Abstract
Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.
A preliminary version of this paper is presented for discussion only, with no official proceedings at ConPro’21: https://www.ieee-security.org/TC/SPW2021/ConPro/.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
Standardization is used within the meaning of streamline at scale consent implementation.
- 2.
For the sake of uniformity, we call it “Consent Signal” in the rest of the paper.
References
Deceived by design: How tech companies use dark patterns to discourage us from exercising our rights to privacy (2018). https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design
Working Party: Opinion 1/2010 on the concepts of “controller” and “processor” WP 169 (2010). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
Advocate General Mengozzi: Opinion of Advocate General Mengozziin Jehovah’s witnesses, C-25/17, ECLI:EU:C:2018:57, paragraph 68 (2018)
Agencia Española de Protección de Datos (Spanish DPA): Guide on use of cookies (2021). https://www.aepd.es/sites/default/files/2021-01/guia-cookies-en.pdf
Article 29 Working Party: Opinion 2/2010 on online behavioural advertising (WP 171) (2010). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp171_en.pdf
Bielova, N., Santos, C.: Call for Feedback to the EDPB regarding Guidelines 07/2020 on the concepts of controller and processor in the IAB Europe Transparency and Consent Framework (2020). http://www-sop.inria.fr/members/Nataliia.Bielova/opinions/EDPB-contribution-controllers-processors.pdf
Commission Nationale de l’Informatique et des Libertés (CNIL): Shaping Choices in the Digital World (2019). https://linc.cnil.fr/sites/default/files/atoms/files/cnil_ip_report_06_shaping_choices_in_the_digital_world.pdf
Commission Nationale de l’Informatique et des Libertés (French DPA): French guidelines on cookies: Deliberation No 2020–091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read and write operations in a user’s terminal (in particular to “cookies and other tracers”) (2020). https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000042388179
Cookiebot: Cookie scanner - revealer of hidden tracking, September 2020. https://www.cookiebot.com/en/cookie-scanner/
Cookiepedia Official website. https://cookiepedia.co.uk/
CookiePro: Lesson 3: Scan Results and Categorizing Cookies, July 2020). https://community.cookiepro.com/s/article/UUID-309d4544-c927-fe00-da50-60ed7668c6b5
CookiePro: Scanning a Website, November 2020. https://community.cookiepro.com/s/article/UUID-621498be-7e5c-23af-3bfd-e772340b4933
CookiePro by OneTrust: CookiePro Free IAB TCF 2.0 CMP Builder (nd). https://www.cookiepro.com/iab-tcf-2-builder/
Court of Justice of the European Union: Case 582/14 - Patrick Breyer v Germany (2016). ECLI:EU:C:2016:779
Crownpeak: Vendor categories (nd). https://community.crownpeak.com/t5/Universal-Consent-Platform-UCP/Vendor-Categories/ta-p/665
Danish DPA (Datatilsynet): Guide on consent (2019). www.datatilsynet.dk/media/6562/samtykke.pdf
Data Protection Commission (Irish DPA): Guidance note on the use of cookies and other tracking technologies (2020). https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20note%20on%20cookies%20and%20other%20tracking%20technologies.pdf
Data Protection Commission (Irish DPA): Report by the DPC on the Use of Cookies and Other Tracking Technologies (2020). https://www.dataprotection.ie/en/news-media/press-releases/report-dpc-use-cookies-and-other-tracking-technologies
Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy ... now take some cookies: measuring the GDPR’s impact on web privacy. In: Network and Distributed Systems Security Symposium (2019)
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32009L0136. Accessed 31 Oct 2019
Europe, I: Transparency and consent string with global vendor & CMP list formats (final vol 2.0): About the transparency & consent string (TC String) (2020). https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md#about-the-transparency-consent-string-tc-string. Accessed 14 Jan 2021
European Court of Justice: Case 25/17 Jehovan todistajat, ECLI:EU:C:2018:551
European Court of Justice: Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, ECLI:EU:C:2019:629
European Court of Justice: Case C-210/16 Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388
European Data Protection Board: Guidelines 05/2020 on consent, Version 1.1 (2020). https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Accessed 4 May 2020
European Data Protection Board: Guidelines 07/2020 on the concepts of controller and processor in the GDPR Version 1.0 (2020). https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en
Evidon: Quantcast-related pages on Evidon Company Directory (2017). https://info.evidon.com/companies?q=Quantcast. Consulted 8 Jan 2021
Finck, M., Pallas, F.: They who must not be identified - distinguishing personal from non-personal data under the GDPR. Int. Data Priv. Law 10 (2020)
Fouad, I., Bielova, N., Legout, A., Sarafijanovic-Djukic, N.: Missed by filter lists: detecting unknown third-party trackers with invisible pixels. In: Proceedings on Privacy Enhancing Technologies (PoPETs) (2020). Published online 08 May 2020, https://doi.org/10.2478/popets-2020-0038
Fouad, I., Santos, C., Al Kassar, F., Bielova, N., Calzavara, S.: On compliance of cookie purposes with the purpose specification principle. In: 2020 International Workshop on Privacy Engineering, IWPE (2020). https://hal.inria.fr/hal-02567022
Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (general data protection regulation) (text with EEA relevance). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679
Gray, C.M., Kou, Y., Battles, B., Hoggatt, J., Toombs, A.L.: The dark (patterns) side of UX design. In: Proceedings of the CHI Conference Human Factors in Computing Systems, p. 534 (2018)
Gray, C.M., Santos, C., Bielova, N., Toth, M., Clifford, D.: Dark patterns and the legal requirements of consent banners: an interaction criticism perspective. In: ACM CHI 2021 (2020). https://arxiv.org/abs/2009.10194
Greek DPA (HDPA): Guidelines on Cookies and Trackers (2020). http://www.dpa.gr/APDPXPortlets/htdocs/documentSDisplay.jsp?docid=84,221,176,170,98,24,72,223
Hils, M., Woods, D.W., Böhme, R.: Measuring the emergence of consent management on the web. In: ACM Internet Measurement Conference (IMC 2020) (2020)
Hintze, M.: Data controllers, data processors, and the growing use of connected products in the enterprise: managing risks, understanding benefits, and complying with the GDPR. Cybersecurity (2018)
IAB Europe: Transparency and Consent String with Global Vendor and CMP List Formats (Final vol 2.0) (2019). https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IABTechLab-Consentstringandvendorlistformatsv2.md. Accessed 12 Feb 2021
IAB Europe: IAB Europe Transparency & Consent Framework Policies (2020). https://iabeurope.eu/wp-content/uploads/2020/11/TCF_v2-0_Policy_version_2020-11-18-3.2a.docx-1.pdf
IAB Europe: Vendor List TCF v2.0 (2020). https://iabeurope.eu/vendor-list-tcf-v2-0/
Information Commissioner’s Office: Data controllers and data processors: what the difference is and what the governance implications are (2018). https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/
Information Commissioner’s Office: Guidance on the use of cookies and similar technologies (2019). https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf
Jared Spool: Do users change their settings? (2011). https://archive.uie.com/brainsparks/2011/09/14/do-users-change-their-settings/
Johnson, E.J., Bellman, S., Lohse, G.L.: Defaults, framing and privacy: why opting in-opting out. Mark. Lett. 13, 5–15 (2002)
Johnson, E.J., Goldstein, D.G.: Do defaults save lives? Science 302, 1338–1339 (2003)
Machuletz, D., Böhme, R.: Multiple purposes, multiple problems: a user study of consent dialogs after GDPR. In: Proceedings on Privacy Enhancing Technologies (PoPETs), pp. 481–498 (2020)
Maier, G., Feldmann, A., Paxson, V., Allman, M.: On dominant characteristics of residential broadband internet traffic. In: Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement Conference, pp. 90–102 (2009)
Matte, C., Santos, C., Bielova, N.: Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers? In: Antunes, L., Naldi, M., Italiano, G.F., Rannenberg, K., Drogkaris, P. (eds.) APF 2020. LNCS, vol. 12121, pp. 163–185. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-55196-4_10. https://hal.inria.fr/hal-02566891
Matte, C., Bielova, N., Santos, C.: Do cookie banners respect my choice? Measuring legal compliance of banners from IAB Europe’s transparency and consent framework. In: IEEE Symposium on Security and Privacy (IEEE S&P 2020) (2020)
Mishra, V., Laperdrix, P., Vastel, A., Rudametkin, W., Rouvoy, R., Lopatka, M.: Don’t count me out: on the relevance of IP address in the tracking ecosystem. In: Huang, Y., King, I., Liu, T., van Steen, M. (eds.) WWW 2020: The Web Conference 2020, Taipei, Taiwan, 20–24 April 2020, pp. 808–815. ACM/IW3C2 (2020). https://doi.org/10.1145/3366423.3380161
Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. In: CHI (2020)
OneTrust PreferenceChoice: Consent management platform (CMP). https://www.preferencechoice.com/consent-management-platform/. Accessed 20 Jan 2021
Pawlata, H., Caki, G.: The impact of the transparency consent framework on current programmatic advertising practices. In: 4th International Conference on Computer-Human Interaction Research and Applications (2020)
Quantcast: Quantcast Choice (2020). https://www.quantcast.com/products/choice-consent-management-platform/
Quantcast: Quantcast Choice - User Guide (2020). https://help.quantcast.com/hc/en-us/articles/360052725133-Quantcast-Choice-User-Guide
Quantcast: Quantcast Choice Terms of Service (2020). https://www.quantcast.com/legal/quantcast-choice-terms-of-service/
Quantcast: Quantcast Measure and Q for Publishers Terms of Service (2020). https://www.quantcast.com/legal/measure-terms-service/
Quantcast: Quantcast Privacy Policy (2020). https://www.quantcast.com/privacy
Quantcast: Quantcast Choice - Universal Tag Implementation Guide (TCF v2) (2021). https://help.quantcast.com/hc/en-us/articles/360052746173-Quantcast-Choice-Universal-Tag-Implementation-Guide-TCF-v2-
Quantcast: Quantcast Measure (2021). https://www.quantcast.com/products/measure-audience-insights/
Santos, C., Bielova, N., Matte, C.: Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners. Technol. Regul. 91–135 (2020). https://doi.org/10.26116/techreg.2020.009
Signatu: Trackerdetect (nd). https://signatu.com/product/trackerdetect/
Thaler, R.H., Sunstein, C.R.: Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press (2008)
TrustArc: Cookie Consent Manager (nd). https://trustarc.com/cookie-consent-manager/
Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (Un)informed consent: studying GDPR consent notices in the field. In: Conference on Computer and Communications Security (2019)
Acknowledgements
We would like to thank Daniel Woods, Triin Siil, Johnny Ryan and anonymous reviewers of ConPro’21 and APF’21 for useful comments and feedback that has lead to this paper. This work has been partially supported by the ANR JCJC project PrivaWeb (ANR-18-CE39-0008) and by the Inria DATA4US Exploratory Action project.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Santos, C., Nouwens, M., Toth, M., Bielova, N., Roca, V. (2021). Consent Management Platforms Under the GDPR: Processors and/or Controllers?. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham. https://doi.org/10.1007/978-3-030-76663-4_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-76663-4_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-76662-7
Online ISBN: 978-3-030-76663-4
eBook Packages: Computer ScienceComputer Science (R0)