Skip to Main content Skip to Navigation
Preprints, Working Papers, ...

Consent Management Platforms under the GDPR: processors and/or controllers?

Cristiana Santos 1 Midas Nouwens 2 Michael Toth 3 Nataliia Bielova 3 Vincent Roca 3
3 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract : Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify three scenarios wherein CMPs are controllers.
Complete list of metadata
Contributor : Michael Toth <>
Submitted on : Monday, April 12, 2021 - 7:33:52 PM
Last modification on : Wednesday, April 14, 2021 - 3:23:17 AM


Files produced by the author(s)


  • HAL Id : hal-03169436, version 1



Cristiana Santos, Midas Nouwens, Michael Toth, Nataliia Bielova, Vincent Roca. Consent Management Platforms under the GDPR: processors and/or controllers?. 2021. ⟨hal-03169436⟩



Record views