Ad blockers non grata, a third-party cookie disguised for covert tracking, cookies accepted by default, preferences not reliably recorded … The online banking site Boursorama has implemented cookie and consent management that is far from flawless, yet the company maintains that it complies with the recommendations of the CNIL.
In this still-unsettled legal context, websites are doing their best, or not, to apply the regulation while waiting for a clearer legal framework. In Boursorama's case, the efforts made on cookie management and consent seem far from bearing fruit, and the choices made by the online bank do indeed raise questions in this area. Start with the tracking of users' and customers' activity within their own customer area. To counter ad blockers that could “interfere with good navigation” and prevent “zero-risk consultation” of accounts, Boursorama has set up a custom subdomain registered as a CNAME record in the DNS: c0011.boursorama.com actually points to at-o.net, a domain belonging to AT Internet, which allows browser protections and ad blockers to be bypassed.
Using a CNAME managed by a third party, in this case AT Internet, can also pose a security risk. Indeed, a malicious actor at the service provider, or an employee targeted by social engineering, who has access to the technical logs and the required privilege level could retrieve session data and possibly log in in place of the user. “It’s a potential source of security breaches, and the contractual framework must in turn require a security commitment. Otherwise, Boursorama could be blamed for negligence in its use of partners,” said Florence Bonnet, Associate Director, Data, at the consulting firm TNP. “There is no such thing as zero risk, but here it is very theoretical; it would take a combination of factors to get there, and even then the malicious person could not do anything, because all sensitive operations are protected,” Aurore Gaspar, deputy general manager of Boursorama, told us.
Boursorama is far from an isolated case
“A CNAME enables the creation of subdomains and dummy URLs that slip past the built-in ad blockers, because marketing and advertising data are then identified as first-party rather than third-party data,” said a digital marketing expert who preferred to remain anonymous. “The goal is to disguise third-party cookies somewhat by presenting them as first-party cookies,” said Florence Bonnet. “This helps circumvent the measures browsers have taken against them.” For its part, Boursorama denies any intention to hide anything. “When customers arrive on the site, they are not tracked until they have given their consent, either by accepting the installation of cookies or by configuring them in the cookie management console,” said Aurore Gaspar.
But why go to such lengths to disguise a third-party cookie as a first-party one? “Chrome removes third-party cookies, but not first-party cookies. This allows Boursorama to track the person from the moment that person gives their consent,” continues the anonymous digital marketing expert. “Unfortunately, Boursorama is not an isolated case; it is still very common in France today.” And Florence Bonnet adds: “For us, Boursorama is a bad pupil. We see companies that clearly comply with the regulations. We cannot say that this is the case when tracked third-party cookies are insufficiently qualified and consent is therefore not valid. It is up to the person to come forward; it is an abusive practice, but in this case it is not only Boursorama.”
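The mechanism described above (a first-party-looking subdomain whose CNAME chain ends at a third-party tracking domain, which the browser then treats as first-party) can be checked from the defender's side by comparing registrable domains along the CNAME chain. The following is an added example, not code from the article or from Boursorama or AT Internet. Only the pair c0011.boursorama.com → at-o.net comes from the article; the other DNS records are constructed, and the public-suffix handling is a deliberate simplification (a real checker should use the Public Suffix List and live DNS lookups).

```python
"""Flag first-party-looking hostnames whose CNAME chain ends at a third-party domain.

Added example (not code from the article or from Boursorama / AT Internet).
Only c0011.boursorama.com -> at-o.net is taken from the article; the remaining
records are constructed for illustration.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed CNAME table: hostname -> CNAME target. A name absent from the
# table is treated as having no CNAME (i.e. it resolves directly to an address).
DNS_CNAMES: Dict[str, str] = {
    "c0011.boursorama.com": "at-o.net",               # from the article
    "www.boursorama.com": "edge.boursorama.com",      # constructed: first-party CNAME
    "static.boursorama.com": "cdn.example-cdn.net",   # constructed: off-site CDN
    "cdn.example-cdn.net": "lb3.example-cdn.net",     # constructed: two-hop chain
}

# Assumption: a tiny stand-in for the Public Suffix List, enough for the demo.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname, e.g. 'c0011.boursorama.com' -> 'boursorama.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def resolve_cname_chain(host: str, cnames: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAME records from host until a name with no CNAME, a loop, or the hop limit."""
    chain = [host]
    seen = {host}
    while chain[-1] in cnames and len(chain) <= max_hops:
        nxt = cnames[chain[-1]]
        if nxt in seen:  # CNAME loop: stop rather than spin
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def browser_sees_as_first_party(page_host: str, request_host: str) -> bool:
    """Browsers classify a request by the *requested* hostname's site, not by its CNAME target.

    This is why a cookie set via c0011.boursorama.com survives third-party cookie
    blocking: from the browser's point of view it is same-site with the page.
    """
    return registrable_domain(page_host) == registrable_domain(request_host)


def find_cloaked_hosts(site_domain: str, hosts: Iterable[str],
                       cnames: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (hostname, final_target) for names under site_domain whose CNAME chain leaves the site."""
    findings: List[Tuple[str, str]] = []
    for h in hosts:
        if registrable_domain(h) != site_domain:
            continue  # not a first-party-looking name; out of scope
        final = resolve_cname_chain(h, cnames)[-1]
        if registrable_domain(final) != site_domain:
            findings.append((h, final))
    return findings


if __name__ == "__main__":
    for host, target in find_cloaked_hosts("boursorama.com", DNS_CNAMES, DNS_CNAMES):
        print(f"{host} -> {target}  (third-party: {registrable_domain(target)})")
```

The two functions show the gap the article describes: `browser_sees_as_first_party` answers True for the cloaked hostname, while `find_cloaked_hosts` flags it, because the check follows the CNAME chain instead of trusting the hostname's suffix. In a real audit the constructed table would be replaced by actual DNS answers for every hostname the site's pages request.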
From self-promotion space to monetized advertising
Some of Boursorama's choices regarding cookies can prove troublesome. This is the case, for example, with the cookie wall, where the acceptance options for 5 processing categories (storage of and access to information; personalization; selection, delivery and measurement of advertising; selection, delivery and measurement of content; and statistics) are set to “On” by default. If the user manually unchecks these boxes, the preference is not recorded. Result: the user/customer has to repeat the cookie-refusal procedure at each login. What are the tracking devices in Boursorama's customer area used for? For now, to promote the bank's own products and services; but it cannot be ruled out that these advertising spaces will be monetized in the future. “There are no third-party advertisements in the customer area; we are a fairly innovative company, and if that were to happen one day it would of course be subject to consent,” Aurore Gaspar assures.
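The two defects described above, categories pre-checked to “On” and a refusal that is not remembered, map onto two concrete properties of a consent record: nothing is enabled until the user acts, and a refusal is stored as a dated decision just like an acceptance, so the banner is not shown again at the next login. The following is an added example, not code from the article or from Boursorama. The category names are the five from the article; the in-memory string standing in for a first-party consent cookie or server-side record is an assumption.

```python
"""Consent record that persists refusals so the user is not re-prompted at every login.

Added example, not code from the article or from Boursorama. Categories are the
five named in the article; the storage backend is assumed (an in-memory string
standing in for a first-party consent cookie or a server-side record).
"""
import json
import time
from typing import Dict, List, Optional

CATEGORIES: List[str] = [
    "storage_and_access",
    "personalization",
    "ad_selection_delivery_measurement",
    "content_selection_delivery_measurement",
    "statistics",
]


def default_choices() -> Dict[str, bool]:
    """Compliant default: nothing pre-checked; consent has to be an explicit act."""
    return {c: False for c in CATEGORIES}


def precheck_violations(banner_defaults: Dict[str, bool]) -> List[str]:
    """Return the categories a banner pre-checks (the article found all five set to 'On')."""
    return [c for c, on in banner_defaults.items() if on]


class ConsentStore:
    """Persists the user's decision, including a refusal, as a dated record."""

    def __init__(self) -> None:
        self._record: Optional[str] = None  # serialized JSON, as a cookie value would be

    def needs_prompt(self) -> bool:
        """Prompt only when no decision has been recorded at all; a refusal counts as a decision."""
        return self._record is None

    def record(self, choices: Dict[str, bool], now: Optional[float] = None) -> str:
        """Store the user's explicit choices; anything not chosen stays refused."""
        unknown = set(choices) - set(CATEGORIES)
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        full = default_choices()
        full.update(choices)
        self._record = json.dumps({"ts": now if now is not None else time.time(), "choices": full})
        return self._record

    def allowed(self, category: str) -> bool:
        """Fail closed: no record (or an unknown category) means no consent."""
        if self._record is None:
            return False
        return bool(json.loads(self._record)["choices"].get(category, False))


if __name__ == "__main__":
    store = ConsentStore()
    print("prompt needed:", store.needs_prompt())   # True: first visit
    store.record({})                                # user refuses everything
    print("prompt needed:", store.needs_prompt())   # False: refusal is remembered
    print("statistics allowed:", store.allowed("statistics"))
```

The design choice worth noting is that `record({})` is a valid, complete decision: a site that only stores acceptances has no way to tell “refused” from “never asked”, which is exactly the behaviour the article describes.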
A referral to the CNIL if required consent has not been obtained in accordance with the GDPR
And the CNIL, for its part, states: “The placing and reading of cookies require, in principle, free, specific, informed and unambiguous consent, given after the user has been informed of the purposes of the tracker and of the means of refusing it. The only exceptions currently in force are those of Article 82 of the Data Protection Act. Article 15 of the ‘ePrivacy’ Directive allows Member States to limit this obligation (that of Article 5(3) of the ‘ePrivacy’ Directive) for certain purposes. Unambiguity implies in particular that acceptance of cookies cannot be the default, nor result by default from inactivity, pre-checked boxes, etc. […] If consent is required and it has not been obtained in accordance with the legal provisions (prior, free, specific, informed and unambiguous), users can refer the matter to the CNIL.” It remains to be seen whether Boursorama will agree to change its cookie management so as not to face such a situation.