Skip to Main content Skip to Navigation
Preprints, Working Papers, ...

Consent Management Platforms under the GDPR: processors and/or controllers?

Cristiana Santos 1 Midas Nouwens 2 Michael Toth 3 Nataliia Bielova 3 Vincent Roca 3
3 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract : Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify three scenarios wherein CMPs are controllers.
Complete list of metadata

https://hal.inria.fr/hal-03169436
Contributor : Michael Toth <>
Submitted on : Monday, April 12, 2021 - 7:33:52 PM
Last modification on : Wednesday, April 14, 2021 - 3:23:17 AM

File

Sant-etal-21-APF.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-03169436, version 1

Collections

Citation

Cristiana Santos, Midas Nouwens, Michael Toth, Nataliia Bielova, Vincent Roca. Consent Management Platforms under the GDPR: processors and/or controllers?. 2021. ⟨hal-03169436⟩

Share

Metrics

Record views

79