Vendor list configuration (GDPR TCF)

   Permission: Vendor list - GDPR

In this article, we will cover the following configurations specific to a GDPR TCF vendor list:

To start, click Vendor Management on the left-hand panel and select GDPR TCF from the subsequent menu. 


Select a vendor list from the subsequent page of click New to create a new GDPR TCF vendor list.

landing page 8.23.48 AM.png

Apple data broker

The Apple data broker setting is an optional designation that your organization can apply to a vendor on your GDPR TCF vendor list that will impact an end-user's consent string and subsequent experience of your privacy manager. In this article, we will cover:

  Note: In order to utilize the apple data broker feature, your organization must fulfill the following pre-requisites:

Property is utilizing Sourcepoint's Unified SDK
iOS tracking message is enabled on account

A vendor who is designated as an apple data broker by your organization is only impacted by the designation when an end-user selects Don't Allow Tracking (or some permutation of this user option) in Apple's App Tracking Transparency message.

If an end-user selects Don't Allow Tracking, the following will automatically occur for a vendor designated as an Apple data broker:

  • Consent string will not feature the vendor
  • Google additional consent string will not feature the vendor
  • Vendor grants will return a FALSE value for the vendor
  • End-user will be unable to enable vendor from the privacy manager

To designate a vendor as an apple data broker, click the name of a vendor on the vendor list. 


Click the checkbox inline with Apple Data Broker and select Apply changes when finished.


Vendors designated as Apple data brokers will be marked in the vendor list builder.


Bulk edit vendor legal bases

The bulk edit feature enables your organization to efficiently edit the legal basis used for each respective purpose on your vendor list. Use this feature to set the same legal basis for every vendor included in the bulk action for each respective purpose. 

From your GDPR TCF vendor list, click the checkbox to the left of the vendor(s) name to select the vendor(s).


With the vendors selected, click the Bulk Actions field and select Bulk Edit from the dropdown menu. 


Use the subsequent dialog box to select the legal basis that will be used by the selected vendors for each purpose on your vendor list. Click Update when finished. 

  Note: If a selected vendor does not support the legal basis you select for the purpose, that vendor's legal basis will not change for that purpose. 


Custom vendor labels

Custom vendor labels allow you to add organization specific labels to vendors on your vendor list which will then surface in your property's privacy manager.

  Note: Please speak to your Sourcepoint account manager for more information on how to activate custom vendor labels for your account.

Select the name of a vendor from a GDPR TCF vendor list.


From the subsequent modal, click the check box to the left of Custom Vendor Label to add the label to the vendor. You can add a maximum of three custom vendor labels to your vendor list.

Click Apply changes when finished.


The description of the custom vendor label will be configured in the privacy manager builder for the property. 

Click Save to confirm all edits. 

With the custom vendor label(s) assigned to vendors on your GDPR TCF vendor list, navigate to the privacy manager builder for a property associated with that vendor list.

Select either the PrivacyManagerTCFv2 or PMTCFv2Inline component for your privacy manager. 


While focused on either the PrivacyManagerTCFv2 or PMTCFv2Inline component for your privacy manager, navigate to the Settings tab on the right-hand rail and expand the Vendor Content accordion. 


Locate the custom vendor label configuration for each of the custom vendor labels used. You can configure:

  • Custom vendor label description
  • Custom vendor label icon 
  • Translations for description and icons

Your custom vendor label description and icon will populate in your GDPR TCF privacy manager. 


Disclosure only purpose

  Note: Only custom purposes can be set as disclosure only. See: Manage custom purposes for more information. 

The disclosure only feature allows you to configure a custom purpose that does not have a consent toggle (opt-in/opt out). To enable the feature for a custom purpose, click the custom purpose name from your vendor list. 


From the subsequent dialog box, check the box next to Disclosure only and click Apply changes when finished. 

Screenshot 2023-08-01 at 2.41.45 PM.png

When enabled for the custom purpose, vendors can either be configured as Disclosure only or Not Applicable for the custom purpose. 

Screenshot 2023-08-01 at 2.46.00 PM.png

The vendor(s) will appear in your privacy manager under the disclosure only custom purpose which will not have an opt-in/opt-out toggle.


IAB purposes

IAB stacks

IAB stacks allow your organization to group the 10 IAB purposes and 2 IAB special features into pre-determined groupings. When configured for your GDPR TCF vendor list, these stacks can be surfaced in lieu of each purpose listed individually in privacy managers for associated properties. Like a folder system for IAB purposes and special features, the individual purposes can be navigated to by the end-user by clicking the stack in the privacy manager.


From a GDPR TCF vendor list builder, click Manage Stacks.


From the IAB stacks tab of the subsequent modal, add pre-configured IAB stacks by clicking the + symbol next to the stack under IAB stacks that can be added to your list.

Selected stacks will be moved under the IAB stacks in your list header.

  Note: IAB stacks include multiple permutations of IAB purpose groupings. However, a single IAB purpose in your GDPR TCF vendor list can only be in one IAB stack at a time. As you add IAB stacks to your vendor list, other IAB stacks will be un-addable due to these colliding purposes (i.e. one or more purposes in your added IAB stack also exists in another IAB stack).

Click Apply Changes when finished.


IAB purposes included in IAB stacks will be grouped together in the vendor list builder under the IAB stack name. Any purposes not included in an IAB stack will be listed separately.


Click Save to apply the changes.

Consent scope

The Consent Scope field for a vendor list determines how an end-user's consent preferences are shared across different properties within and outside your organization.

When an end-user selects their consent preferences on your property, the privacy manager will utilize the consent scope for the associated vendor list to share or not share the preferences. The following

Consent Scopes can be selected for a GDPR TCF Vendor List:

Consent Scope Description
Single Site An end-user's consent preferences will only be set for the property where the end-user provided their consent..
Shared Site

An end-user's consent preferences will be shared across a defined group of sites within your Sourcepoint account.

  Note: Selecting this option requires that your organization has configured authenticated consent on your properties.

From the vendor list builder, navigate to the Consent Scope field at the top of the page and use the dropdown menu to select a consent scope for the vendor list.

Click Save when finished.


Resolve IAB vendor updates

Occasionally, a vendor on the IAB's Global Vendor List (GVL) will update their declarations with the IAB after their initial registration (or will no longer be declared with the IAB entirely). If the vendor is already added to a vendor list in your Sourcepoint account when this update with the IAB occurs, you will need to confirm/update your vendor list to resolve the discrepancy and align with the new declarations.

In cases where a vendor's IAB declarations or affiliation with the IAB has changed, your vendor list will surface warnings for you to review. Click the Review button for each respective warning to review the vendors that have changed. 


The vendor list will be filtered to the changed/deleted vendor(s) and the changes will be highlighted in red.


Review the changes and click Save to confirm the update. You will be prompted to confirm your decision again. Click Confirm & Save

  Note: Vendor list updates that include adding new purposes or new purposes with consent as a legal basis will trigger re-consent campaigns.


In the case of multiple types of GVL updates to your vendor list, use the filter buttons to access the various GVL update lists to navigate between the updates. 


Special purposes

When vendors register with the IAB, they can declare special purposes for the collection of end-user data. There are two special purposes that vendors can declare with the IAB:

  1. Ensure security, prevent fraud, and debug
  2. Technically deliver ads or content

If a vendor on your vendor list has declared consent requirements for either of these special purposes then they will automatically appear in the privacy manager.


Manage custom purposes

A custom purpose on a GDPR TCF vendor list is a configurable purpose created by your organization and can be applied to vendors on your vendor list.

To add a custom purpose, click + Add Custom Purpose at the bottom of the vendor list builder.


Use the subsequent modal to input a Name and optional Description for the new custom purpose. Click Create purpose when finished.


  Note: The Google Consent Mode Category field should only be filled-in if your organization is implementing Google Consent Mode for your property. Click here for more information about Sourcepoint's integration with Google Consent Mode. 

The custom purpose will be added to end of the purpose column. Set the legal basis for the new custom purpose for each vendor in your vendor list.


To edit general settings, consent and reject actions, or to delete the custom purpose, click the name of the purpose.


Use the subsequent modal to edit or delete the custom purpose. See the provided links to learn more about user-friendly text and custom illustrations.


Custom purpose user-friendly text

The user-friendly text field for a custom purpose allows your organization to provide a description for the purpose. A custom purpose has a single user-friendly text field.

Screenshot 2023-08-11 at 10.37.47 AM.png

The user-friendly text that you include for the custom purpose will be rendered underneath the custom purpose when expanded in the GDPR TCF privacy manager for the property.

Screenshot 2023-08-11 at 10.59.44 AM.png

Custom purpose custom illustration(s)

Purpose illustration(s) allow your organization to provide more concrete examples of how the purpose is used. The IAB provides one illustration for Purpose 1 and two illustrations for Purpose 2 - 11, respectively. 

For custom purposes, your organization can choose to provide custom illustrations to give examples that are more specific to your organization. From the custom purpose modal, navigate to the Illustration section and click + Add Custom Illustration.

Screenshot 2023-08-11 at 11.48.07 AM.png

Use the provided field to input an example and repeat as desired.

Click Apply changes when finished.

Screenshot 2023-08-11 at 11.50.33 AM.png

The custom illustration(s) will be rendered for the custom purpose when it is expanded in the  GDPR TCF privacy manager for the property. Each custom illustration will be formatted as a separate bullet point.

Manage vendor purposes and restrictions

GDPR TCF introduced the ability for publishers to allow or set restrictions on how vendors may process end-user data. Your organization can manage restrictions on vendors by selecting the legal basis for a given purpose. This allows your organization to indicate your preferences that take precedence over a vendor’s preference, where applicable.

Your organization should review the purpose and legal basis settings for the vendors it works with in the vendor list. 

  Note: Your organization can establish its own legal basis for IAB purposes when processing user data, more information can be found here.

The vendor list displays all vendors your organization works with and their legal basis for each IAB and custom purpose. The legal basis can be:

Legal Basis Description
User Consent Confirming that the vendor can process end-user data for a specific purpose only if the end-user has provided explicit consent.
Legitimate Interest (for some vendors)

Allowing the vendor to process end-user data without collecting explicit consent for a specific purpose

  Note: The end-user can still reject the processing of their data.

Not Allowed Your organization is restricting a vendor from processing end-user data for a specific purpose.

When a new IAB vendor is added to the list, the vendor's preferred legal basis is set for each purpose.

In order to override or set the preferred legal basis for an individual vendor, click the legal basis field inline with the vendor underneath the purpose column.


The TC string will be updated and the vendor will be informed whether they are permitted to process user data for this purpose. 

Vendor URL mapping

Vendor URL mapping is intended to be used by publishing systems with Sourcepoint's vendor URL mapping API to help determine if a vendor URL has been defined appropriately in the Sourcepoint system. This API can help developers that are integrating with Content Management Systems (CMS) verify that a URL referenced in content can be related to vendor and purpose consent preferences which can be queried and set based on user actions.

The vendor URL mapping API will return the vendors that have URL mappings which match the vendorUrls passed in the request. These mapping must be configured within the Sourcepoint portal before this API can be used.

Configure the URL mappings for vendors by selecting a vendor from the list.

Screenshot 2023-08-01 at 3.29.11 PM.png

Click URL Mappings in the modal and select Add Pattern.


Use the provided fields to configure conditions of the pattern. Your organization can create patterns with multiple condition statements. Additionally, you can configure multiple patterns for the vendor.

Click Apply changes when finished.


Repeat as necessary for other vendors.

  Note: Do not create patterns that can be matched to multiple vendors as this will cause errors.

Click Save in vendor list builder to confirm all changes.

Advanced settings

The advanced settings modal for a GDPR TCF vendor list allow a user to configure settings that will applied to the entire vendor list. 

Click *Advanced settings*.


The following advanced settings can be edited for the GDPR TCF vendor list:

Advanced Setting Description
CMP publisher ID

Input your organization's own CMP ID (if available) to utilize your own stack descriptions or translations.

Add all IAB vendors

Automatically adds all the vendors from the IAB Global Vendor List (GVL) and keeps them updated daily.

Default IAB vendor consent type

When an IAB vendor declares both consent and legitimate interest for a particular purpose, the vendor list will use what is selected in the provided field as the default value.

  Note: Note: If a default IAB Vendor Consent Type is configured on an individual purpose, that value will override this setting for that particular purpose.

Write 1st party cookies to root domain

When enabled, consent selections will be stored/persist across the site’s root domain (e.g. and its respective subdomains (e.g.

This will ensure that users do not see the same consent message when moving from root to subdomain or vice versa. 

Write 1st party cookies from the server

When enabled, the 1st-party cookie will be set by the server by passing a cookie from the server back to your site instead of using the on-site code to set the cookie.

This setting should be enabled if your organization has set up a CNAME subdomain.

Consent cookies expiration The length of time (in days) consent cookies are valid.
Use special treatment for purpose 1 in countries Certain countries in European Union may have different interpretations of GDPR legislation. If enabled, then Purpose 1 will not be populated in the first layer message or a privacy manager and will not be registered in the consent string.
Display special purposes, features, and disclosure only vendors in message Determines whether you will show any vendor special features and special purposes in the first layer message.
List IAB Purpose 1 and Custom Elements First in the Message

If enabled, then any custom elements for Purpose 1 will be bumped to the top of the list of purposes in the first layer message.


Base vendor consent and reject actions on vendor grants

Vendor grants inform a publisher whether a vendor has been granted consent for all the purposes for which they are asking consent. Generally, this setting is used to manage custom vendors. When enabled, the Vendor List will fire consent and reject actions based on the vendor grant.

  Note: A vendor grant only returns a true value when an end-user consents to all purposes for which your organization is requesting. If an end-user consents to only some of the purposes, the vendor grant will return a false value.

Store euconsent-v2 1st party cookie

A legacy cookie that Sourcepoint continues to support for early adoptees of the platform.

Disclosed Vendors in TCString

The Disclosed Vendor segment of a TC String provides a list of vendors that have been disclosed to a user.

By default, this feature is deactivated for all clients. 

Do not store UUIDs server side

Only available for android apps. When enabled, end-user consent will not be stored in the server. 

  Note: Enabling this option will remove all user related metrics from Sourcepoint reporting for android apps. You will only be able to report on page view data for android apps.

Do not use unique user identifiers for reporting purposes

In order to report on unique users, we send a unique identifier for each user to our reporting pipeline in order to attribute page views and actions that have been made by the same user.

Depending on the jurisdiction you are in, the DPA cookie guidance on this use case may vary and therefore you have the option to restrict this use case if you wish. If this setting is enabled, Sourcepoint will no longer set the _sp_su cookie (used in our sampling methodology in our reporting pipeline) on your properties associated with the vendor list.

  Note: Enabling this setting will mean that any reporting metrics that relate to unique users will show the exact same numbers as page views.

Use the subsequent modal to edit the advanced settings for the vendor list. Click Apply Changes when finished.


Manage publishers purposes

If your organization processes end-user data (i.e. acts like a vendor) for its own use then the end-user can be informed and asked to give consent. The Sourcepoint dashboard allows your organization to set your own legal basis for IAB purposes.


An organization that wants to set a frequency-capping first-party cookie should request end-user consent for Purpose 1 "Store and/or access information on a device" in jurisdictions where it is required.

More information from the IAB about Publisher Purposes can be found here.

From the advanced settings modal in your vendor list builder, click Manage Publisher Purposes.


In the subsequent modal, your organization can set the legal bases for IAB purposes. The options for legal bases are:

  • User Consent
  • Legitimate Interest
  • Not Applicable

Please consult with your Data Protection Officer or privacy legal team about the appropriate legal bases for each purpose.


Vendor count

The vendor count(s) are ineditable fields that will respectively tally:

  • total number of vendors on your GDPR TCF vendor list
  • number of vendors with a legal basis set for each purpose (except for Disclosure only)


  Note: In order to comply with the IAB GDPR TCF v2.2, your organization will need to surface the total number of vendors on your GDPR TCF vendor list in your first layer message.

Click here for more information on how to add the total vendor count on your GDPR TCF vendor list to a first layer message.

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.