Monoprix sells off your personal data

Your Monoprix shopping cart is the worst-kept secret on the web

Published by Pixel de Tracking on April 13, 2020

The website is packed with trackers, right from the home page

In these lockdown times, grocery retail is seeing a boom in online orders (as well as frequent unavailability). Since I regularly shop at Monoprix, I wanted to know more about how their website managed my personal data. Let's start the investigation on monoprix.fr:

  • Disable your ad blocker.
  • Delete cookies in Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account.
  • Open the Chrome console (⌘+Option+J on Mac, Ctrl+Shift+J on PC) and select the “Network” tab, or launch Charles Proxy.
  • Then go to the home page monoprix.fr.
  • Do not browse; just watch the various third-party companies that track you.

And the list of trackers is long; I had to take 2 screenshots:

[Screenshots: home1, home2]

Note that all these trackers were triggered before I could even interact with the consent banner to say that I did not want to be tracked. These banners have sadly become a grim joke: on top of being unbearable for users, they rarely work properly.

[Screenshot: Monoprix cookie banner]

Here are the companies that track you from the Monoprix home page, without consent:

  • Google: via its advertising service for businesses, DoubleClick, and via Google Analytics.
  • AB Tasty: a French A/B testing and site personalization tool.
  • Commanders Act: via commander1.com, a French tag management tool. It is supposed to trigger the other trackers when the right conditions are met, according to rules set in advance by Monoprix. Clearly, Monoprix does not take your consent into account before firing numerous tags.
  • Effiliation: a French affiliate marketing tool. How does affiliate marketing work? A website that advertises Monoprix products earns a commission if a user clicks on the ad and then buys a product.
  • Evidon: since renamed Crownpeak, offers websites a tool for collecting consent.
  • Eulerian: a French analytics, attribution (determining which advertising campaign is the most effective) and data management tool that helps Monoprix profile you more precisely.
  • Facebook: needs no introduction; Facebook trackers are unfortunately everywhere on the web.
  • Salecycle: a data management tool for e-commerce sites that analyzes customer behavior to maximize Monoprix's sales.
  • 3W.Relevanc: also known as 3WRégie, which modestly presents itself as "the French leader in the collection, measurement, targeting and monetization of audiences and transactional data".
  • Mediarithmics: a French ad space buying platform and data management tool, whose role I had already covered for Showroomprive and Fnac.
  • Outbrain: world leader in sponsored articles. You have probably noticed the trashy clickbait headlines at the bottom of news articles; that's mostly them.
  • AppNexus: via the domain adnxs.com, bought by AT&T, it is one of the leaders in adtech (far behind Google), providing an ad space buying platform for advertisers and a monetization solution for publishers.
  • CapitalData: via kdata.fr, a French company that profiles you by combining your online and offline data. According to its website: "By creating the interface between digital contact points (emails, content consultation, online purchase) and events or interactions generated in real life (store visits, shopping cart), we facilitate the implementation of digital activation strategies to develop incremental sales in store."

[Image: the good Monoprix cookies]

At Monoprix, all cookies are welcome, even the most intrusive.
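The Network-tab observation above can be repeated on a saved HAR export. The following is an added example, not code from the original article: it counts third-party requests that started before the moment you touched the consent banner. The function names, the sample hosts and paths, and the consent timestamp are assumptions; the domain-to-vendor table uses only the domains named in this article, and `site()` is a simplification that ignores the public suffix list.

```python
import json
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Tracking domains named in this article, mapped to the vendor it gives.
VENDORS = {
    "commander1.com": "Commanders Act",
    "adnxs.com": "AppNexus",
    "kdata.fr": "CapitalData",
    "nxtck.com": "Rakuten Advertising",
    "demdex.net": "Adobe",
    "mobileapptracking.com": "Tune",
}

def site(host):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def _ts(value):
    """Parse a HAR ISO-8601 timestamp, accepting the trailing 'Z' form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_har(path):
    """Load a HAR file saved from the DevTools Network tab."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def third_parties_before(har, first_party, consent_time):
    """Count third-party requests that started before the consent click."""
    cutoff, own, hits = _ts(consent_time), site(first_party), Counter()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        domain = site(host)
        if domain == own or _ts(entry["startedDateTime"]) >= cutoff:
            continue  # first-party request, or fired after the banner click
        hits[(domain, VENDORS.get(domain, "unknown"))] += 1
    return dict(hits)

def _entry(url, started):
    return {"startedDateTime": started, "request": {"url": url}}

# Constructed sample HAR: hosts, paths and timestamps are made up.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.monoprix.fr/", "2020-04-13T10:00:00.000Z"),
    _entry("https://cdn.commander1.com/tag.js", "2020-04-13T10:00:00.400Z"),
    _entry("https://ib.adnxs.com/px?a=1", "2020-04-13T10:00:00.900Z"),
    _entry("https://ib.adnxs.com/px?a=2", "2020-04-13T10:00:01.100Z"),
    _entry("https://t.kdata.fr/sync", "2020-04-13T10:00:09.000Z"),
]}}
```

Any non-empty result for a timestamp taken before you interacted with the banner means tags fired without a consent signal.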

Refuse consent, and third-party trackers are still everywhere

Suppose that this time, unlike almost every Internet user, you decide to click on the consent banner and refuse to let your personal data leak to third parties:

[Screenshot: Monoprix - refusal tracking]

Note that you have to click the red “I accept” button to refuse tracking. Once you have, audience measurement, site personalization and advertising tools should be disabled. Then continue browsing Monoprix and observe the requests sent by your browser:

[Screenshot: Monoprix - negative consent]

The tracking continues, with the same marketing companies that we talked about previously (including Google and Facebook, still omnipresent), but also new marketing companies:

Log in and tracking becomes permanent

As long as you are not logged in, you can still delete the cookies, and your personal data is not tied to your real-world identity. So what happens when you log in to your Monoprix account to place an order? To find out, I first refused third-party tracking via Monoprix's consent banner, then logged in.

Here again, the list of trackers is long and I had to take 2 screenshots:

[Screenshots: Monoprix - connected tracking 1, Monoprix - connected tracking 2]

Which third parties collect permanent personal data?

  • Salecycle: this company collects my browsing data (every Monoprix product I viewed) as well as my first name, my last name, my phone number and my email!
  • CapitalData: via kdata.fr, this company collects a hash of my email, which lets it track me permanently, whatever device I use and whatever app I am on (not just Monoprix). It also gets my Monoprix account ID, along with a fingerprint of my computer, another dirty technique for tracking me. It also syncs its user identifiers with AppNexus, the ad space buying platform (which lets it retarget me).
  • 3W.Relevanc: also known as 3WRégie; on top of a hash of my email, my Monoprix account ID and every product I viewed, this company also collects my age, gender and postal code.
  • Target2Sell: gets my Monoprix account ID as well as my browsing history.
  • Criteo: the famous French retargeter collects my Monoprix account ID as well as my browsing history.
  • Rakuten Advertising: via nxtck.com, gets a hash of my email address as well as my browsing history.

Monoprix therefore leaked persistent, and sometimes even directly identifying, personal data while I had refused third-party tracking, clearly breaking any trust I might have had. What happens if I accept third-party tracking (i.e. by not configuring the consent banner and simply closing it)? Exactly the same thing: the same trackers are triggered, with the same personal data.
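To check for this kind of leak in your own session, you can search a HAR export for your own email address in plain text and as common digests. This is an added example, not code from the original article: the article does not say which hash algorithm each vendor uses, so MD5, SHA-1 and SHA-256 of the trimmed, lower-cased address are tried as an assumption, and the function names, sample address, hosts and parameters are constructed.

```python
import hashlib
from urllib.parse import unquote, urlsplit

def email_markers(email):
    """Forms in which an email address may appear in a tracker call."""
    norm = email.strip().lower()
    markers = {"plaintext": norm}
    for algo in ("md5", "sha1", "sha256"):  # assumed candidates
        markers[algo] = hashlib.new(algo, norm.encode()).hexdigest()
    return markers

def find_email_leaks(har, email, first_party):
    """Return sorted (host, marker) pairs for third-party requests
    whose URL or body carries the email or one of its digests."""
    markers = email_markers(email)
    leaks = set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if host == first_party or host.endswith("." + first_party):
            continue  # sending the email to the shop itself is expected
        body = req.get("postData", {}).get("text", "")
        haystack = (unquote(req["url"]) + " " + unquote(body)).lower()
        for kind, value in markers.items():
            if value in haystack:
                leaks.add((host, kind))
    return sorted(leaks)

# Constructed sample: the address, hosts, paths and parameters are made up.
EMAIL = "jane.doe@example.com"
_m = email_markers(EMAIL)
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.monoprix.fr/login",
                 "postData": {"text": "email=jane.doe%40example.com"}}},
    {"request": {"url": "https://t.kdata.fr/sync?h=" + _m["sha256"]}},
    {"request": {"url": "https://x.nxtck.com/p?em=" + _m["md5"].upper()}},
    {"request": {"url": "https://collect.thirdparty.example/c",
                 "postData": {"text": "mail=Jane.Doe%40example.com"}}},
    {"request": {"url": "https://ib.adnxs.com/px?uid=12345"}},
]}}
```

A digest match is as identifying as the plain address, because any party holding the same email can compute the same value.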

Monoprix outsources its cookie “control” page

If we now turn to Monoprix's "Personal data protection charter", we find a passage about the retargeters 3W RelevanC, Criteo and Capital Data:

[Screenshot: Monoprix - target advertising]

What is the legal basis for this collection? Certainly not legitimate interest, and Monoprix never obtained my consent (it even flouted it).

Monoprix does not mention the other third-party companies that collect my personal data here, but, well hidden, it does offer a link to a page hosted by Evidon. This is an old-fashioned "opt-out" page where some of Monoprix's partners offer to install an "opt-out" cookie in your browser (while others offer nothing at all).

The Monoprix iOS app, managed by a service provider, also sells off your personal data

You might think that the Monoprix iOS app lets you do your grocery shopping; in reality, it mainly lets you manage your coupons. Let's look at the requests sent via Charles Proxy:

[Screenshot: Monoprix - iOS]

There is not a single call to the monoprix.fr domain: the app is hosted by Snapp, a Bordeaux agency, which goes to show how far behind Monoprix is on its digital strategy. But you still will not escape the trackers:

  • Adobe: via demdex.net and campaign.adobe.com, the American giant offers not only Photoshop but also a suite called Adobe Marketing Cloud. Monoprix (or rather Snapp) leaks my email address to Adobe.
  • Facebook: the Monoprix app uses the Facebook toolkit.
  • Google: used for its Firebase suite.
  • Tune: via mobileapptracking.com, an attribution tool that lets Monoprix work out which advertising campaigns are working.
  • Segment: the tag manager for apps, used to forward your personal data to other service providers.

And, as bad luck would have it, nothing is provided to turn these trackers off. One could argue that using a coupon app already means accepting that your personal data will be sold off, but the least Monoprix could do is inform its customers and leave them in control.