Unveiling the hidden practices of the web

Web pages can include many elements invisible to users, which collect their data. These elements are used by third parties to track users online behavior and influence their future choices. We periodically analyze the 1000 most used web sites in France in order to reveal these practices and follow their evolution.

Who is my browser talking with ?

To display a web page, a browser communicates with the remote server corresponding to the domain name indicated in the address bar. This address corresponds to the main domain, which the user wishes to view the content from. For example, cnil.fr corresponds to the main domain of the CNIL website. However, most of the data exchanges carried out by the browser when loading a page are made with other actors, third parties, in order to provide functionality to users or to collect their personal data (e.g. statistics, browsing data, instant messaging, etc.).

What are cookies used for?

Cookies are pieces of information stored in the browser and transmitted with each communication with the specific domain by which they have been dropped. This information can be used to uniquely identify web users when they browse the Web. When a communication is associated with one or more cookie(s), it is therefore possible to identify the terminal of an individual and to link together the different webpages accessed by this user from its terminal. Some techniques also allow to link together the different terminals (computer, tablet, smartphone) or browsers of the same web user to reconstitute a global history of his navigation.

These tracking mechanisms allow advertisers to collect navigation data from web users in order to build advertising profiles. For example, the keywords searched for by web users can allow a better understanding of their center of interest, and by extension infer the product they are more likely to purchase. They are then retained by these players to improve their targeted advertising algorithm.

Why does the CNIL monitor those behavior ?

The CNIL has repealed in 2019 its recommendation "relating to cookies and other tracking devices" and has published new guidelines to explain the applicable legal framework and how consent should be collected, when necessary. Following consultation with members of the digital advertising ecosystem and the civil society, on the one hand, and after a public consultation, on the other hand, the CNIL published on October 1, 2020, the result of its work on "cookies and other tracking devices". These guidelines and recommendations aim to support professionals in bringing the cookies (or similar technologies) they use on their sites or mobile applications into compliance with the applicable legal framework.

Methodology

For this study we analyzed the communications taking place between a "neutral" browser, which do not performe any filtering or blocking of communications with websites, and the different servers called during a first visit to the 1000 most used French sites

according to Alexa Study carried out on the basis of the Alexa results of January 20, 2021.

We are considering to refine these results for next studies other sources of data relating to site statistics.

, without interacting with the pages (i.e. without any click, scroll or mouse movement). We use the software CookieViz developed by the CNIL in 2013 and redesigned in 2019.

This analysis made on the 20th of January, 2021 does not prejudge the compliance or non-compliance of the concerned sites with the new recommendation relating to cookies and other tracking devices. It nevertheless allows us to better understand current practices and to qualify the predominance of actors using cookies on those websites.

Of these 1,000 most visited sites, 889 sites were sucessfully accessed during the analysis.

Results

A majority of sites drop third party cookies on the first visit.

This visualization represents the exchange of information through the reading and writing of cookies that took place during the first visit to a site:

the blue circles represent the main domains, i.e. the addresses that were actually visited by the user,
the orange circles are the third-party domains that the browser has communicated with during the visit,
the red links between these domains represent the reads and writes of cookies from the visited domain to a third-party domain.

You can zoom in on this representation and get the details of these readings and writings by moving your mouse over the areas and links.

This visualization represents the set of cookies having been read and deposited during the course of all the sites. The red zones formed around the domains indicate intense reading and writing of cookies to or from third parties.

You can get details on the visited domains from the following list or by clicking select one at random : .

You can also find details on third party domains that have set cookies during this visit on the following list or by clicking select one at random : .

Up to 79 third parties can access your browsing information when a web page loads.

Each cookie written or read by a third-party domain may be used to initiate a mechanism to identify your browser and track your navigation on the site you visit.

This histogram represents the number of third-party domains that have read and written cookies per site visited. It is divided into three distinct areas:

the orange zone includes 20% of the sites with the highest presence of third parties writing or reading cookies, between 7 and 79 third parties,
the violet zone includes the majority of sites (60%) with 1 to 6 third party domains reading and placing cookies,
the tail of the histogram represents the 175 sites (20%) which did not set any cookies from third-party sites during the first visit.

You can zoom on this representation and move your mouse over each of the sites to get details on how many third parties wrote and read cookies on the first visit.

Advertising agencies are the main users of cookies.

We have analyzed for each third party domain with a strong presence (more than 1% of the sites), the announced purpose of the cookies deposited from their privacy policy.

This map represents in proportion the coverage of these third parties among the sites visited, as well as their purpose displayed according to two zones:

the orange zone groups together all the sites that have declared an advertising purpose when placing these cookies,
the purple zone groups together all the sites that have declared a different purpose (statistics, AB testing, etc.) when depositing these cookies.

You can move your mouse over each of these areas to get more details about the cookies used and their stated purpose. Clicking on one of these areas will take you to the privacy policy in which these purposes were detailed.

This analysis makes it possible to better realize the extent of the advertising tracking to which the user is subjected. If cookies are used for multiple purposes, the purpose of advertising targeting is present for a large majority of cookies deposited.