Skip to main content
SpringerLink
Log in
Book cover

Annual Privacy Forum

APF 2021: Privacy Technologies and Policy pp 47–69Cite as

Consent Management Platforms Under the GDPR: Processors and/or Controllers?

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12703))

Abstract

Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.

A preliminary version of this paper is presented for discussion only, with no official proceedings at ConPro’21: https://www.ieee-security.org/TC/SPW2021/ConPro/.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Standardization is used within the meaning of streamline at scale consent implementation.

  2. 2.

    For the sake of uniformity, we call it “Consent Signal” in the rest of the paper.

References

  1. Deceived by design: How tech companies use dark patterns to discourage us from exercising our rights to privacy (2018). https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design

  2. Working Party: Opinion 1/2010 on the concepts of “controller” and “processor” WP 169 (2010). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

  3. Advocate General Mengozzi: Opinion of Advocate General Mengozziin Jehovah’s witnesses, C-25/17, ECLI:EU:C:2018:57, paragraph 68 (2018)

    Google Scholar 

  4. Agencia Española de Protección de Datos (Spanish DPA): Guide on use of cookies (2021). https://www.aepd.es/sites/default/files/2021-01/guia-cookies-en.pdf

  5. Article 29 Working Party: Opinion 2/2010 on online behavioural advertising (WP 171) (2010). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp171_en.pdf

  6. Bielova, N., Santos, C.: Call for Feedback to the EDPB regarding Guidelines 07/2020 on the concepts of controller and processor in the IAB Europe Transparency and Consent Framework (2020). http://www-sop.inria.fr/members/Nataliia.Bielova/opinions/EDPB-contribution-controllers-processors.pdf

  7. Commission Nationale de l’Informatique et des Libertés (CNIL): Shaping Choices in the Digital World (2019). https://linc.cnil.fr/sites/default/files/atoms/files/cnil_ip_report_06_shaping_choices_in_the_digital_world.pdf

  8. Commission Nationale de l’Informatique et des Libertés (French DPA): French guidelines on cookies: Deliberation No 2020–091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read and write operations in a user’s terminal (in particular to “cookies and other tracers”) (2020). https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000042388179

  9. Cookiebot: Cookie scanner - revealer of hidden tracking, September 2020. https://www.cookiebot.com/en/cookie-scanner/

  10. Cookiepedia Official website. https://cookiepedia.co.uk/

  11. CookiePro: Lesson 3: Scan Results and Categorizing Cookies, July 2020). https://community.cookiepro.com/s/article/UUID-309d4544-c927-fe00-da50-60ed7668c6b5

  12. CookiePro: Scanning a Website, November 2020. https://community.cookiepro.com/s/article/UUID-621498be-7e5c-23af-3bfd-e772340b4933

  13. CookiePro by OneTrust: CookiePro Free IAB TCF 2.0 CMP Builder (nd). https://www.cookiepro.com/iab-tcf-2-builder/

  14. Court of Justice of the European Union: Case 582/14 - Patrick Breyer v Germany (2016). ECLI:EU:C:2016:779

    Google Scholar 

  15. Crownpeak: Vendor categories (nd). https://community.crownpeak.com/t5/Universal-Consent-Platform-UCP/Vendor-Categories/ta-p/665

  16. Danish DPA (Datatilsynet): Guide on consent (2019). www.datatilsynet.dk/media/6562/samtykke.pdf

  17. Data Protection Commission (Irish DPA): Guidance note on the use of cookies and other tracking technologies (2020). https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20note%20on%20cookies%20and%20other%20tracking%20technologies.pdf

  18. Data Protection Commission (Irish DPA): Report by the DPC on the Use of Cookies and Other Tracking Technologies (2020). https://www.dataprotection.ie/en/news-media/press-releases/report-dpc-use-cookies-and-other-tracking-technologies

  19. Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy ... now take some cookies: measuring the GDPR’s impact on web privacy. In: Network and Distributed Systems Security Symposium (2019)

    Google Scholar 

  20. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32009L0136. Accessed 31 Oct 2019

  21. Europe, I: Transparency and consent string with global vendor & CMP list formats (final vol 2.0): About the transparency & consent string (TC String) (2020). https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md#about-the-transparency-consent-string-tc-string. Accessed 14 Jan 2021

  22. European Court of Justice: Case 25/17 Jehovan todistajat, ECLI:EU:C:2018:551

    Google Scholar 

  23. European Court of Justice: Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, ECLI:EU:C:2019:629

    Google Scholar 

  24. European Court of Justice: Case C-210/16 Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388

    Google Scholar 

  25. European Data Protection Board: Guidelines 05/2020 on consent, Version 1.1 (2020). https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Accessed 4 May 2020

  26. European Data Protection Board: Guidelines 07/2020 on the concepts of controller and processor in the GDPR Version 1.0 (2020). https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en

  27. Evidon: Quantcast-related pages on Evidon Company Directory (2017). https://info.evidon.com/companies?q=Quantcast. Consulted 8 Jan 2021

  28. Finck, M., Pallas, F.: They who must not be identified - distinguishing personal from non-personal data under the GDPR. Int. Data Priv. Law 10 (2020)

    Google Scholar 

  29. Fouad, I., Bielova, N., Legout, A., Sarafijanovic-Djukic, N.: Missed by filter lists: detecting unknown third-party trackers with invisible pixels. In: Proceedings on Privacy Enhancing Technologies (PoPETs) (2020). Published online 08 May 2020, https://doi.org/10.2478/popets-2020-0038

  30. Fouad, I., Santos, C., Al Kassar, F., Bielova, N., Calzavara, S.: On compliance of cookie purposes with the purpose specification principle. In: 2020 International Workshop on Privacy Engineering, IWPE (2020). https://hal.inria.fr/hal-02567022

  31. Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (general data protection regulation) (text with EEA relevance). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679

  32. Gray, C.M., Kou, Y., Battles, B., Hoggatt, J., Toombs, A.L.: The dark (patterns) side of UX design. In: Proceedings of the CHI Conference Human Factors in Computing Systems, p. 534 (2018)

    Google Scholar 

  33. Gray, C.M., Santos, C., Bielova, N., Toth, M., Clifford, D.: Dark patterns and the legal requirements of consent banners: an interaction criticism perspective. In: ACM CHI 2021 (2020). https://arxiv.org/abs/2009.10194

  34. Greek DPA (HDPA): Guidelines on Cookies and Trackers (2020). http://www.dpa.gr/APDPXPortlets/htdocs/documentSDisplay.jsp?docid=84,221,176,170,98,24,72,223

  35. Hils, M., Woods, D.W., Böhme, R.: Measuring the emergence of consent management on the web. In: ACM Internet Measurement Conference (IMC 2020) (2020)

    Google Scholar 

  36. Hintze, M.: Data controllers, data processors, and the growing use of connected products in the enterprise: managing risks, understanding benefits, and complying with the GDPR. Cybersecurity (2018)

    Google Scholar 

  37. IAB Europe: Transparency and Consent String with Global Vendor and CMP List Formats (Final vol 2.0) (2019). https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IABTechLab-Consentstringandvendorlistformatsv2.md. Accessed 12 Feb 2021

  38. IAB Europe: IAB Europe Transparency & Consent Framework Policies (2020). https://iabeurope.eu/wp-content/uploads/2020/11/TCF_v2-0_Policy_version_2020-11-18-3.2a.docx-1.pdf

  39. IAB Europe: Vendor List TCF v2.0 (2020). https://iabeurope.eu/vendor-list-tcf-v2-0/

  40. Information Commissioner’s Office: Data controllers and data processors: what the difference is and what the governance implications are (2018). https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/

  41. Information Commissioner’s Office: Guidance on the use of cookies and similar technologies (2019). https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf

  42. Jared Spool: Do users change their settings? (2011). https://archive.uie.com/brainsparks/2011/09/14/do-users-change-their-settings/

  43. Johnson, E.J., Bellman, S., Lohse, G.L.: Defaults, framing and privacy: why opting in-opting out. Mark. Lett. 13, 5–15 (2002)

    Article  Google Scholar 

  44. Johnson, E.J., Goldstein, D.G.: Do defaults save lives? Science 302, 1338–1339 (2003)

    Article  Google Scholar 

  45. Machuletz, D., Böhme, R.: Multiple purposes, multiple problems: a user study of consent dialogs after GDPR. In: Proceedings on Privacy Enhancing Technologies (PoPETs), pp. 481–498 (2020)

    Google Scholar 

  46. Maier, G., Feldmann, A., Paxson, V., Allman, M.: On dominant characteristics of residential broadband internet traffic. In: Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement Conference, pp. 90–102 (2009)

    Google Scholar 

  47. Matte, C., Santos, C., Bielova, N.: Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers? In: Antunes, L., Naldi, M., Italiano, G.F., Rannenberg, K., Drogkaris, P. (eds.) APF 2020. LNCS, vol. 12121, pp. 163–185. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-55196-4_10. https://hal.inria.fr/hal-02566891

    Chapter  Google Scholar 

  48. Matte, C., Bielova, N., Santos, C.: Do cookie banners respect my choice? Measuring legal compliance of banners from IAB Europe’s transparency and consent framework. In: IEEE Symposium on Security and Privacy (IEEE S&P 2020) (2020)

    Google Scholar 

  49. Mishra, V., Laperdrix, P., Vastel, A., Rudametkin, W., Rouvoy, R., Lopatka, M.: Don’t count me out: on the relevance of IP address in the tracking ecosystem. In: Huang, Y., King, I., Liu, T., van Steen, M. (eds.) WWW 2020: The Web Conference 2020, Taipei, Taiwan, 20–24 April 2020, pp. 808–815. ACM/IW3C2 (2020). https://doi.org/10.1145/3366423.3380161

  50. Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. In: CHI (2020)

    Google Scholar 

  51. OneTrust PreferenceChoice: Consent management platform (CMP). https://www.preferencechoice.com/consent-management-platform/. Accessed 20 Jan 2021

  52. Pawlata, H., Caki, G.: The impact of the transparency consent framework on current programmatic advertising practices. In: 4th International Conference on Computer-Human Interaction Research and Applications (2020)

    Google Scholar 

  53. Quantcast: Quantcast Choice (2020). https://www.quantcast.com/products/choice-consent-management-platform/

  54. Quantcast: Quantcast Choice - User Guide (2020). https://help.quantcast.com/hc/en-us/articles/360052725133-Quantcast-Choice-User-Guide

  55. Quantcast: Quantcast Choice Terms of Service (2020). https://www.quantcast.com/legal/quantcast-choice-terms-of-service/

  56. Quantcast: Quantcast Measure and Q for Publishers Terms of Service (2020). https://www.quantcast.com/legal/measure-terms-service/

  57. Quantcast: Quantcast Privacy Policy (2020). https://www.quantcast.com/privacy

  58. Quantcast: Quantcast Choice - Universal Tag Implementation Guide (TCF v2) (2021). https://help.quantcast.com/hc/en-us/articles/360052746173-Quantcast-Choice-Universal-Tag-Implementation-Guide-TCF-v2-

  59. Quantcast: Quantcast Measure (2021). https://www.quantcast.com/products/measure-audience-insights/

  60. Santos, C., Bielova, N., Matte, C.: Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners. Technol. Regul. 91–135 (2020). https://doi.org/10.26116/techreg.2020.009

  61. Signatu: Trackerdetect (nd). https://signatu.com/product/trackerdetect/

  62. Thaler, R.H., Sunstein, C.R.: Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press (2008)

    Google Scholar 

  63. TrustArc: Cookie Consent Manager (nd). https://trustarc.com/cookie-consent-manager/

  64. Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (Un)informed consent: studying GDPR consent notices in the field. In: Conference on Computer and Communications Security (2019)

    Google Scholar 

Download references

Acknowledgements

We would like to thank Daniel Woods, Triin Siil, Johnny Ryan and anonymous reviewers of ConPro’21 and APF’21 for useful comments and feedback that has lead to this paper. This work has been partially supported by the ANR JCJC project PrivaWeb (ANR-18-CE39-0008) and by the Inria DATA4US Exploratory Action project.

Author information

Authors and Affiliations

  1. Inria, Paris, France

    Michael Toth, Nataliia Bielova & Vincent Roca

  2. Utrecht University, Utrecht, The Netherlands

    Cristiana Santos

  3. Aarhus University, Aarhus, Denmark

    Midas Nouwens

Authors
  1. Cristiana Santos
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Midas Nouwens
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Michael Toth
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Nataliia Bielova
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Vincent Roca
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Cristiana Santos .

Editor information

Editors and Affiliations

  1. University of Oslo, Oslo, Norway

    Nils Gruschka

  2. Department of Computer Science, University of Porto, Porto, Portugal

    Luís Filipe Coelho Antunes

  3. Goethe University Frankfurt, Frankfurt, Germany

    Kai Rannenberg

  4. ENISA, Athens, Greece

    Prokopios Drogkaris

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Santos, C., Nouwens, M., Toth, M., Bielova, N., Roca, V. (2021). Consent Management Platforms Under the GDPR: Processors and/or Controllers?. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham. https://doi.org/10.1007/978-3-030-76663-4_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-76663-4_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-76662-7

  • Online ISBN: 978-3-030-76663-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation