Cookie Management and Consent: is Boursorama playing with fire?

Adblocker non grata, a third-party cookie disguised for tracking, acceptance of cookies by default, preference choices that are not systematically recorded … The online banking site Boursorama has implemented a management of cookies and consent that is far from flawless, but the company says it complies with the recommendations of the CNIL.

There is sometimes (often) a gap between theory and practice. This is usually the case with the General Data Protection Regulation (GDPR, RGPD in French) and in particular the guidelines on the use of cookies by websites. The decision of the Council of State of June 19, 2020, siding with website publishers on blocking access for internet users who refuse cookies, even though the CNIL considers cookie walls to be contrary to the GDPR, came as a bolt from the blue. “The CNIL is continuing its work on drafting recommendations and guidelines regarding cookies and other tracers. The guidelines are therefore being adapted to take account of this decision [of the Council of State]. This adjustment and the adoption of this recommendation by the CNIL College should take place after the return from the summer break in September 2020, according to a schedule that has yet to be specified,” the commission explained to us.

In this still fluid legal context, websites are doing their best, or not, to apply the regulation while waiting for a clearer legal framework. In the case of Boursorama, however, the efforts made in managing cookies and consent seem far from bearing fruit, and it has been suggested that the choices made by the online bank do indeed raise questions in this area. Start with the tracking of the activity of users and customers of Boursorama services inside their own customer area. To counter ad blockers that could “interfere with good navigation” and prevent “zero risk consultation” of accounts, Boursorama has set up a personalised subdomain (c0011.boursorama.com), registered as a CNAME record in the DNS, which actually points to a host belonging to AT Internet and thereby allows browser protections and ad blockers to be bypassed.

Using a CNAME managed by a third party, in this case AT Internet, can also pose a security risk. Indeed, a malicious person at the service provider, or an employee targeted by social engineering, with access to the technical logs and the required privilege level could retain session logs and possibly log in in place of the user. “It’s a potential source of security breaches, and the contractual framework, in turn, requires a security commitment. Otherwise, Boursorama can be blamed for negligence in using partners,” said Florence Bonnet, Associate Director for Data at the consulting firm TNP. “There is no such thing as zero risk, but it is very theoretical here; it takes a number of factors to get there, and even if it were, the malicious person could not do anything because all the sensitive operations are protected,” Aurore Gaspar, deputy general manager of Boursorama, told us.

Boursorama is far from being an isolated case

“A CNAME makes it possible to create subdomains and dummy URLs that slip past the ad blockers built into browsers, because marketing and advertising data are then identified as first-party and not third-party data,” said a digital marketing expert who preferred to remain anonymous. “The goal is to disguise third-party cookies a bit by presenting them as first-party cookies,” said Florence Bonnet. “This helps circumvent measures taken by browsers that want to block them.” On Boursorama’s side, however, there is no desire to hide anything. “When customers arrive on the site, they are not tracked until they have given their consent, either by accepting the installation of cookies or by configuring them in the cookie management console,” said Aurore Gaspar.

But why go to so much trouble to disguise a third-party cookie as a first-party one? “Chrome deletes third-party cookies, but not first-party cookies. This allows Boursorama to follow up on the person from the moment the person gives their consent,” continues the anonymous digital marketing expert. “Unfortunately, Boursorama is not an isolated case; it is still very common in France today.” And Florence Bonnet adds: “For us, Boursorama is a bad student. We see that companies are clearly complying with the regulations. We cannot say this is the case if third-party cookies that track are insufficiently qualified and therefore the consent is not valid. It’s up to the person to come forward; it’s an abusive practice, but in this case it’s not just Boursorama.”
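As a defender-side illustration of the mechanism discussed above (an added example, not code from Boursorama, AT Internet or this article), the following Python script walks a constructed DNS zone to flag a subdomain whose CNAME chain ends outside the site's own registrable domain, then lists which cookies a browser would send to that host under RFC 6265 domain matching, which is what exposes domain-scoped cookies to the third party. The zone, the cookie names and the example-analytics.test target are constructed; only the c0011 label comes from the article, and the registrable-domain helper is a deliberate simplification.

```python
from collections import namedtuple

# Constructed zone data (not real DNS): hostname -> CNAME target, None = terminal.
# The c0011 label comes from the article; every other name is a placeholder.
ZONE = {
    "www.example-bank.test": None,
    "c0011.example-bank.test": "collector.example-analytics.test",
    "collector.example-analytics.test": None,
}

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); assumption: a real tool uses the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def resolve_chain(host: str, zone: dict, max_hops: int = 8) -> list:
    """Follow CNAMEs from host; stop at a terminal name or after max_hops."""
    chain = [host]
    while zone.get(chain[-1]) is not None and len(chain) <= max_hops:
        chain.append(zone[chain[-1]])
    return chain

def cloaked_target(host: str, zone: dict):
    """Return the final CNAME target when it sits under a different registrable
    domain than host (the CNAME-cloaking pattern), otherwise None."""
    final = resolve_chain(host, zone)[-1]
    if final != host and registrable_domain(final) != registrable_domain(host):
        return final
    return None

# domain: the Domain attribute if set, else the setting host; host_only: no Domain given.
Cookie = namedtuple("Cookie", "name domain host_only")

def cookies_sent_to(host: str, cookies: list) -> list:
    """RFC 6265 domain matching: host-only cookies go back only to the exact
    host; domain cookies go to that domain and all of its subdomains."""
    h, sent = host.lower(), []
    for c in cookies:
        d = c.domain.lower().lstrip(".")
        if (h == d) if c.host_only else (h == d or h.endswith("." + d)):
            sent.append(c.name)
    return sent

COOKIES = [  # constructed sample cookies
    Cookie("SESSIONID", "www.example-bank.test", host_only=True),
    Cookie("customer_pref", ".example-bank.test", host_only=False),
]

def audit(host: str, zone: dict = ZONE, cookies: list = COOKIES) -> dict:
    target = cloaked_target(host, zone)
    return {"host": host, "cloaked_to": target,
            "cookies_exposed": cookies_sent_to(host, cookies) if target else []}
```

Only the domain-scoped cookie reaches the cloaked host in this data; a session cookie set host-only on www does not, which is why host-only session cookies limit the damage the article's experts describe.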

From self-advertising space to monetized advertising

Among the choices Boursorama makes regarding cookies, some can prove problematic. This is the case, for example, with the cookie wall, where the default acceptance options for 5 processing categories (storage of and access to information; personalisation; selection, delivery and measurement of advertising; selection, delivery and measurement of content; and statistics) are set to “On”. If the user manually clears these check boxes, the preference is not kept in history. Result: the user or client has to repeat the cookie-refusal procedure on every connection. What are the trackers in Boursorama’s customer area set up for? For now, to promote self-advertising, i.e. internal products and services, but it cannot be ruled out that these advertising spaces will be monetised in the future. “There are no third-party advertisements in the customer area; we are a pretty innovative company, and if that happened one day it would of course be subject to consent,” assures Aurore Gaspar.

“The CMP [consent management platform] provides for purposes, except that they are not clearly defined and do not meet the requirements of European regulations,” explains Florence Bonnet. “They provide that one can choose something other than consent, such as legitimate interest, which would allow Boursorama to opt out. This may be the reason why some have already configured the CMP to set cookies by default, even though it does not comply with the GDPR.” According to its privacy policy, Boursorama bases profiling for advertising purposes, and thus tracking, on legitimate interest, which it includes under commercial prospecting. “On this point the choice of legal basis can be debated, but the purposes are not precise enough,” admits Florence Bonnet.

A referral to the CNIL if the required consent has not been obtained in accordance with the GDPR

And the CNIL, for its part, states: “The deposit and reading of cookies imply, in principle, free, specific, informed and unambiguous consent, after the user has been informed of the purposes of the tracer and the means of refusing it. The only exceptions are currently those in Article 82 of the Data Protection Act. Article 15 of the “ePrivacy” Directive allows Member States to limit this obligation (that of Article 5(3) of the “ePrivacy” Directive) for certain purposes. Unambiguity implies in particular that acceptance of cookies may not be the default mode, nor result by default from inactivity or pre-checked boxes, etc. […] If consent is required and is not obtained in accordance with the legal provisions (prior, free, specific, informed and unambiguous), users can contact the CNIL.” It remains to be seen whether Boursorama will agree to change its cookie management so as not to face such a situation.