Consent Management Platforms under the GDPR: processors and/or controllers?
This addresses legal compliance and liability issues for CMP providers and website operators under GDPR, with incremental insights based on empirical and legal analysis.
The paper investigates whether Consent Management Platforms (CMPs) act as data processors or controllers under GDPR, finding through empirical experiments with Quantcast and OneTrust that CMPs process personal data and often qualify as controllers in multiple scenarios.
Consent Management Providers (CMPs) provide consent pop-ups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB's TCF specifications characterize CMPs as data processors, CMPs factual activities often qualifies them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU: Quantcast and OneTrust and paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.