Privacy Audit #04 — MediaMarkt Netherlands (mediamarkt.nl)

2026-03-09 · 6/10 overall

TL;DR

Reject button actually works

Clicking "Opslaan" with toggles off results in zero trackers and only a consent-preference cookie — one of the cleanest reject implementations we've seen.

🔴 Pre-consent fingerprinting

Canvas, WebGL, WebRTC, and MediaDevices APIs are all called before any consent interaction — this constitutes device fingerprinting under ePrivacy Art. 5(3).

🤔 Consent revocation is broken

The footer cookie settings link reopens the banner, but after revoking consent, all 5 tracking cookies (_fbp, _pin_unauth, _pinterest_ct_ua, _ga, _ga_MWM6L6JJNR) remain in the browser.

Score breakdown (overall 6 / 10)

Consent               6 / 10
Legal Pages           7.8 / 10
Cross-Border          6.9 / 10
Dark Patterns         5.5 / 10
Security Headers      3.1 / 10
Cookie Management     5.5 / 10
Pre-Consent Tracking  6 / 10


GDPR compliance

Article          Status
Art. 6(1)(a)     partial
Art. 7(3)        fail
ePrivacy 5(3)    fail
Art. 13          partial
Art. 25          pass
Art. 44-49       partial

Recommendations

[critical] Eliminate pre-consent fingerprinting

Canvas, WebGL, WebRTC, and MediaDevices APIs are called before consent. Defer Forter's fingerprinting script to post-consent or ensure it runs only after the user accepts the "Comfortabel" or "Marketing" toggles.

Basis: ePrivacy Art. 5(3) · EDPB Guidelines 2023 on tracking; AEPD treats fingerprinting as equivalent to cookie tracking

[critical] Fix consent revocation to delete tracking cookies

After revoking consent via the footer link, 5 tracking cookies (_fbp, _pin_unauth, _pinterest_ct_ua, _ga, _ga_MWM6L6JJNR) remain. Revocation must actually stop processing per GDPR Art. 7(3).

Basis: Art. 7(3) · CNIL: consent withdrawal must delete tracking cookies (multiple decisions 2022-24)
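The usual reason a revocation handler leaves exactly these cookies behind is cookie scoping: tags such as GA and the Meta Pixel set their cookies with Domain=.mediamarkt.nl, and an expiry written without the same Domain attribute targets a different (host-only) cookie. The following is an added example, not MediaMarkt's code; it assumes the page is served from www.mediamarkt.nl and uses a hypothetical consent cookie named consent_prefs, with a small in-memory cookie store standing in for the browser so it runs under Node.

```javascript
// Added example, not MediaMarkt's code. Models why revocation leaves cookies
// behind: a cookie set by a tag with Domain=.mediamarkt.nl is a different cookie
// from a host-only one, so expiring "_ga" without the matching Domain attribute
// leaves the tracking cookie in place.
const TRACKING_COOKIES = ["_fbp", "_pin_unauth", "_pinterest_ct_ua", "_ga", "_ga_MWM6L6JJNR"];
// Domain scopes a cookie on this host may carry: host-only (null), then each
// Domain value from the host down to the registrable domain (".nl" is skipped).
function domainScopes(hostname) {
  const parts = hostname.split(".");
  const scopes = [null];
  for (let i = 0; i < parts.length - 1; i++) scopes.push("." + parts.slice(i).join("."));
  return scopes;
}
// document.cookie strings that expire one name on every scope. Path=/ matters
// as well: a cookie set with another Path attribute is not matched either.
function expiryStrings(name, hostname) {
  return domainScopes(hostname).map((d) =>
    `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/` + (d ? `; Domain=${d}` : ""));
}
// Minimal stand-in for the browser cookie store so this runs under Node. Entries
// are [name, scope, value]; a dotted scope is a Domain cookie, a bare hostname
// is a host-only cookie (the cookies.txt convention).
function makeJar(entries) {
  return new Map(entries.map(([n, d, v]) => [`${n}|${d}`, v]));
}
// Apply one expiry string the way a browser does: only the cookie whose name
// and scope both match is removed; anything else is untouched.
function applyExpiry(jar, str, hostname) {
  const attrs = str.split("; ");
  const name = attrs[0].split("=")[0];
  const dom = attrs.find((a) => /^domain=/i.test(a));
  const scope = dom ? "." + dom.slice(7).replace(/^\./, "") : hostname;
  jar.delete(`${name}|${scope}`);
}
// Revocation handler. allScopes=false reproduces the failing pattern (expire by
// name only); true expires on every scope. Returns tracking cookies still set.
function revokeConsent(jar, hostname, allScopes) {
  for (const n of TRACKING_COOKIES) {
    const strs = expiryStrings(n, hostname);
    for (const s of allScopes ? strs : strs.slice(0, 1)) applyExpiry(jar, s, hostname);
  }
  return [...jar.keys()].filter((k) => TRACKING_COOKIES.includes(k.split("|")[0])).sort();
}
// Constructed sample store: the tags set Domain cookies; the hypothetical
// consent-preference cookie "consent_prefs" is host-only and must survive.
const sampleJar = () => makeJar([
  ["_ga", ".mediamarkt.nl", "GA1.1.x"], ["_ga_MWM6L6JJNR", ".mediamarkt.nl", "GS1.1.x"],
  ["_fbp", ".mediamarkt.nl", "fb.1.x"], ["_pin_unauth", ".mediamarkt.nl", "x"],
  ["_pinterest_ct_ua", ".mediamarkt.nl", "x"], ["consent_prefs", "www.mediamarkt.nl", "off"],
]);
```

Run revokeConsent(sampleJar(), "www.mediamarkt.nl", false) and all five tracking cookies are reported as still present, which is the audit's observed behaviour; with allScopes set to true the list is empty and the consent cookie survives.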

[high] Add an explicit "Reject all" button

Replace "Opslaan" with a clearly labelled "Alles weigeren" button on the first consent layer, styled equally to "Alles accepteren". Currently users must work out for themselves that saving with the default (off) toggles is the reject action.

Basis: EDPB Guidelines 03/2022 · CNIL fined Google EUR 150M and Facebook EUR 60M for no equally prominent reject option (Jan 2022)

[high] Implement missing security headers

Add Content-Security-Policy, X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy. Add Subresource Integrity (SRI) attributes to all external scripts (currently 0% coverage).

Basis: Art. 32

[medium] Implement TCF for programmatic advertising

Google Syndication, Criteo, and other RTB partners are active, but no IAB TCF framework is deployed. TCF provides the standardised consent signals required by most ad exchanges.

Basis: ePrivacy 5(3)

[medium] Disclose all cookies in cookie policy

Scanner found cookies not listed in the cookie policy: _fbp (Meta Pixel), forterToken (Forter fraud detection). All cookies must be disclosed with their purpose and duration per Art. 13 GDPR.

Basis: Art. 13(1)(e)