Conference papers

Consent Management Platforms under the GDPR: processors and/or controllers?

Cristiana Santos 1 Midas Nouwens 2 Michael Toth 3 Nataliia Bielova 3 Vincent Roca 3
3 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract: Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB's TCF specifications characterize CMPs as data processors, CMPs' factual activities often qualify them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs' liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU, Quantcast and OneTrust, paired with a legal analysis. We conclude that CMPs process personal data, and we identify three scenarios wherein CMPs are controllers.

https://hal.inria.fr/hal-03169436
Contributor: Michael Toth
Submitted on: Monday, April 12, 2021 - 7:33:52 PM
Last modification on: Tuesday, May 3, 2022 - 3:02:45 PM
Long-term archiving on: Tuesday, July 13, 2021 - 7:15:45 PM

File

Sant-etal-21-APF.pdf
Files produced by the author(s)

Citation

Cristiana Santos, Midas Nouwens, Michael Toth, Nataliia Bielova, Vincent Roca. Consent Management Platforms under the GDPR: processors and/or controllers?. APF 2021 - 9th Annual Privacy Forum, Jun 2021, Oslo, Norway. pp.47-69, ⟨10.1007/978-3-030-76663-4_3⟩. ⟨hal-03169436⟩
