Consent Management Platforms under the GDPR: processors and/or controllers?

@inproceedings{Santos2021ConsentMP,
  title={Consent Management Platforms under the GDPR: processors and/or controllers?},
  author={Cristiana Santos and Midas Nouwens and Michal T{\'o}th and Nataliia Bielova and Vincent Roca},
  booktitle={APF},
  year={2021}
}
Consent Management Providers (CMPs) provide consent popups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF… 
Drivers and Obstacles for the Adoption of Consent Management Solutions by Ad-Tech Providers
P. Pesch. Business. 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2021.
TLDR
This paper reveals drivers and obstacles for the adoption of the Transparency & Consent Framework (TCF) by ad-tech-vendors, gained in semi-structured interviews with representatives of Global Vendors List (GVL) members.
Limits of Individual Consent and Models of Distributed Consent in Online Social Networks
TLDR
This work introduces both a platform-specific model of “distributed consent” and a cross-platform model of a “consent passport” and finds that low adoption would allow macroscopic subsets of networks to preserve their connectivity and privacy.
Demystifying the Draft EU Artificial Intelligence Act — Analysing the good, the bad, and the unclear elements of the proposed approach
TLDR
An overview of the Act and its implications is presented, drawing on scholarship ranging from the study of contemporary AI practices to the structure of EU product safety regimes over the last four decades, finding that some provisions of the Draft AI Act have surprising legal implications.
Tracking on the Web, Mobile and the Internet-of-Things
R. Binns. Computer Science. Foundations and Trends® in Web Science, 2022.
TLDR
This paper aims to introduce tracking on the web, smartphones, and the Internet of Things, to an audience with little or no previous knowledge, and aims to provide an overarching narrative spanning this large research space.
Automated detection of dark patterns in cookie banners: how to do it poorly and why it is hard to do it any other way
TLDR
An in-depth analysis of the interdisciplinary challenges that automated dark pattern detection poses to artificial intelligence is provided and the accuracy of the trained model is promising, but allows a lot of room for improvement.
On dark patterns and manipulation of website publishers by CMPs
TLDR
The importance of CMPs and design space offered to website publishers is demonstrated, and concerns around the privileged position of CMPs and their strategies influencing website publishers are raised.

References

Measuring the Emergence of Consent Management on the Web
TLDR
It is estimated that CMP adoption doubled from June 2018 to June 2019 and then doubled again until June 2020 and a long tail exists, showing how privacy aware users incur a significant time cost.
Purposes in IAB Europe's TCF: Which Legal Basis and How Are They Used by Advertisers?
TLDR
The purposes defined in IAB Europe's Transparency and Consent Framework (TCF) and their usage by advertisers are studied and it is suggested that several of them might not be specific or explicit enough to be compliant under the GDPR.
The Impact of the Transparency Consent Framework on Current Programmatic Advertising Practices
TLDR
The impact of the new framework from a programmatic advertising campaign perspective is reflected from a practitioner point of view and implications of missing user consent in five typical techniques which are applied in programmatic campaigns are addressed.
Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence
TLDR
This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.
(Un)informed Consent: Studying GDPR Consent Notices in the Field
TLDR
This work identifies common properties of the graphical user interface of consent notices and conducts three experiments with more than 80,000 unique users on a German website to investigate the influence of notice position, type of choice, and content framing on consent.
Do Cookie Banners Respect my Choice? : Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework
TLDR
This work analyzes the GDPR and the ePrivacy Directive to identify potential legal violations in implementations of cookie banners based on the storage of consent and detects such suspected violations by crawling 1 426 websites that contain TCF banners.
On Compliance of Cookie Purposes with the Purpose Specification Principle
TLDR
It is found that purposes declared in cookie policies do not comply with the purpose specification principle in 95% of cases in the authors' automatized audit.
Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners
TLDR
This work describes how banners are supposed to be implemented to be fully compliant with the ePrivacy Directive and the GDPR and defines 22 operational and fine-grained requirements on cookie banner design that are legally compliant.
We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy
TLDR
It is concluded that the GDPR is making the web more transparent, but there is still a lack of both functional and usable mechanisms for users to consent to or deny processing of their personal data on the Internet.
They Who Must Not Be Identified - Distinguishing Personal from Non-Personal Data Under the GDPR
TLDR
It is concluded that there always remains a residual risk when anonymisation is used and the concluding section links this conclusion more generally to the notion of risk in the GDPR.