ConsentManager and Data Protection – What Belongs in the Privacy Policy

When a website operator uses ConsentManager, it processes web server log data, device data, browser information, coarse location data and consent cookies or LocalStorage entries for the purpose of obtaining, documenting and managing consent under Section 25 TDDDG (German implementation of the ePrivacy Directive) and Article 7 GDPR. This page sets out, in compact form, which processing operations are typically associated with ConsentManager and which mandatory disclosures must therefore appear in the privacy policy of a website.

The following information is based on the publicly available statements of the provider and on publicly researchable sources; it does not replace a case-by-case legal review.

A. Purpose and Functionality of ConsentManager

ConsentManager is a Consent Management Platform (CMP) that enables website operators to obtain, document and manage end-user consent to cookies and other storage operations on the user's device, as well as to subsequent data processing. Technically, a JavaScript file provided by the vendor is embedded in the <head> of the website (typically delivered from cdn.consentmanager.net). On page load, the script displays a consent banner, captures the user's choice and exposes that choice to other scripts and tag managers on the website.

According to the provider, ConsentManager supports the IAB Transparency & Consent Framework (TCF v2.x), Google Consent Mode v2, cross-device consent synchronisation as well as interfaces for mobile apps (iOS, Android, Flutter) and CTV/HbbTV. This page is limited to the typical embedding of the CMP as a script in a website (web integration). Other functions such as app SDKs are not covered here.

ConsentManager falls into the tool category Consent Management. Unlike, for example, a tracking or marketing tool, the CMP is not itself a marketing instrument; it serves to fulfil the website operator's legal obligations relating to consent and transparency requirements.

B. Mandatory Disclosures Regarding ConsentManager in the Privacy Policy

The GDPR requires that, in addition to general information about the website operator, the rights of the data subject and the competent supervisory authority, the privacy policy contains certain mandatory disclosures for each tool used. Specifically for the use of ConsentManager, these are in particular:

• the purposes of processing (Art. 13(1)(c) GDPR),
• the legal bases of processing (Art. 13(1)(c) GDPR),
• where processing is based on a balancing of interests, the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
• the recipients or categories of recipients of the personal data (Art. 13(1)(e) GDPR),
• where applicable, any transfer to a third country and its legal basis (Art. 13(1)(f) GDPR),
• the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR),
• where data is not collected directly from the data subject, the categories of personal data processed (Art. 14(1)(d) GDPR).

The following sections break these mandatory disclosures down for ConsentManager.

It should also be noted that it is not necessary to list each individual tool – including ConsentManager – with its own template paragraph in the privacy policy. The practice common in many lawyer-drafted templates of providing a separate paragraph for every service used has established itself as poor practice: it leads to long, hard-to-read and barely maintainable privacy policies that tend to undermine rather than support the transparency requirement of Article 12(1) GDPR. A topic-oriented approach is preferable, describing processing operations across themes such as server operation, newsletter, tracking, sales and consent management, and naming the specific service providers used – including ConsentManager – in an annex as recipients.

C. Provider of ConsentManager

According to the publicly available information of the provider, the contracting party for the use of ConsentManager is:

• Company: consentmanager AB
• Address: Haltegelvägen 1b, 72348 Västerås, Sweden
• Country of establishment: Sweden (EU/EEA)
• Data protection officer: Peter Hense, attorney at law (reachable via the contact form provided by the vendor)

consentmanager AB is established in an EU member state; according to the provider, no third-country transfer takes place because data processing and storage occur exclusively on servers in Europe. According to the provider, servers are operated in Germany at PlusServer GmbH (Cologne). According to publicly available information, there is no US parent company; a DPF certification is therefore not relevant for the data processing within the CMP.

The provider's privacy notice is available at https://www.consentmanager.net/de/datenschutz/; information on data processing on behalf can be found at https://www.consentmanager.net/dpa/.

D. ConsentManager – Data Processing Step by Step

1. Collection: When a page that integrates ConsentManager is loaded, the user's browser fetches the CMP script from a provider domain (e.g. cdn.consentmanager.net). The provider thereby receives the web server log data typical for any HTTP request. The script then determines device and browser information, displays the consent banner and captures the user's choice.
2. Storage: The chosen consent is stored as a consent string and/or consent cookie in the user's browser (LocalStorage and/or cookie). The provider also stores consent records in its infrastructure for later proof, and according to its own information operates servers in Europe (Germany).
3. Use: Other scripts and tag managers on the website query the consent status and adjust their behaviour accordingly (e.g. activating or blocking tracking scripts). The provider itself offers the website operator reporting features, statistics and interfaces.
4. Transfer: According to the provider, no transfer of consent data to third parties takes place insofar as the CMP function is concerned. Sub-processors are used for supplementary services; consent data is not passed on to external advertising networks.
5. Deletion: The typical consent lifecycle ends when the cookie or LocalStorage entry expires (often twelve months, after which consent is sought again) or when the user revokes consent. The provider states that consent records are retained for the duration of the statutory documentation obligation.

E. Data Collected When Using ConsentManager

When ConsentManager is used, the following data is typically processed for website visitors: the IP address at the time the banner is displayed and the consent is given, a timestamp of the choice, the choice itself (consent string, where applicable in IAB-TCF format), a pseudonymous identifier in a consent cookie or LocalStorage entry, as well as technical browser and device information (user agent, operating system, language, screen size). Based on the IP address, the provider can derive the user's coarse location (city/region level).

This data can be classified into the following standardised data categories:

• Web server log data: data automatically received by the provider's web server with each request, in particular IP address, date, time and time zone, URL of the requested resource (script), referrer, information on browser, operating system and device, and additional technical metadata.
• Device data: information about the user's device, e.g. device type, operating system, screen resolution and screen size.
• Browser information: information about the browser used, e.g. browser name and browser version.
• Coarse location data: the user's coarse location at city or region level derived from the IP address; particularly relevant for determining whether a banner needs to be displayed at all (geo-targeting to EU/EEA).
• Consent data (a specific form of cookie/LocalStorage and account-like identifiers): pseudonymous consent identifier, choice made, timestamp, banner version and language, and where applicable the full TCF consent string.

According to the provider, this data is not linked to directly identifying information (name, email) within the CMP function.

F. Purposes of Processing When Using ConsentManager

The website operator uses the data processed via ConsentManager to obtain consent in a legally compliant manner, to give the user a choice, to enforce that choice both server-side and client-side, and to document the consent. In addition, technical data is processed to provide the banner itself, to detect errors and to protect against abuse.

The purposes typically pursued with ConsentManager can be classified into the following standardised purpose categories:

• Service provision: displaying the consent banner, capturing and technically enforcing the user's choice, providing consent information to downstream scripts, and detecting and remedying errors in the banner lifecycle.
• Security and abuse prevention: detecting and preventing automated abuse attempts (e.g. repeated triggering of the banner logic by bots), session control and authentication against the CMP backend.
• Compliance: meeting the statutory obligations to obtain and manage consent under Section 25 TDDDG and Art. 6(1)(a), Art. 7 GDPR, in particular informing the user and controlling tag firing.
• Compliance with retention obligations: retaining consent records to fulfil the documentation obligation under Art. 7(1) GDPR.
• Legal claims: assertion, exercise or defence of legal claims, e.g. proof of consent in disputes or supervisory proceedings.

When using ConsentManager as a pure consent solution, the data is not used for user profile creation, individual marketing or general product improvement in the sense of classical tracking tools.

G. Legal Bases for ConsentManager

ConsentManager falls into the tool category Consent Management. The CMP serves to fulfil the website operator's statutory obligations under Section 25 TDDDG (consent to storage operations on the user's device) and Article 7 GDPR (obtaining and proving consent), as well as the transparency requirement under Articles 12, 13 GDPR.

Based on generally recognised standards, the following legal bases typically come into consideration for the use of ConsentManager:

• Art. 6(1)(c) GDPR – legal obligation: where processing is necessary to comply with a legal obligation (in particular proof of consent under Art. 7(1) GDPR and the design of consent under Section 25 TDDDG).
• Art. 6(1)(f) GDPR – legitimate interests: where a specific legal obligation does not apply, the operation of a CMP is regularly based on the website operator's legitimate interest in compliance, security, abuse prevention and the assertion of legal rights; this includes in particular the interest in technically ensuring and being able to demonstrate compliance with data protection requirements.
• Section 25(2)(2) TDDDG: it is widely held that setting and reading the CMP's own consent cookie or LocalStorage entry is strictly necessary in order to provide the telemedia service expressly requested by the user (namely the storage of the user's choice); a separate consent for the consent storage operation itself is therefore not additionally required.

The applicable legal basis is fact-dependent and is to be determined by the website operator on a case-by-case basis. Where reliance is placed on Art. 6(1)(f) GDPR, the legitimate interests must be specifically named in the privacy policy.

H. Specifics and Notes on ConsentManager

• EU establishment and EU hosting: According to the provider, the contracting party is consentmanager AB based in Sweden; data processing is carried out on servers in Germany. According to this information, no third-country transfer takes place; a DPF status is therefore not relevant.
• DPA / data processing on behalf: For the processing of consent data, the provider typically acts as a processor and offers a corresponding data processing agreement. Conclusion of a DPA under Art. 28 GDPR is regularly mandatory; website operators should sign and document the DPA before going live.
• Sub-processors: The provider uses sub-processors for hosting and supplementary services (including PlusServer GmbH as host). Website operators should regularly check the sub-processor list for updates.
• Opt-out and revocation: Users can revoke or adjust their consent at any time via the CMP banner or a "privacy" icon provided by the vendor. A separate opt-out with the provider is not required for the CMP function, since the CMP itself serves the purpose of enabling revocation.
• Settings for the website operator: Key data-protection-relevant configurations include the selection of integrated vendors and purposes (TCF), the geographical scope of the banner (e.g. EU/EEA only), the lifetime of consent storage, the correct default of "no consent", and integration with tag managers and Google Consent Mode v2.
• Scope of functions covered: This page addresses the web integration as a CMP script. Mobile SDKs (iOS/Android/Flutter) and CTV/HbbTV integrations follow the same basic concept but raise additional issues (e.g. ATT on iOS) that are not covered here.

I. FAQ on ConsentManager and Data Protection

J. Conclusion and Call to Action

ConsentManager is an EU-based Consent Management Platform with European hosting that supports website operators in obtaining, enforcing and documenting consent. According to the provider, the data processed within the CMP function is essentially limited to technical access data and the consent choice itself; a classical tracking or marketing character is not associated with the pure consent function. Contracting party, DPA content, sub-processors and hosting location are to be verified by the website operator on a case-by-case basis.

For the privacy policy itself, the following applies: it is usually of little benefit to include each individual tool – including ConsentManager – with its own template paragraph. This makes the privacy policy long, confusing and hard to maintain, contrary to the transparency requirement of Article 12(1) GDPR. A structured, topic-oriented approach is preferable, explaining processing operations across topic blocks (server operation, newsletter, tracking, sales, consent management …) and listing the specific service providers used – including ConsentManager – in an annex as recipients. This is precisely the methodology of the matterius generator.

K. Curator