Consent Management Platforms Under the GDPR: Processors and/or Controllers?

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12703)


Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB’s TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.


Consent management providers IAB Europe TCF Data controllers GDPR Consent 



We would like to thank Daniel Woods, Triin Siil, Johnny Ryan and anonymous reviewers of ConPro’21 and APF’21 for useful comments and feedback that has lead to this paper. This work has been partially supported by the ANR JCJC project PrivaWeb (ANR-18-CE39-0008) and by the Inria DATA4US Exploratory Action project.


  1. 1.
    Deceived by design: How tech companies use dark patterns to discourage us from exercising our rights to privacy (2018).
  2. 2.
    Working Party: Opinion 1/2010 on the concepts of “controller” and “processor” WP 169 (2010).
  3. 3.
    Advocate General Mengozzi: Opinion of Advocate General Mengozziin Jehovah’s witnesses, C-25/17, ECLI:EU:C:2018:57, paragraph 68 (2018)Google Scholar
  4. 4.
    Agencia Española de Protección de Datos (Spanish DPA): Guide on use of cookies (2021).
  5. 5.
    Article 29 Working Party: Opinion 2/2010 on online behavioural advertising (WP 171) (2010).
  6. 6.
    Bielova, N., Santos, C.: Call for Feedback to the EDPB regarding Guidelines 07/2020 on the concepts of controller and processor in the IAB Europe Transparency and Consent Framework (2020).
  7. 7.
    Commission Nationale de l’Informatique et des Libertés (CNIL): Shaping Choices in the Digital World (2019).
  8. 8.
    Commission Nationale de l’Informatique et des Libertés (French DPA): French guidelines on cookies: Deliberation No 2020–091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read and write operations in a user’s terminal (in particular to “cookies and other tracers”) (2020).
  9. 9.
    Cookiebot: Cookie scanner - revealer of hidden tracking, September 2020.
  10. 10.
    Cookiepedia Official website.
  11. 11.
    CookiePro: Lesson 3: Scan Results and Categorizing Cookies, July 2020).
  12. 12.
  13. 13.
    CookiePro by OneTrust: CookiePro Free IAB TCF 2.0 CMP Builder (nd).
  14. 14.
    Court of Justice of the European Union: Case 582/14 - Patrick Breyer v Germany (2016). ECLI:EU:C:2016:779Google Scholar
  15. 15.
  16. 16.
    Danish DPA (Datatilsynet): Guide on consent (2019).
  17. 17.
    Data Protection Commission (Irish DPA): Guidance note on the use of cookies and other tracking technologies (2020).
  18. 18.
    Data Protection Commission (Irish DPA): Report by the DPC on the Use of Cookies and Other Tracking Technologies (2020).
  19. 19.
    Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy ... now take some cookies: measuring the GDPR’s impact on web privacy. In: Network and Distributed Systems Security Symposium (2019)Google Scholar
  20. 20.
    Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009. Accessed 31 Oct 2019
  21. 21.
    Europe, I: Transparency and consent string with global vendor & CMP list formats (final vol 2.0): About the transparency & consent string (TC String) (2020). Accessed 14 Jan 2021
  22. 22.
    European Court of Justice: Case 25/17 Jehovan todistajat, ECLI:EU:C:2018:551Google Scholar
  23. 23.
    European Court of Justice: Case C-40/17 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV, ECLI:EU:C:2019:629Google Scholar
  24. 24.
    European Court of Justice: Case C-210/16 Wirtschaftsakademie Schleswig-Holstein, ECLI:EU:C:2018:388Google Scholar
  25. 25.
    European Data Protection Board: Guidelines 05/2020 on consent, Version 1.1 (2020). Accessed 4 May 2020
  26. 26.
    European Data Protection Board: Guidelines 07/2020 on the concepts of controller and processor in the GDPR Version 1.0 (2020).
  27. 27.
    Evidon: Quantcast-related pages on Evidon Company Directory (2017). Consulted 8 Jan 2021
  28. 28.
    Finck, M., Pallas, F.: They who must not be identified - distinguishing personal from non-personal data under the GDPR. Int. Data Priv. Law 10 (2020)Google Scholar
  29. 29.
    Fouad, I., Bielova, N., Legout, A., Sarafijanovic-Djukic, N.: Missed by filter lists: detecting unknown third-party trackers with invisible pixels. In: Proceedings on Privacy Enhancing Technologies (PoPETs) (2020). Published online 08 May 2020,
  30. 30.
    Fouad, I., Santos, C., Al Kassar, F., Bielova, N., Calzavara, S.: On compliance of cookie purposes with the purpose specification principle. In: 2020 International Workshop on Privacy Engineering, IWPE (2020).
  31. 31.
    Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (general data protection regulation) (text with EEA relevance).
  32. 32.
    Gray, C.M., Kou, Y., Battles, B., Hoggatt, J., Toombs, A.L.: The dark (patterns) side of UX design. In: Proceedings of the CHI Conference Human Factors in Computing Systems, p. 534 (2018)Google Scholar
  33. 33.
    Gray, C.M., Santos, C., Bielova, N., Toth, M., Clifford, D.: Dark patterns and the legal requirements of consent banners: an interaction criticism perspective. In: ACM CHI 2021 (2020).
  34. 34.
  35. 35.
    Hils, M., Woods, D.W., Böhme, R.: Measuring the emergence of consent management on the web. In: ACM Internet Measurement Conference (IMC 2020) (2020)Google Scholar
  36. 36.
    Hintze, M.: Data controllers, data processors, and the growing use of connected products in the enterprise: managing risks, understanding benefits, and complying with the GDPR. Cybersecurity (2018)Google Scholar
  37. 37.
    IAB Europe: Transparency and Consent String with Global Vendor and CMP List Formats (Final vol 2.0) (2019). Accessed 12 Feb 2021
  38. 38.
    IAB Europe: IAB Europe Transparency & Consent Framework Policies (2020).
  39. 39.
    IAB Europe: Vendor List TCF v2.0 (2020).
  40. 40.
    Information Commissioner’s Office: Data controllers and data processors: what the difference is and what the governance implications are (2018).
  41. 41.
    Information Commissioner’s Office: Guidance on the use of cookies and similar technologies (2019).
  42. 42.
    Jared Spool: Do users change their settings? (2011).
  43. 43.
    Johnson, E.J., Bellman, S., Lohse, G.L.: Defaults, framing and privacy: why opting in-opting out. Mark. Lett. 13, 5–15 (2002)CrossRefGoogle Scholar
  44. 44.
    Johnson, E.J., Goldstein, D.G.: Do defaults save lives? Science 302, 1338–1339 (2003)CrossRefGoogle Scholar
  45. 45.
    Machuletz, D., Böhme, R.: Multiple purposes, multiple problems: a user study of consent dialogs after GDPR. In: Proceedings on Privacy Enhancing Technologies (PoPETs), pp. 481–498 (2020)Google Scholar
  46. 46.
    Maier, G., Feldmann, A., Paxson, V., Allman, M.: On dominant characteristics of residential broadband internet traffic. In: Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement Conference, pp. 90–102 (2009)Google Scholar
  47. 47.
    Matte, C., Santos, C., Bielova, N.: Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers? In: Antunes, L., Naldi, M., Italiano, G.F., Rannenberg, K., Drogkaris, P. (eds.) APF 2020. LNCS, vol. 12121, pp. 163–185. Springer, Cham (2020). Scholar
  48. 48.
    Matte, C., Bielova, N., Santos, C.: Do cookie banners respect my choice? Measuring legal compliance of banners from IAB Europe’s transparency and consent framework. In: IEEE Symposium on Security and Privacy (IEEE S&P 2020) (2020)Google Scholar
  49. 49.
    Mishra, V., Laperdrix, P., Vastel, A., Rudametkin, W., Rouvoy, R., Lopatka, M.: Don’t count me out: on the relevance of IP address in the tracking ecosystem. In: Huang, Y., King, I., Liu, T., van Steen, M. (eds.) WWW 2020: The Web Conference 2020, Taipei, Taiwan, 20–24 April 2020, pp. 808–815. ACM/IW3C2 (2020).
  50. 50.
    Nouwens, M., Liccardi, I., Veale, M., Karger, D., Kagal, L.: Dark patterns after the GDPR: scraping consent pop-ups and demonstrating their influence. In: CHI (2020)Google Scholar
  51. 51.
    OneTrust PreferenceChoice: Consent management platform (CMP). Accessed 20 Jan 2021
  52. 52.
    Pawlata, H., Caki, G.: The impact of the transparency consent framework on current programmatic advertising practices. In: 4th International Conference on Computer-Human Interaction Research and Applications (2020)Google Scholar
  53. 53.
  54. 54.
  55. 55.
    Quantcast: Quantcast Choice Terms of Service (2020).
  56. 56.
    Quantcast: Quantcast Measure and Q for Publishers Terms of Service (2020).
  57. 57.
    Quantcast: Quantcast Privacy Policy (2020).
  58. 58.
    Quantcast: Quantcast Choice - Universal Tag Implementation Guide (TCF v2) (2021).
  59. 59.
  60. 60.
    Santos, C., Bielova, N., Matte, C.: Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners. Technol. Regul. 91–135 (2020).
  61. 61.
    Signatu: Trackerdetect (nd).
  62. 62.
    Thaler, R.H., Sunstein, C.R.: Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press (2008)Google Scholar
  63. 63.
    TrustArc: Cookie Consent Manager (nd).
  64. 64.
    Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (Un)informed consent: studying GDPR consent notices in the field. In: Conference on Computer and Communications Security (2019)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2021

Authors and Affiliations

  1. 1.InriaParisFrance
  2. 2.Utrecht UniversityUtrechtThe Netherlands
  3. 3.Aarhus UniversityAarhusDenmark

Personalised recommendations