Consent Management Platforms under the GDPR: processors and/or
controllers?
- URL: http://arxiv.org/abs/2104.06861v1
- Date: Wed, 14 Apr 2021 13:54:02 GMT
- Authors: Cristiana Santos, Midas Nouwens, Michael Toth, Nataliia Bielova,
Vincent Roca
- Abstract summary: Consent Management Providers (CMPs) provide consent pop-ups embedded in ever more websites.
CMPs enable compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR).
Although the IAB's TCF specifications characterize CMPs as data processors, CMPs' factual activities often qualify them as data controllers instead.
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Consent Management Providers (CMPs) provide consent pop-ups that are embedded
in ever more websites over time to enable streamlined compliance with the legal
requirements for consent mandated by the ePrivacy Directive and the General
Data Protection Regulation (GDPR). They implement the standard for consent
collection from the Transparency and Consent Framework (TCF) (current version
v2.0) proposed by the European branch of the Interactive Advertising Bureau
(IAB Europe). Although the IAB's TCF specifications characterize CMPs as data
processors, CMPs' factual activities often qualify them as data controllers
instead. Discerning their clear role is crucial since compliance obligations
and CMPs' liability depend on their accurate characterization. We perform
empirical experiments with two major CMP providers in the EU, Quantcast and
OneTrust, paired with a legal analysis. We conclude that CMPs process
personal data, and we identify multiple scenarios wherein CMPs are controllers.
Related papers
- CBCMS: A Compliance Management System for Cross-Border Data Transfer (2024-12-12T06:48:00Z)
We propose the Cross-Border Compliance Management System (CBCMS) for cross-border data transfer.
PDL supports the unified management of data processing policies, bridging the gap between natural language policies and machine-processable expressions.
CPGM generates compliant data processing policies with high accuracy, achieving up to 25.16% improvement in F1 score.
- Certifiably Byzantine-Robust Federated Conformal Prediction (2024-06-04T04:43:30Z)
We introduce a novel framework, Rob-FCP, which executes robust federated conformal prediction, effectively countering malicious clients.
We empirically demonstrate the robustness of Rob-FCP against diverse proportions of malicious clients under a variety of Byzantine attacks.
- Privacy Policies and Consent Management Platforms: Growth and Users' Interactions over Time (2024-02-28T13:36:27Z)
Consent management platforms (CMPs) have emerged as practical solutions to make it easier for website administrators to manage user consent.
This paper presents a detailed analysis of the evolution of CMPs spanning nine years.
We observe how even small changes in the design of Privacy Banners have a critical impact on the user's giving or denying their consent to data collection.
- Towards an Enforceable GDPR Specification (2024-02-27T09:38:51Z)
Privacy by Design (PbD) is prescribed by modern privacy regulations such as the EU's.
One emerging technique to realize PbD is enforcement (RE).
We present a set of requirements and an iterative methodology for creating formal specifications of legal provisions.
- HasTEE+ : Confidential Cloud Computing and Analytics with Haskell (2024-01-17T00:56:23Z)
Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs).
TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks.
We address the above with HasTEE+, a domain-specific language (DSL) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
- A Multi-solution Study on GDPR AI-enabled Completeness Checking of DPAs (2023-11-23T10:05:52Z)
The General Data Protection Regulation (GDPR) requires a data processing agreement (DPA) which regulates processing and ensures personal data remains protected.
Checking completeness of a DPA according to prerequisite provisions is therefore essential to ensure that requirements are complete.
We propose an automation strategy to address the completeness checking of DPAs against stipulated provisions.
- CoCoMoT: Conformance Checking of Multi-Perspective Processes via SMT (Extended Version) (2021-03-18T20:22:50Z)
We introduce the CoCoMoT (Computing Conformance Modulo Theories) framework.
First, we show how SAT-based encodings studied in the pure control-flow setting can be lifted to our data-aware case.
Second, we introduce a novel preprocessing technique based on a notion of property-preserving clustering.
- Data Protection Impact Assessment for the Corona App (2021-01-18T19:23:30Z)
SARS-CoV-2 started spreading in Europe in early 2020, and there has been a strong call for technical solutions to combat or contain the pandemic, with contact tracing apps at the heart of the debates.
The EU's General Data Protection Regulation (GDPR) requires controllers to carry out a data protection impact assessment (DPIA).
We present a scientific DPIA which thoroughly examines three published contact tracing app designs that are considered to be the most "privacy-friendly".
- Second layer data governance for permissioned blockchains: the privacy management challenge (2020-10-22T13:19:38Z)
In pandemic situations, such as the COVID-19 and Ebola outbreaks, sharing health data is crucial to avoid massive infection and decrease the number of deaths.
In this sense, permissioned blockchain technology emerges to empower users to exercise their rights, providing data ownership, transparency, and security through an immutable, unified, and distributed database ruled by smart contracts.
- GDPR: When the Right to Access Personal Data Becomes a Threat (2020-05-04T22:01:46Z)
We examine more than 300 data controllers, performing for each of them a request to access personal data.
We find that 50.4% of the data controllers that handled the request have flaws in the procedure of identifying the users.
The undesired and surprising result is that the GDPR, in its present deployment, has actually decreased the privacy of the users of web services.
- Machine Understandable Policies and GDPR Compliance Checking (2020-01-24T09:41:47Z)
The SPECIAL H2020 project aims to provide a set of tools that can be used by data controllers to automatically check if personal data sharing complies with regulatory obligations.