CMPs May Not Be GDPR Compliant

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Chris Shuptrine, vice president of marketing at Adzerk.

Consent management platforms (CMPs) are ad tech’s response to Europe’s General Data Protection Regulation (GDPR).

These platforms provide tools for collecting user consent for data processing and ad targeting and passing that info to downstream ad partners. CMPs theoretically bring transparency and accountability to the ad supply chain, helping publishers feel confident they are staying above board when displaying programmatic ads.

The only problem is, many CMPs may not actually be GDPR-compliant.

Indeed, there are many reasons why CMPs and the IAB’s consent framework may not satisfy the GDPR. Some of these could be overcome via UX overhauls, while others are more existential and threaten the core tech.

A catch-all ‘I Agree’ button may not work

Most CMPs employ a pop-up with a quick mention about cookies and a choice between “accept” and “deny.” These prompts are clean, intuitive and offer an easy path to providing consent. They also include links for users to dive deeper into how and where their data will be shared.

This flow seems to comply with the GDPR’s Article 7.2: “The request for consent shall be presented in a manner which is clearly distinguishable.”

At the same time, it may violate the GDPR for not being informed or specific enough, two terms used by GDPR and the Article 29 Working Party (G29), a sanctioned EU advisory board. According to the working party’s 15/2011 opinion, “A general consent, without specifying the exact purpose of the treatment, is not acceptable.”

In their words, a generic statement about cookies with a binary consent prompt may not satisfy the threshold for informed consent, even if there’s a “manage consent” link that sends someone to a more detailed breakdown.

Consent strings may not be compliant

A core idea behind the IAB’s Transparency and Consent Framework is the “consent string,” or daisybit, that’s passed in bid requests to the OpenRTB market and designates which vendors can use that data. To whitelist a vendor, a CMP must have contracts or data process agreements in place to share a user’s consent and PII.

But France’s data protection authority CNIL declared in its November 2018 ruling that contracts can’t legally fulfill GDPR’s Article 7. So if a publisher collects consent for a user, that does not give a downstream ad network the right to use or store that data even if the daisybit “provided” permission.

To handle that data, the vendor would need to verify the consent themselves, which is infeasible since the ad partner has no direct interaction with the user.

This ruling is therefore major news, as it implies that ad tech platforms cannot use consent they didn’t themselves collect or verify, thereby potentially rendering consent strings useless.

Giving consent is easy but withdrawing is not

The GDPR dedicates an entire chapter to a subject’s data rights for access, rectification, erasure and objection.

For instance, Article 16 states, “The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data.”

Article 7.3 adds, “The data subject shall have the right to withdraw his or her consent at any time.”

In other words, CMPs must make it easy for users to see, change and delete their consent.

As they are implemented, CMPs may break these rules for two reasons. One, after I tested 15 of the top CMPs, only two provided an obvious way for me to update my consent.

Two, if a user does rectify or revoke consent via the CMP after initially giving it, there’s no obvious way to honor this. For instance, if the consent was shared with 10 vendors, how does the CMP ensure that all 10 companies update the data they have?

And if CMPs can’t honor all the data rights, it’s possible the courts decide they shouldn’t be collecting consent in the first place.

Inadvertent data leakage is very possible

There are many vendors involved in a programmatic ad request, including CMPs, publisher ad servers, ad exchanges, DSPs, DMPs and so on. Even if consent can be legally passed via contracts, CMPs – once sending an OpenRTB request – can’t say for certain who all saw the information, who may have stored it and whether or not there were any data leakage.

In a recent filing, an IAB rep admitted this, saying, “It is technically impossible for the user to have prior information about every data controller in a real-time bidding (RTB) scenario … this would seem, at least prima facie, to be incompatible with consent under GDPR.”

Ultimately, the legality of CMPs will be decided by the courts. It’s possible that regulators are sympathetic to publishers and rule that basic consent prompts and daisybits are better than nothing.

Given that the GDPR arose to address online tracking, however, it’s hard to see this as the most likely scenario. It’ll certainly be an interesting few years as marketers and publishers look to stay above board in a time of such varying opinions.

We can also expect the IAB to continually tweak its framework, such as the update it released this week. While it doesn’t appear to solve the four issues I’ve outlined, it’s a step in the right direction of giving users more control over their data and won’t be the last update.

Follow Adzerk (@adzerk) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!

1 Comment

  1. We see many top-websites (,,, …) that dont use a CMP and potentially risk a loss in ad revenue. Also we see lots of top-websites (,,, …) that have a CMP but are not aware that their CMP does not follow the IAB policy and is therefore invalid. Unfortunatelly we see sooooo many CMPs out there that do not follow the IAB policy and still claim to be GDPR compliant. To clarify a website is only GDPR compliant if:

    – the user has a EQUAL choice (yes AND no)
    – the user can see/choose all partners
    – the user can see/choose all purposes (not only cookies)
    – processing only starts AFTER consent is given

    To clarify when a CMP is not compliant with the IAB:
    – a CMP using a non registered ID (e.g. 0 or 1) is not compliant
    – a CMP is not compliant if the vendors are not named
    – a CMP is not compliant if alle purposes are not named
    – a CMP is not compliant if the purposes are not named using the standard translations of the IAB
    – a CMP is not compliant if it does not show which vendors will use which purposes
    – a CMP is not compliant if it does not show which vendors will use which features