to monitor you.
A journey of death therefore, thanks to Lemonde.fr, its CMP Iubenda and advertising companies that don't care about your choices and your privacy. A final point on Iubenda, the service provider which allows Lemonde.fr to offer you this banner for collecting consent for such a difficult process. Its job is to collect and transmit your choices to the different advertising companies, verifying that the signal collected and then transmitted to the advertising companies is correct.
This is the signal transmitted when you simply ignore the advertising banner by scrolling on the home page of the Lemonde.fr site (what constitutes consent thanks to the CNIL). How was I able to get it back? Via Charles or the Chrome console, retrieve the "gdpr_consent" field from a request sent to an advertising actor and decode the character string via this site (TCF v2):
I just stuck but obviously it's a "free, specific, informed and unequivocal consent". Now let's look at the signal sent when you have refused consent and legitimate interest for each of the proposed purposes:
Iubenda does not provide the value of the variables representing the different purposes of consent and legitimate interest. It turns out that if we read the TCF v2 specification, it is correct:
If the variables purposeConsents and purposeLegitimateInterests are not defined, this must be interpreted as “No consent” (therefore no cookies with advertising identifiers) and “Legitimate interest not established”.
Good news, no Google monitoring... nor advertising delivered by Google
If Lemonde.fr, its CMP and the small world of advertising monitoring manage to violate your choices and continue to monitor you, we can nevertheless note that when you take the trouble to click on "Personalize" on the consent banner, then click on "Save and continue", Google no longer places cookies, and the number of advertisements drops sharply, allowing you to have a slightly better reading experience.
Why? The first version of TCF (Transparency & Consent Framework), the protocol set up by the IAB (the advertising industry) to collect and propagate consent signals throughout the advertising chain, was not supported by Google.
Since August 15, Google supports TCF v2. For customers of its Google Ad Manager monetization platform (such as Lemonde.fr), Google is required to respect user choices. Here is how it communicates about the first purpose, "To store and/or access information on a device" :
Several interesting information here:
Google is not capable of delivering advertising without monitoring you (a.k.a. without placing the doubleclick cookie IDE). What reasons does he give? Google says it needs it to detect fraud and abuse, to limit the number of exposures to the same ad ("frequency capping") and to provide aggregated reports.
Google says it needs your consent to store cookies or mobile identifiers, even for non-targeted ads. If we read his "User consent rules in the European Union", but also Help with user consent rules in the European Union", Google indicates that this obligation comes from the "cookie provisions of the EU Electronic Privacy Directive" (also called ePrivacy directive) :
Google needs user identifiers to measure the performance of advertisements, therefore your consent:
Without consent for the first purpose, publishers must not call Google (Lemonde.fr does not take this into account and calls Google). If Google is called, it will not deliver advertising (and indeed, no advertising served through Google).
Legal explanations on the need for consent for storing cookies
Be careful, this is technical, thanks to @Cellular_PP for his detailed explanations. Let's start from Directive 2002/58/EC, article 5 paragraph 3 (I put the interesting passage in bold):
Member States shall ensure that the use of electronic communications networks with a view to storing information or accessing information stored in the terminal equipment of a subscriber or user is permitted only on condition that the subscriber or user is provided, in compliance with Directive 95/46/EC, withclear and complete information, among other things on the purposes of the processing, and that the subscriber or user has the right to refuse such treatment by the data controller. This provision does not prevent technical storage or access aimed exclusively at effecting or facilitating the transmission of a communication via an electronic communications network, or strictly necessary for the provision of an information society service expressly requested by the subscriber or user.
Directive 2009/136/EC, applicable since 2012, modifies article 5 paragraph 3 (in bold, observe the introduction of consent):
Member States shall ensure that the storage of information, or obtaining access to information already stored, in the terminal equipment of a subscriber or user is permitted only on condition that the subscriber or user gave his consent, after having received, in compliance with Directive 95/46/EC, clear and complete information, among other things on the purposes of the processing. This provision does not prevent technical storage or access aimed exclusively at carrying out the transmission of a communication via an electronic communications network, or strictly necessary for the supplier for the provision of an information society service expressly requested by the subscriber or user.
The French transposition is in article 82 of the data processing and freedom law.
The notion of consent is mentioned in article 2 of the same directive 2002/58/EC :
the "consent" of a user or subscriber corresponds to the "consent of the data subject" contained in Directive 95/46/EC
Here is the famous definition of consent, in Article 2 of Directive 95/46/EC
“consent of the data subject”: any free, specific and informed expression of will by which the data subject accepts that personal data concerning him or her may be processed.
What is the link between these “ePrivacy” directives and the GDPR on this obligation of consent? Article 95 of the GDPR indicates not to impose additional obligations:
This Regulation does not impose additional obligations on natural or legal persons with regard to processing in the context of the provision of publicly available electronic communications services on public communications networks in the Union in relation to those aspects for which they are subject to specific obligations having the same objective set out in Directive 2002/58/EC.
A review of the@EU_EDPB clarifies the relationship between the two texts.
Point 28 of the opinion states that Article 5 paragraph 3 applies to cookies:
The overarching aim of the ePrivacy Directive is to ensure the protection of fundamental rights and freedoms of the public when they make use of electronic communication networks. In light of this aim, articles 5(3) and 13 of the ePrivacy Directive apply to providers of electronic communication services as well as website operators (e.g. for cookies) or other businesses (e.g. for direct marketing).
Point 40 of the opinion indicates that when Article 5 paragraph 3 mentions that consent is required, it is not possible to use other bases:
A similar situation occurs with regards article 5(3) of the ePrivacy Directive, insofar as the information stored in the end-user’s device constitutes personal data. Article 5(3) of the ePrivacy Directive provides that, as a rule, prior consent is required for the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user. To the extent that the adopted information stored in the end-users device constitutes personal data, article 5(3) of the ePrivacy Directive shall take precedence over article 6 of the GDPR with regards to the activity of storing or gaining access to this information. The outcome is similar in the interplay between article 6 of the GDPR and articles 9 and 13 of the ePrivacy Directive. Where these articles require consent for the specific actions they describe, the controller cannot rely on the full range of possible lawful grounds provided by article 6 of the GDPR.
Conclusion: it is indeed illegal to pretext legitimate interest in order to place a cookie with an advertising identifier.
Respecting your privacy, the great fear of adtech
While reading the press, we can follow the thinking of advertising agencies:
- Google no longer delivers advertising via Google Ad Manager if the Internet user does not give their consent. The majority of French news sites use Google Ad Manager as an advertising distribution and monetization tool.
- The current consent banners disgust the vast majority of Internet users, but the CNIL must issue new recommendations, to finally respect the spirit of the GDPR.
Potential consequence if the CNIL one day does its job: a real consent mechanism (like placing the "Accept" and "Refuse" buttons at the same level, or better, a simple choice at the browser level) with real sanctions in the event of violation of the law. Here is a reaction representative of the adtech sector:
Since the Internet user's refusal has no impact on their browsing experience, it is dramatic to put this option on the same footing as acceptance, protests an adtech boss
Obviously, refusing consent would have a huge impact on the browsing experience: you would no longer be tracked (bonus, no more intrusive advertising) and page loading times would be greatly reduced.
Advertising agencies would be well advised to ask themselves the right questions: are the sharp deterioration of the user experience and generalized surveillance the solution to their economic problems? Not really if we look at the poor financial health of news sites, infused with intrusive advertising. As such, you can read these 2 excellent articles:
- On Wired, "Can Killing Cookies Save Journalism?": The experience of Dutch public radio (equivalent to France Info), which now earns more money through untargeted advertising than before.
- On Forbes, "Marketers And Publishers Are Making More Money By Using Less Adtech": explanations of how adtech intermediaries monopolize the majority of the money spent by advertisers, preventing publishers from making a decent living.
What should you do on your side? As always, do not rely on websites to respect your choices, but equip yourself with an adblocker such as uBlock Origin.
On its iOS app, Le Monde tracks you from the first launch
On Smartphone, you do not have to go through the Lemonde.fr website, you can also use the application. Is it more respectful of your privacy? In order to test the Le Monde iOS app, I followed the following procedure on my iPhone:
- Closing the various background applications.
- Installation of the Le Monde application.
- Launch of the Charles Proxy application and enabling tracking.
- Launch of the Le Monde application.
As on its website, Le Monde clearly displays its consent banner, without offering a first-level option to refuse trackers. Let's look at the tracers sent via the export of logs from my Charles Proxy session to my computer:
Even before setting up the consent banner, Le Monde has already leaked your personal data to several companies:
- Accengage : French push notifications tool, redeemed in 2018 by mobile marketing company Airship.
- Google : Le Monde uses Firebase, the application developers' toolkit.
- AT Internet : the French analytics company also tracks you on the Le Monde app.
- Batch : mobile CRM and push notifications solution.
- Outbrain : the fucking articles, also on Appli.
- Microsoft : via appcenter.ms, Le Monde uses Visual Studio App Center to manage the continuous integration and delivery of its application.
Refuse tracking, continuous monitoring
Return to the consent banner and click on “Configure cookies”:
First (bad) surprise: all the purposes are pre-checked, this is not really the spirit of the GDPR. Let's look at the details of "Operational Cookies":
So once again, Le Monde considers (wrongly) that AT Internet trackers can be classified as operational cookies, without offering you an opt-out. The ranking of Accengage, Batch and Google in operational cookies is also questionable. Now uncheck the different purposes, consult 3 articles and observe the trackers:
Surveillance therefore continues, with the same companies but also an additional guest: Smart AdServer, a French adserver, used by Le Monde for its application.
How to protect yourself? While waiting for possible sanctions from the CNIL, you can use apps such as DNSCloak, Adguard or NextDNS on iOS.