Consent Management Platforms Under the GDPR: Processors and/or Controllers? (original) (raw)

Abstract

Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.

A preliminary version of this paper is presented for discussion only, with no official proceedings at ConPro’21: https://www.ieee-security.org/TC/SPW2021/ConPro/.

Similar content being viewed by others

Notes

1. 1. Standardization is used within the meaning of streamline at scale consent implementation.
2. 1. For the sake of uniformity, we call it “Consent Signal” in the rest of the paper.

References

1. Deceived by design: How tech companies use dark patterns to discourage us from exercising our rights to privacy (2018). https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/deceived-by-design
2. Working Party: Opinion 1/2010 on the concepts of “controller” and “processor” WP 169 (2010). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
3. Advocate General Mengozzi: Opinion of Advocate General Mengozziin Jehovah’s witnesses, C-25/17, ECLI:EU:C:2018:57, paragraph 68 (2018)
   Google Scholar
4. Agencia Española de Protección de Datos (Spanish DPA): Guide on use of cookies (2021). https://www.aepd.es/sites/default/files/2021-01/guia-cookies-en.pdf
5. Article 29 Working Party: Opinion 2/2010 on online behavioural advertising (WP 171) (2010). https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp171_en.pdf
6. Bielova, N., Santos, C.: Call for Feedback to the EDPB regarding Guidelines 07/2020 on the concepts of controller and processor in the IAB Europe Transparency and Consent Framework (2020). http://www-sop.inria.fr/members/Nataliia.Bielova/opinions/EDPB-contribution-controllers-processors.pdf
7. Commission Nationale de l’Informatique et des Libertés (CNIL): Shaping Choices in the Digital World (2019). https://linc.cnil.fr/sites/default/files/atoms/files/cnil_ip_report_06_shaping_choices_in_the_digital_world.pdf
8. Commission Nationale de l’Informatique et des Libertés (French DPA): French guidelines on cookies: Deliberation No 2020–091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read and write operations in a user’s terminal (in particular to “cookies and other tracers”) (2020). https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000042388179
9. Cookiebot: Cookie scanner - revealer of hidden tracking, September 2020. https://www.cookiebot.com/en/cookie-scanner/
10. Cookiepedia Official website. https://cookiepedia.co.uk/
11. CookiePro: Lesson 3: Scan Results and Categorizing Cookies, July 2020). https://community.cookiepro.com/s/article/UUID-309d4544-c927-fe00-da50-60ed7668c6b5
12. CookiePro: Scanning a Website, November 2020. https://community.cookiepro.com/s/article/UUID-621498be-7e5c-23af-3bfd-e772340b4933
13. CookiePro by OneTrust: CookiePro Free IAB TCF 2.0 CMP Builder (nd). https://www.cookiepro.com/iab-tcf-2-builder/
14. Court of Justice of the European Union: Case 582/14 - Patrick Breyer v Germany (2016). ECLI:EU:C:2016:779
    Google Scholar
15. Crownpeak: Vendor categories (nd). https://community.crownpeak.com/t5/Universal-Consent-Platform-UCP/Vendor-Categories/ta-p/665
16. Danish DPA (Datatilsynet): Guide on consent (2019). www.datatilsynet.dk/media/6562/samtykke.pdf
17. Data Protection Commission (Irish DPA): Guidance note on the use of cookies and other tracking technologies (2020). https://www.dataprotection.ie/sites/default/files/uploads/2020-04/Guidance%20note%20on%20cookies%20and%20other%20tracking%20technologies.pdf
18. Data Protection Commission (Irish DPA): Report by the DPC on the Use of Cookies and Other Tracking Technologies (2020). https://www.dataprotection.ie/en/news-media/press-releases/report-dpc-use-cookies-and-other-tracking-technologies
19. Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy ... now take some cookies: measuring the GDPR’s impact on web privacy. In: Network and Distributed Systems Security Symposium (2019)
    Google Scholar
20. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32009L0136. Accessed 31 Oct 2019
21. Europe, I: Transparency and consent string with global vendor & CMP list formats (final vol 2.0): About the transparency & consent string (TC String) (2020). https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md#about-the-transparency-consent-string-tc-string. Accessed 14 Jan 2021
22. European Court of Justice: Case 25/17 Jehovan todistajat, ECLI:EU:C:2018:551
    Google Scholar
23. European Court of Justice: Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, ECLI:EU:C:2019:629
    Google Scholar
24. European Court of Justice: Case C-210/16 Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388
    Google Scholar
25. European Data Protection Board: Guidelines 05/2020 on consent, Version 1.1 (2020). https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Accessed 4 May 2020
26. European Data Protection Board: Guidelines 07/2020 on the concepts of controller and processor in the GDPR Version 1.0 (2020). https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en
27. Evidon: Quantcast-related pages on Evidon Company Directory (2017). https://info.evidon.com/companies?q=Quantcast. Consulted 8 Jan 2021
28. Finck, M., Pallas, F.: They who must not be identified - distinguishing personal from non-personal data under the GDPR. Int. Data Priv. Law 10 (2020)
    Google Scholar
29. Fouad, I., Bielova, N., Legout, A., Sarafijanovic-Djukic, N.: Missed by filter lists: detecting unknown third-party trackers with invisible pixels. In: Proceedings on Privacy Enhancing Technologies (PoPETs) (2020). Published online 08 May 2020, https://doi.org/10.2478/popets-2020-0038
30. Fouad, I., Santos, C., Al Kassar, F., Bielova, N., Calzavara, S.: On compliance of cookie purposes with the purpose specification principle. In: 2020 International Workshop on Privacy Engineering, IWPE (2020). https://hal.inria.fr/hal-02567022
31. Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (general data protection regulation) (text with EEA relevance). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679
32. Gray, C.M., Kou, Y., Battles, B., Hoggatt, J., Toombs, A.L.: The dark (patterns) side of UX design. In: Proceedings of the CHI Conference Human Factors in Computing Systems, p. 534 (2018)
    Google Scholar
33. Gray, C.M., Santos, C., Bielova, N., Toth, M., Clifford, D.: Dark patterns and the legal requirements of consent banners: an interaction criticism perspective. In: ACM CHI 2021 (2020). https://arxiv.org/abs/2009.10194
34. Greek DPA (HDPA): Guidelines on Cookies and Trackers (2020). http://www.dpa.gr/APDPXPortlets/htdocs/documentSDisplay.jsp?docid=84,221,176,170,98,24,72,223
35. Hils, M., Woods, D.W., Böhme, R.: Measuring the emergence of consent management on the web. In: ACM Internet Measurement Conference (IMC 2020) (2020)
    Google Scholar
36. Hintze, M.: Data controllers, data processors, and the growing use of connected products in the enterprise: managing risks, understanding benefits, and complying with the GDPR. Cybersecurity (2018)
    Google Scholar
37. IAB Europe: Transparency and Consent String with Global Vendor and CMP List Formats (Final vol 2.0) (2019). https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IABTechLab-Consentstringandvendorlistformatsv2.md. Accessed 12 Feb 2021
38. IAB Europe: IAB Europe Transparency & Consent Framework Policies (2020). https://iabeurope.eu/wp-content/uploads/2020/11/TCF_v2-0_Policy_version_2020-11-18-3.2a.docx-1.pdf
39. IAB Europe: Vendor List TCF v2.0 (2020). https://iabeurope.eu/vendor-list-tcf-v2-0/
40. Information Commissioner’s Office: Data controllers and data processors: what the difference is and what the governance implications are (2018). https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/
41. Information Commissioner’s Office: Guidance on the use of cookies and similar technologies (2019). https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf
42. Jared Spool: Do users change their settings? (2011). https://archive.uie.com/brainsparks/2011/09/14/do-users-change-their-settings/
43. Johnson, E.J., Bellman, S., Lohse, G.L.: Defaults, framing and privacy: why opting in-opting out. Mark. Lett. 13, 5–15 (2002)
    Article Google Scholar
44. Johnson, E.J., Goldstein, D.G.: Do defaults save lives? Science 302, 1338–1339 (2003)
    Article Google Scholar
45. Machuletz, D., Böhme, R.: Multiple purposes, multiple problems: a user study of consent dialogs after GDPR. In: Proceedings on Privacy Enhancing Technologies (PoPETs), pp. 481–498 (2020)
    Google Scholar
46. Maier, G., Feldmann, A., Paxson, V., Allman, M.: On dominant characteristics of residential broadband internet traffic. In: Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement Conference, pp. 90–102 (2009)
    Google Scholar
47. Matte, C., Santos, C., Bielova, N.: Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers? In: Antunes, L., Naldi, M., Italiano, G.F., Rannenberg, K., Drogkaris, P. (eds.) APF 2020. LNCS, vol. 12121, pp. 163–185. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-55196-4_10. https://hal.inria.fr/hal-02566891
    Chapter Google Scholar
48. Matte, C., Bielova, N., Santos, C.: Do cookie banners respect my choice? Measuring legal compliance of banners from IAB Europe’s transparency and consent framework. In: IEEE Symposium on Security and Privacy (IEEE S&P 2020) (2020)
    Google Scholar
49. Mishra, V., Laperdrix, P., Vastel, A., Rudametkin, W., Rouvoy, R., Lopatka, M.: Don’t count me out: on the relevance of IP address in the tracking ecosystem. In: Huang, Y., King, I., Liu, T., van Steen, M. (eds.) WWW 2020: The Web Conference 2020, Taipei, Taiwan, 20–24 April 2020, pp. 808–815. ACM/IW3C2 (2020). https://doi.org/10.1145/3366423.3380161
50. Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. In: CHI (2020)
    Google Scholar
51. OneTrust PreferenceChoice: Consent management platform (CMP). https://www.preferencechoice.com/consent-management-platform/. Accessed 20 Jan 2021
52. Pawlata, H., Caki, G.: The impact of the transparency consent framework on current programmatic advertising practices. In: 4th International Conference on Computer-Human Interaction Research and Applications (2020)
    Google Scholar
53. Quantcast: Quantcast Choice (2020). https://www.quantcast.com/products/choice-consent-management-platform/
54. Quantcast: Quantcast Choice - User Guide (2020). https://help.quantcast.com/hc/en-us/articles/360052725133-Quantcast-Choice-User-Guide
55. Quantcast: Quantcast Choice Terms of Service (2020). https://www.quantcast.com/legal/quantcast-choice-terms-of-service/
56. Quantcast: Quantcast Measure and Q for Publishers Terms of Service (2020). https://www.quantcast.com/legal/measure-terms-service/
57. Quantcast: Quantcast Privacy Policy (2020). https://www.quantcast.com/privacy
58. Quantcast: Quantcast Choice - Universal Tag Implementation Guide (TCF v2) (2021). https://help.quantcast.com/hc/en-us/articles/360052746173-Quantcast-Choice-Universal-Tag-Implementation-Guide-TCF-v2-
59. Quantcast: Quantcast Measure (2021). https://www.quantcast.com/products/measure-audience-insights/
60. Santos, C., Bielova, N., Matte, C.: Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners. Technol. Regul. 91–135 (2020). https://doi.org/10.26116/techreg.2020.009
61. Signatu: Trackerdetect (nd). https://signatu.com/product/trackerdetect/
62. Thaler, R.H., Sunstein, C.R.: Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press (2008)
    Google Scholar
63. TrustArc: Cookie Consent Manager (nd). https://trustarc.com/cookie-consent-manager/
64. Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (Un)informed consent: studying GDPR consent notices in the field. In: Conference on Computer and Communications Security (2019)
    Google Scholar

Download references

Acknowledgements

We would like to thank Daniel Woods, Triin Siil, Johnny Ryan and anonymous reviewers of ConPro’21 and APF’21 for useful comments and feedback that has lead to this paper. This work has been partially supported by the ANR JCJC project PrivaWeb (ANR-18-CE39-0008) and by the Inria DATA4US Exploratory Action project.

Author information

Authors and Affiliations

1. Inria, Paris, France
   Michael Toth, Nataliia Bielova & Vincent Roca
2. Utrecht University, Utrecht, The Netherlands
   Cristiana Santos
3. Aarhus University, Aarhus, Denmark
   Midas Nouwens

Authors

1. Cristiana Santos
   You can also search for this author inPubMed Google Scholar
2. Midas Nouwens
   You can also search for this author inPubMed Google Scholar
3. Michael Toth
   You can also search for this author inPubMed Google Scholar
4. Nataliia Bielova
   You can also search for this author inPubMed Google Scholar
5. Vincent Roca
   You can also search for this author inPubMed Google Scholar

Corresponding author

Correspondence toCristiana Santos .

Editor information

Editors and Affiliations

1. University of Oslo, Oslo, Norway
   Nils Gruschka
2. Department of Computer Science, University of Porto, Porto, Portugal
   Luís Filipe Coelho Antunes
3. Goethe University Frankfurt, Frankfurt, Germany
   Kai Rannenberg
4. ENISA, Athens, Greece
   Prokopios Drogkaris

Rights and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Santos, C., Nouwens, M., Toth, M., Bielova, N., Roca, V. (2021). Consent Management Platforms Under the GDPR: Processors and/or Controllers?. In: Gruschka, N., Antunes, L.F.C., Rannenberg, K., Drogkaris, P. (eds) Privacy Technologies and Policy. APF 2021. Lecture Notes in Computer Science(), vol 12703. Springer, Cham. https://doi.org/10.1007/978-3-030-76663-4\_3

Download citation

• .RIS
• .ENW
• .BIB
• DOI: https://doi.org/10.1007/978-3-030-76663-4\_3
• Published: 19 May 2021
• Publisher Name: Springer, Cham
• Print ISBN: 978-3-030-76662-7
• Online ISBN: 978-3-030-76663-4
• eBook Packages: Computer ScienceComputer Science (R0)

Publish with us