
Consent Management Platforms Under the GDPR: Processors and/or Controllers?

  • Conference paper

Abstract

Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF specifications characterize CMPs as data processors, CMPs’ factual activities often qualify them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs’ liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU, Quantcast and OneTrust, paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.

A preliminary version of this paper is presented for discussion only, with no official proceedings at ConPro’21: https://www.ieee-security.org/TC/SPW2021/ConPro/.


Notes

  1. Standardization is used here in the sense of streamlining consent implementation at scale.

  2. For the sake of uniformity, we call it “Consent Signal” in the rest of the paper.


Acknowledgements

We would like to thank Daniel Woods, Triin Siil, Johnny Ryan and anonymous reviewers of ConPro’21 and APF’21 for useful comments and feedback that have led to this paper. This work has been partially supported by the ANR JCJC project PrivaWeb (ANR-18-CE39-0008) and by the Inria DATA4US Exploratory Action project.

Author information

Authors and Affiliations

  1. Inria, Paris, France

    Michael Toth, Nataliia Bielova & Vincent Roca

  2. Utrecht University, Utrecht, The Netherlands

    Cristiana Santos

  3. Aarhus University, Aarhus, Denmark

    Midas Nouwens


Corresponding author

Correspondence to Cristiana Santos.

Editor information

Editors and Affiliations

  1. University of Oslo, Oslo, Norway

    Nils Gruschka

  2. Department of Computer Science, University of Porto, Porto, Portugal

    Luís Filipe Coelho Antunes

  3. Goethe University Frankfurt, Frankfurt, Germany

    Kai Rannenberg

  4. ENISA, Athens, Greece

    Prokopios Drogkaris

About this paper

Cite this paper

Santos, C., Nouwens, M., Toth, M., Bielova, N., Roca, V. (2021). Consent Management Platforms Under the GDPR: Processors and/or Controllers?. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham. https://doi.org/10.1007/978-3-030-76663-4_3
