Consent Management Platforms under the GDPR: processors and/or controllers?
Cristiana Santos, Midas Nouwens, Michael Toth, Nataliia Bielova, Vincent Roca

TL;DR
This paper investigates the roles of Consent Management Providers under GDPR, revealing that they often act as data controllers rather than processors, which impacts their legal obligations.
Contribution
It combines empirical experiments with legal analysis to clarify the actual roles of CMPs in GDPR compliance, challenging existing specifications.
Findings
CMPs process personal data
Multiple scenarios where CMPs are controllers
Legal and empirical analysis of CMP roles
Abstract
Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB's TCF specifications characterize CMPs as data processors, CMPs' factual activities often qualify them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs' liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU, Quantcast and OneTrust, paired with a legal analysis. We conclude…
