Consent Management Platforms under the GDPR: processors and/or controllers?

  title={Consent Management Platforms under the GDPR: processors and/or controllers?},
  author={Cristiana Santos and Midas Nouwens and Michal T{\'o}th and Nataliia Bielova and V. Roca},
Consent Management Providers (CMPs) provide consent popups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF… Expand
1 Citations

Figures from this paper

Demystifying the Draft EU Artificial Intelligence Act — Analysing the good, the bad, and the unclear elements of the proposed approach
An overview of the draft AI Act is presented and its implications are analyzed, drawing on scholarship ranging from the study of contemporary AI practices to the structure of EU product safety regimes over the last four decades. Expand


Purposes in IAB Europe's TCF: Which Legal Basis and How Are They Used by Advertisers?
The purposes defined in IAB Europe's Transparency and Consent Framework (TCF) and their usage by advertisers are studied and it is suggested that several of them might not be specific or explicit enough to be compliant under the GDPR. Expand
The Impact of the Transparency Consent Framework on Current Programmatic Advertising Practices
The impact of the new framework from a programmatic advertising campaign perspective is reflected from a practitioner point of view and implications of missing user consent in five typical techniques which are applied in programmatic campaigns are addressed. Expand
Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence
This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance. Expand
(Un)informed Consent: Studying GDPR Consent Notices in the Field
This work identifies common properties of the graphical user interface of consent notices and conducts three experiments with more than 80,000 unique users on a German website to investigate the influence of notice position, type of choice, and content framing on consent. Expand
Do Cookie Banners Respect my Choice? : Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework
This work analyzes the GDPR and the ePrivacy Directive to identify potential legal violations in implementations of cookie banners based on the storage of consent and detects such suspected violations by crawling 1 426 websites that contains TCF banners. Expand
On Compliance of Cookie Purposes with the Purpose Specification Principle
It is found out that purposes declared in cookie policies do not comply with the purpose specification principle in 95% of cases in the authors' automatized audit. Expand
We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy
It is concluded that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet. Expand
They Who Must Not Be Identified - Distinguishing Personal from Non-Personal Data Under the GDPR
In this article, we examine the concept of non-personal data from a law and computer science perspective. The delineation between personal data and non-personal data is of paramount importance toExpand
Multiple Purposes, Multiple Problems: A User Study of Consent Dialogs after GDPR
The results show that participants who see a default button accept cookies for more purposes than the control group, while being less able to correctly recall their choice, and regret it more often and perceive the consent dialog as more deceptive than thecontrol group. Expand
Data Controllers, Data Processors, and the Growing Use of Connected Products in the Enterprise: Managing Risks, Understanding Benefits, and Complying with the GDPR
Modern enterprises increasingly purchase and deploy products and services from third parties that collect data as part of providing the services. In this context, there is a common belief that theExpand