>_ datagobes.dev
Privacy Audit #04
mediamarkt.nl
Score: 6 (ADEQUATE)

Privacy Audit — MediaMarkt Netherlands · 13 trackers · 31 cookies

TL;DR

Three Things to Know

Reject button actually works
Clicking "Opslaan" with toggles off results in zero trackers and only a consent-preference cookie — one of the cleanest reject implementations we've seen.
🔴
Pre-consent fingerprinting
Canvas, WebGL, WebRTC, and MediaDevices APIs are all called before any consent interaction — this constitutes device fingerprinting under ePrivacy Art. 5(3).
🤔
Consent revocation is broken
The footer cookie settings link reopens the banner, but after revoking consent, all 5 tracking cookies (_fbp, _pin_unauth, _pinterest_ct_ua, _ga, _ga_MWM6L6JJNR) remain in the browser.


Methodology

How We Scanned

Pipeline stages
🔍 Scout: banner detection
📡 Pre-Consent (before interaction): 9 cookies · 0 trackers · 52 requests · 7 domains
Post-Consent (after accept/reject): 31 cookies · 44 trackers · 120 requests · 29 domains

Scan configuration
Browser: Firefox (stealth mode)
Viewport: 1440×900
Locale: en-NL (EU)
Variants: ignore · accept · reject
Banner detection: vision-assisted hints
Classification: tracking fires → consent-mode pings → SDK loads

Privacy Audit #04 in the datagobes.dev series

Consent Delta

Before vs After Consent

How many cookies exist before you interact with the banner vs after clicking Accept.

Before Consent: 9 cookies (essential 3, unknown 6) · 0 trackers · 7 domains
Delta after Accept: +22 cookies, +44 trackers (3.4× increase)
After Accept: 31 cookies (essential 3, analytics 4, tracking 3, marketing 7, unknown 14) · 44 trackers · 29 domains
Audit Trail

What Happens Before You Click Anything

Network requests fired before any user interaction — these happen without consent.

Phase 1 — Page Load (no interaction)
t+0ms · Page load begins · mediamarkt.nl
t+297ms · CDN images loaded (mmst.eu) · cms-images.mmst.eu
t+676ms · Google Tag Manager loaded (4 containers) · www.googletagmanager.com
t+1.5s · Forter fraud detection script loaded · b81bc251e9ad.cdn4.forter.com
t+1.8s · Forter config fetched · cdn0.forter.com
t+2.3s · Forter beacon sent · 04fc92849e124abda50782ba4c6cc8d5-b81bc251e9ad.cdn.forter.com
t+2.3s · Canvas fingerprinting: toDataURL · mediamarkt.nl
t+2.3s · WebRTC: RTCPeerConnection enumerated · mediamarkt.nl
t+2.3s · WebGL2: debug renderer info queried · mediamarkt.nl
t+2.3s · MediaDevices: enumerateDevices called · mediamarkt.nl
t+3.0s · Forter event beacon · cdn3.forter.com
Audit Trail

What Happens After Accept

New requests triggered immediately after clicking Accept All.

Phase 2 — Post-Consent
t+92ms · SpeedCurve performance monitoring loaded · cdn.speedcurve.com
t+92ms · UserZoom UX research script loaded · cdn4.userzoom.com
t+95ms · Google Ads (googlesyndication) loaded · pagead2.googlesyndication.com
t+149ms · Pinterest Tag SDK loaded · s.pinimg.com
t+152ms · Meta Pixel (fbevents.js) loaded · connect.facebook.net
t+333ms · Pinterest Tag fired · ct.pinterest.com
t+359ms · Meta Pixel PageView fired · www.facebook.com
t+473ms · Google Ad Traffic Quality check · ep1.adtrafficquality.google
t+508ms · Google SafeFrame container loaded · safeframe.googlesyndication.com
t+1.0s · Google Analytics measurement sent · region1.analytics.google.com
t+1.1s · Criteo RTB bidding · b.fr3.eu.criteo.com
t+1.3s · Dotomi ad sync · login.dotomi.com
Consent Mechanism

Banner Blueprint

Custom (MediaMarktSaturn PWA Consent Layer)
Granular category toggles: three categories are offered (Noodzakelijk, required and locked; Comfortabel; Marketing), so users can make informed per-category choices.
No explicit "Reject all" button: users must understand that clicking "Opslaan" with toggles off equals rejection, which is not immediately obvious to average users.
Asymmetric button styling: "Alles accepteren" is a filled, prominent red button; "Opslaan" is an outlined, subdued button. The visual hierarchy steers toward acceptance.
GPC signal detected and read: the site reads the Global Privacy Control signal, a positive sign of respecting browser-level privacy preferences.
No TCF implementation: despite using Google Syndication for advertising, no IAB TCF consent framework is detected.
Consent revocation does not delete cookies: the footer link reopens the banner (2 clicks vs 1 for accept), but 5 tracking cookies persist after revocation.
UX Fairness

Fairness Scale

Whether the consent interface makes it equally easy to accept or reject tracking.

Scale: reject-biased · balanced · accept-biased
Accept path
Button styling: filled red, high contrast
Button label: "Alles accepteren", a clear action
Visual weight: ~2x prominence vs the save button
Reject path
Button styling: outlined, low contrast
Button label: "Opslaan", ambiguous (means Save)
Requires understanding: user must know toggles-off = reject
Verdict: moderate dark patterns; the accept path is visually favoured
Reject Scenario

What Happens When You Say No?

Trackers persisting: 0
Cookies persisting: 0
Verdict: reject honoured

Rejection fully honoured — zero trackers fired and only a consent-preference cookie (pwaconsent) was set after clicking "Opslaan" with all toggles off

Consent Variants

Ignore vs Accept vs Reject

Side-by-side comparison of what gets loaded depending on your consent choice.

Metric          No Interaction   Accept All   Reject All
Trackers        0                44           0
Cookies         9                31           10
3rd Parties     7                29           8
Rejection eliminates 100% of trackers and 95% of new cookies vs accepting — an exemplary reject implementation
Audit Trail

What Happens After Reject

Requests that still fire after explicitly clicking Reject — these shouldn't exist.

Phase 2 — Post-Reject
t+100ms · Consent preference cookie set (pwaconsent) · mediamarkt.nl
t+500ms · No trackers fired; rejection honoured · mediamarkt.nl
Tracking Systems

Who's Watching?

Google Syndication (Ads) · pagead2.googlesyndication.com, tpc.googlesyndication.com · Advertising · Gated (post-consent)
Meta Pixel · connect.facebook.net, www.facebook.com · Tracking · Gated (post-consent)
Pinterest Tag · ct.pinterest.com, s.pinimg.com · Tracking · Gated (post-consent)
Google Analytics · region1.analytics.google.com · Analytics · Gated (post-consent)
Criteo · b.fr3.eu.criteo.com · Advertising · Gated (post-consent)
Dotomi (Conversant) · login.dotomi.com, login-ds.dotomi.com, dclk-match.dotomi.com · Advertising · Gated (post-consent)
Google DoubleClick · cm.g.doubleclick.net, stats.g.doubleclick.net · Advertising · Gated (post-consent)
Contextweb (PulsePoint) · bh.contextweb.com · Advertising · Gated (post-consent)
ThisIsDAX (Audio Ads) · us-east.ads.audio.thisisdax.com · Advertising · Gated (post-consent)
Yahoo Analytics · ups.analytics.yahoo.com · Analytics · Gated (post-consent)
Lotame (Crowd Control) · sync.crwdcntrl.net, lotame-match.dotomi.com · Advertising · Gated (post-consent)
Smart AdServer · rtb-csync.smartadserver.com · Advertising · Gated (post-consent)
1RX (RhythmOne) · sync.1rx.io · Advertising · Gated (post-consent)
13 gated post-consent
Cookie Lifespan

Persistence Bars

Lifespan scale: 0 · 30d · 6mo · 1yr · 2yr

Marketing & Tracking (13 cookies)
dtm_token_sc · .mediamarkt.nl · 1.1yr
dtm_token · .mediamarkt.nl · 1.1yr
DotomiUser · .dotomi.com · 1.1yr
_pin_unauth · .mediamarkt.nl · 1.0yr
_pinterest_ct_ua · .ct.pinterest.com · 1.0yr
ar_debug · .pinterest.com · 1.0yr
pb_rtb_ev_part · .contextweb.com · 1.0yr
dax_listenerid · .thisisdax.com · 12mo
VP · .contextweb.com · 12mo
__eoi · .mediamarkt.nl · 6mo
_fbp · .mediamarkt.nl · 3mo
DotomiSync · .dotomi.com · 10d
DotomiSession_85063 · .dotomi.com · Session

Analytics (6 cookies)
_ga · .mediamarkt.nl · 1.1yr
_ga_MWM6L6JJNR · .mediamarkt.nl · 1.1yr
_fpid · .mediamarkt.nl · 1.1yr
FPAU · .mediamarkt.nl · 3mo
lux_uid · www.mediamarkt.nl · Session
FPGSID · .mediamarkt.nl · Session

Functional (2 cookies)
pwaconsent · .mediamarkt.nl · 1.0yr
tc_id · .mediamarkt.nl · 1.0yr

Essential (7 cookies)
forterToken · .mediamarkt.nl · 1.1yr
a · www.mediamarkt.nl · 14d
__cf_bm · .mediamarkt.nl · Session
_cfuvid · .mediamarkt.nl · Session
t_fpd · .mediamarkt.nl · Session
_msbps · .mediamarkt.nl · Session
r · www.mediamarkt.nl · Session

Unknown (3 cookies)
optid · .mediamarkt.nl · Session
ts_id · .mediamarkt.nl · Session
INGRESSCOOKIE · bh.contextweb.com · Session
Cookie Audit

Declared vs Observed Purpose

Whether cookies are used for the purpose the site claims in its consent banner.

Cookie             Declared                       Observed
_ga                Comfortabel                    analytics
_fbp               Not listed in cookie policy    tracking
_pin_unauth        Marketing                      tracking
forterToken        Not listed in cookie policy    essential
__cf_bm            Noodzakelijk                   essential
lux_uid            Comfortabel                    analytics
2 match
4 mismatch
Network Activity

Request Pulse

Volume of third-party network requests per domain, split by consent phase.

Request volume per domain (scale 0 · 31 · 61)
cms-images.mmst.eu · 61
pagead2.googlesyndication.com · 36
assets.mmsrg.com · 10
ct.pinterest.com · 9
b.fr3.eu.criteo.com · 8
www.googletagmanager.com · 5
cdn0.forter.com · 4
tpc.googlesyndication.com · 4
cdn4.userzoom.com · 3
ep2.adtrafficquality.google · 3
connect.facebook.net · 2
www.facebook.com · 2
login.dotomi.com · 2
s.pinimg.com · 2
Legend: Essential / CDN · Pre-consent · Post-consent
Data Transfers

Transfer Circuit

Where your data travels — each destination's jurisdiction and legal safeguards.

Origin: 🌐 mediamarkt.nl
🌍 US · pagead2.googlesyndication.com · 36 reqs
🌍 EU · cms-images.mmst.eu · 61 reqs
🌍 US · ct.pinterest.com · 9 reqs
🌍 EU · b.fr3.eu.criteo.com · 8 reqs
🌍 US · connect.facebook.net, www.facebook.com · 4 reqs
🌍 US · www.googletagmanager.com · 5 reqs
Safeguard legend: Adequate · DPF Certified · No Safeguards
Browser Storage

Beyond Cookies

All browser storage mechanisms used — cookies, localStorage, IndexedDB, and more.

Sites increasingly use storage APIs to avoid cookie regulations

localStorage

Pre-Consent (4): forterToken, ftr__gf, psc, pst
Post-Consent (1): __$intc
Browser Fingerprinting

API Interception Heatmap

Browser fingerprinting techniques detected — these work even without cookies.

Severity: HIGH
WebRTC.RTCPeerConnection · PRE · 1 call
Canvas.toDataURL · PRE · 1 call
WebGL2.getExtension(WEBGL_debug_renderer_info) · PRE · 2 calls
WebGL2.getParameter · PRE · 4 calls
MediaDevices.enumerateDevices · PRE · 1 call
Pre-consent APIs intercepted: 5
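The heatmap above is produced by intercepting the browser APIs before the page's own scripts run and tagging each call with the consent phase it happened in. The following monitor is an added example written for this page, not code from the datagobes.dev scanner or from MediaMarkt: it wraps the same five APIs, records PRE/POST per call, and reproduces the heatmap's counts from a constructed call sequence. Node has no DOM, so `makeFakeWindow()` is a constructed stand-in for `window`, and `hasConsent` is an assumed callback (in a real page it would read the `pwaconsent` cookie).

```javascript
// Added example (not from the audit or the site): wrap fingerprinting APIs and
// record whether consent existed at the moment of each call.

// [object path on the window, method name, label used in the report]
const WATCHED_METHODS = [
  ['HTMLCanvasElement.prototype', 'toDataURL', 'Canvas.toDataURL'],
  ['WebGL2RenderingContext.prototype', 'getExtension', 'WebGL2.getExtension'],
  ['WebGL2RenderingContext.prototype', 'getParameter', 'WebGL2.getParameter'],
  ['MediaDevices.prototype', 'enumerateDevices', 'MediaDevices.enumerateDevices'],
];

function resolvePath(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// hasConsent() is an assumed callback, e.g. one that reads the pwaconsent cookie.
function instrumentFingerprintApis(win, hasConsent) {
  const calls = [];
  const phase = () => (hasConsent() ? 'POST' : 'PRE');

  for (const [path, method, label] of WATCHED_METHODS) {
    const target = resolvePath(win, path);
    if (!target || typeof target[method] !== 'function') continue;
    const original = target[method];
    target[method] = function (...args) {
      // Keep a string first argument so WEBGL_debug_renderer_info lookups stand out.
      const arg = typeof args[0] === 'string' ? args[0] : undefined;
      calls.push({ api: label, phase: phase(), arg });
      return original.apply(this, args);
    };
  }

  // RTCPeerConnection is a constructor, so intercept `new` with a Proxy.
  if (typeof win.RTCPeerConnection === 'function') {
    win.RTCPeerConnection = new Proxy(win.RTCPeerConnection, {
      construct(target, args) {
        calls.push({ api: 'WebRTC.RTCPeerConnection', phase: phase() });
        return Reflect.construct(target, args);
      },
    });
  }

  return {
    calls,
    // Counts per "API PHASE" key, in the shape the heatmap slide uses.
    report() {
      const counts = {};
      for (const c of calls) {
        const api = c.arg === 'WEBGL_debug_renderer_info' ? `${c.api}(${c.arg})` : c.api;
        const key = `${api} ${c.phase}`;
        counts[key] = (counts[key] || 0) + 1;
      }
      return counts;
    },
    preConsentCount() {
      return calls.filter((c) => c.phase === 'PRE').length;
    },
  };
}

// Constructed stand-in for the browser globals; only the call pattern matters.
function makeFakeWindow() {
  class HTMLCanvasElement { toDataURL() { return 'data:image/png;base64,'; } }
  class WebGL2RenderingContext {
    getExtension(name) { return name === 'WEBGL_debug_renderer_info' ? { UNMASKED_RENDERER_WEBGL: 0x9246 } : null; }
    getParameter(p) { return p === 0x9246 ? 'Fake Renderer' : 0; }
  }
  class MediaDevices { enumerateDevices() { return Promise.resolve([]); } }
  class RTCPeerConnection { constructor() { this.iceGatheringState = 'new'; } }
  return { HTMLCanvasElement, WebGL2RenderingContext, MediaDevices, RTCPeerConnection };
}

// Replays the call pattern the audit observed at t+2.3s (constructed here), then
// one post-consent call to show the same API being reported differently.
function simulateObservedSequence() {
  const win = makeFakeWindow();
  let consented = false;
  const monitor = instrumentFingerprintApis(win, () => consented);

  new win.HTMLCanvasElement().toDataURL();
  new win.RTCPeerConnection();
  const gl = new win.WebGL2RenderingContext();
  gl.getExtension('WEBGL_debug_renderer_info');
  gl.getExtension('WEBGL_debug_renderer_info');
  for (let i = 0; i < 4; i++) gl.getParameter(0x9246);
  new win.MediaDevices().enumerateDevices();

  consented = true; // user clicks "Alles accepteren"
  new win.HTMLCanvasElement().toDataURL();
  return monitor;
}

console.log(simulateObservedSequence().report());
```

Installed as the first script on the page (before the tag-manager snippet), a monitor like this turns "was the device fingerprinted before the banner was answered?" into a reviewable log rather than a judgement call; it observes and reports, it does not block, so the remediation still has to be deferring the script that makes the calls.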
Art. 7(3) Compliance

Consent Withdrawal Test

How easy it is to withdraw consent after initially accepting.

Accept: 1 click → 31 cookies
Revoke (footer link): 2 clicks → 31 cookies
✗ 2 clicks to revoke vs 1 to accept
✗ Tracking cookies persisted after revocation
Cookies that survived revocation: _pinterest_ct_ua, _fbp, _pin_unauth, _ga, _ga_MWM6L6JJNR
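What a revoke handler has to do for withdrawal to "stop processing" is mechanical, and this is where the site's implementation falls short. The example below is added for this page; it is not the MediaMarkt consent layer's code. The cookie records are constructed from the Persistence Bars and Declared vs Observed slides, the `category` field is the banner category each cookie is assumed to belong to (the page does not list one for `pwaconsent` or `_fbp`), and the host `www.mediamarkt.nl` is assumed.

```javascript
// Added example (not the site's consent layer): plan the deletions a revoke
// handler must emit, and run the same "what survived?" check the audit ran.

// Constructed from the audit's cookie tables; category = assumed banner category.
const OBSERVED_COOKIES = [
  { name: 'pwaconsent',       domain: '.mediamarkt.nl',    path: '/', category: 'Noodzakelijk' }, // consent record itself
  { name: '__cf_bm',          domain: '.mediamarkt.nl',    path: '/', category: 'Noodzakelijk' },
  { name: '_ga',              domain: '.mediamarkt.nl',    path: '/', category: 'Comfortabel' },
  { name: '_ga_MWM6L6JJNR',   domain: '.mediamarkt.nl',    path: '/', category: 'Comfortabel' },
  { name: '_fbp',             domain: '.mediamarkt.nl',    path: '/', category: 'Marketing' },
  { name: '_pin_unauth',      domain: '.mediamarkt.nl',    path: '/', category: 'Marketing' },
  { name: '_pinterest_ct_ua', domain: '.ct.pinterest.com', path: '/', category: 'Marketing' },
];

// A first-party script can only expire cookies scoped to its own site.
function isFirstParty(cookieDomain, host) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith(`.${d}`);
}

// Deletion only takes effect when Domain and Path match the attributes the cookie
// was set with; a bare `name=; Max-Age=0` would miss the .mediamarkt.nl cookies.
function expiryCookieString(c) {
  return `${c.name}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Domain=${c.domain}; Path=${c.path}`;
}

function revokeConsent(jar, revokedCategories, host) {
  const revoked = new Set(revokedCategories);
  const plan = { expire: [], unreachable: [], remaining: [] };
  for (const c of jar) {
    if (!revoked.has(c.category)) { plan.remaining.push(c); continue; }
    if (isFirstParty(c.domain, host)) {
      plan.expire.push(expiryCookieString(c));
    } else {
      // Third-party cookie: cannot be deleted from mediamarkt.nl. The remedy is
      // to stop loading the vendor SDK so the cookie is no longer refreshed.
      plan.unreachable.push(c);
      plan.remaining.push(c);
    }
  }
  return plan;
}

// The check the audit runs after revocation: which revoked-category cookies still exist?
function survivingTrackingCookies(jar, revokedCategories) {
  const revoked = new Set(revokedCategories);
  return jar.filter((c) => revoked.has(c.category)).map((c) => c.name);
}

const REVOKED = ['Comfortabel', 'Marketing'];
const revocation = revokeConsent(OBSERVED_COOKIES, REVOKED, 'www.mediamarkt.nl');
// In a browser, each string in revocation.expire is applied with `document.cookie = s`.
console.log('as observed:', survivingTrackingCookies(OBSERVED_COOKIES, REVOKED));
console.log('after fix:  ', survivingTrackingCookies(revocation.remaining, REVOKED));
console.log(revocation.expire);
```

Run against the observed jar, the audit check returns the same five names the slide lists; after applying the plan only `_pinterest_ct_ua` remains, because it lives on `.ct.pinterest.com` and no first-party script can touch it. That split is the practical lesson: a revoke handler must expire what it can with matching `Domain`/`Path`, clear the vendor entries in `localStorage` the same way, and above all stop loading the SDKs that would set the cookies again on the next page view.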
Security Posture

Shield Rings

strict-transport-security: Active
x-frame-options: Active
content-security-policy: Missing
x-content-type-options: Missing
referrer-policy: Missing
permissions-policy: Missing
2 / 6 headers active
SRI Coverage: 0% (0/5 external scripts)
Legal Compliance

Document Shelf

Privacyverklaring Found
Cookieverklaring Found
Algemene voorwaarden Found
Juridische informatie Found
Persoonsgegevens Found
5 found
0 missing
Art. 13/14 Compliance

Privacy Policy Checklist

How well the privacy policy covers the 13 GDPR-required information items.

62% · 8/13 required elements
Controller identity: section "Wie is de verwerkingsverantwoordelijke voor het gebruik van mijn gegevens?"
DPO contact: privacy policy page lists sections, but DPO contact details are hidden behind expandable sections
Processing purposes: purposes listed are contact/service, myMediaMarkt, profiling, newsletters, statistics, abuse prevention
Legal basis per purpose: cookie policy cites Art. 6(1)(f) AVG; section "Waarom mogen we jouw gegevens verwerken?" exists
Legitimate interests: references Art. 6(1)(f), but specific interests are not clearly enumerated per purpose
Recipients: section "Wie hebben er toegang tot mijn gegevens en aan welke derden verstrekken jullie mijn gegevens?"
International transfers: section "Doorgifte naar derde landen" present in privacy policy
Retention periods: section "Hoe lang bewaren wij jouw gegevens?" present; cookie policy lists specific durations per cookie
Data subject rights: section "Welke rechten heb je in verband met het gebruik van jouw gegevens?"
Right to withdraw consent: cookie policy mentions deactivation via browser; no clear single-step withdrawal instruction
Right to complain: section "Hoe kan je een klacht indienen over het gebruik van jouw persoonsgegevens?"
Statutory/contractual requirement: no section addressing whether data provision is obligatory and the consequences of refusal
Automated decision-making: "Genereren van klantprofielen" mentioned, but no Art. 22 profiling details provided
8 present · 2 absent · 3 vague
Art. 15-22

Data Subject Rights Accessibility

How accessible GDPR rights are — data access, deletion, portability, and objection.

How many clicks to exercise each right?

Right of access (Art. 15): 2 clicks
Right to rectification (Art. 16): 2 clicks
Right to erasure (Art. 17): 2 clicks
Right to restriction (Art. 18): 2 clicks
Right to portability (Art. 20): 2 clicks
Right to object (Art. 21): 2 clicks
Scale: 1-2 clicks · 3-4 clicks · 5+ clicks
6 accessible · 0 not found
GDPR Compliance

Compliance Matrix

Art. 6(1)(a) · Consent basis: consent mechanism present with granular toggles, but asymmetric UI and no explicit reject undermine freely given consent
Art. 7(3) · Withdrawal of consent: revocation requires 2 clicks vs 1 for acceptance; tracking cookies persist after revocation, so withdrawal does not stop processing
ePrivacy 5(3) · Cookie consent: pre-consent fingerprinting (Canvas, WebGL, WebRTC, MediaDevices) constitutes access to terminal equipment without consent
Art. 13 · Transparency: comprehensive cookie policy; privacy policy covers most Art. 13 elements, but some sit behind expandable sections; missing Art. 22 profiling disclosure
Art. 25 · Data protection by design: reject scenario fully honoured; zero trackers fire after saving with toggles off, demonstrating privacy-by-default capability
Art. 44-49 · International transfers: most US transfers go to DPF-certified companies (Google, Meta, Pinterest); several transfers go to unknown-jurisdiction domains (Forter, UserZoom)
1 compliant · 2 violations · 3 partial
Risk Assessment

Privacy Risk Summary

Consent 6

Custom PWA consent layer with granular toggles and GPC support, but no explicit reject button, asymmetric styling, and broken revocation (cookies persist)

Pre-Consent 6

Zero tracker fires pre-consent (good), but aggressive fingerprinting via Canvas/WebGL/WebRTC/MediaDevices APIs before consent interaction

Legal 7.8

Full suite of legal documents with comprehensive cookie policy listing ~80 cookies. Privacy policy covers 9/13 Art. 13 elements; missing Art. 22 profiling disclosure

Cross-Border 6.9

Heavy US data flows (Google, Meta, Pinterest, Dotomi, Yahoo) — most DPF-certified. Some unknown-jurisdiction domains (Forter, UserZoom, DAX)

Security 3.1

Only HSTS and X-Frame-Options present (2/6). No CSP, no Referrer-Policy, no Permissions-Policy. Zero SRI coverage on 5 external scripts

Cookies 5.5

31 cookies after consent, several exceeding CNIL's 13-month guideline (forterToken, _ga, dtm_token at ~400 days). Cookie policy is detailed but some cookies undisclosed

Dark Patterns 5.5

Accept button has ~2x visual prominence (filled red vs outlined save). No explicit reject; user must understand "Opslaan" with toggles off = rejection

Overall
6
Action Items

Recommendations

1. Eliminate pre-consent fingerprinting. Canvas, WebGL, WebRTC, and MediaDevices APIs are called before consent. Defer Forter's fingerprinting script to post-consent or ensure it runs only after the user accepts the "Comfortabel" or "Marketing" toggles.
2. Fix consent revocation to delete tracking cookies. After revoking consent via the footer link, 5 tracking cookies (_fbp, _pin_unauth, _pinterest_ct_ua, _ga, _ga_MWM6L6JJNR) remain. Revocation must actually stop processing per GDPR Art. 7(3).
3. Add an explicit "Reject all" button. Replace "Opslaan" with a clearly labelled "Alles weigeren" button on the first consent layer, styled equally to "Alles accepteren". Currently users must understand that saving with defaults = rejecting.
4. Implement missing security headers. Add Content-Security-Policy, X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy. Add SRI attributes to all external scripts (currently 0% coverage).
5. Implement TCF for programmatic advertising. Google Syndication, Criteo, and other RTB partners are active, but no IAB TCF framework is deployed. TCF provides standardised consent signals required by most ad exchanges.
6. Disclose all cookies in the cookie policy. The scanner found cookies not listed in the cookie policy: _fbp (Meta Pixel), forterToken (Forter fraud detection). All cookies must be disclosed with their purpose and duration per Art. 13 GDPR.