Permission: Vendor list - GDPR

In this article, we will cover the following configurations specific to a GDPR TCF vendor list:

To start, click Vendor Management on the left-hand panel and select GDPR TCF from the subsequent menu. 

Screen_Shot_2021-12-09_at_2.05.43_PM.png

Select a vendor list from the subsequent page of click New to create a new GDPR TCF vendor list.

Screen_Shot_2021-12-09_at_12.20.39_PM.png


Apple data broker

The Apple data broker setting is an optional designation that your organization can apply to a vendor on your GDPR TCF vendor list that will impact an end-user's consent string and subsequent experience of your privacy manager. In this article, we will cover:

  Note: In order to utilize the apple data broker feature, your organization must fulfill the following pre-requisites:

Property is utilizing Sourcepoint's Unified SDK
iOS tracking message is enabled on account

A vendor who is designated as an apple data broker by your organization is only impacted by the designation when an end-user selects Don't Allow Tracking (or some permutation of this user option) in Apple's App Tracking Transparency message.

If an end-user selects Don't Allow Tracking, the following will automatically occur for a vendor designated as an Apple data broker:

  • Consent string will not feature the vendor
  • Google additional consent string will not feature the vendor
  • Vendor grants will return a FALSE value for the vendor
  • End-user will be unable to enable vendor from the privacy manager

To designate a vendor as an apple data broker, click the name of a vendor on the vendor list. 

Screen_Shot_2021-12-09_at_2.11.30_PM.png

Click the checkbox inline with Apple Data Broker and select Apply changes when finished.

Screen_Shot_2021-12-09_at_2.14.07_PM.png

Vendors designated as Apple data brokers will be marked in the vendor list builder.

Screen_Shot_2021-12-09_at_2.32.57_PM.png

Use the Filter By dropdown menu to narrow down the vendor list to just Apple data brokers.

Screen_Shot_2021-12-09_at_2.33.19_PM.png


Bulk edit vendor legal bases

The bulk edit feature enables your organization to efficiently edit the legal basis used for each respective purpose on your vendor list. Use this feature to set the same legal basis for every vendor included in the bulk action for each respective purpose. 

From your GDPR TCF vendor list, click the checkbox to the left of the vendor(s) name to select the vendor(s).

Screen_Shot_2021-12-10_at_7.02.46_AM.png

With the vendors selected, click the Bulk Actions field and select Bulk Edit from the dropdown menu. 

Screen_Shot_2021-12-10_at_7.47.37_AM.png

Use the subsequent dialog box to select the legal basis that will be used by the selected vendors for each purpose on your vendor list. Click Update when finished. 

  Note: If a selected vendor does not support the legal basis you select for the purpose, that vendor's legal basis will not change for that purpose. 

Screen_Shot_2021-12-10_at_10.05.15_AM.png


Custom vendor labels

Custom vendor labels allow you to add organization specific labels to vendors on your vendor list which will then surface in your property's privacy manager.

  Note: Please speak to your Sourcepoint account manager for more information on how to activate custom vendor labels for your account.

Select the name of a vendor from a GDPR TCF vendor list.

Screen_Shot_2021-12-08_at_2.18.40_PM.png

From the subsequent modal, click the check box to the left of Custom Vendor Label to add the label to the vendor. You can add a maximum of three custom vendor labels to your vendor list.

Click Apply changes when finished.

Screen_Shot_2021-12-08_at_2.19.50_PM.png

The description of the custom vendor label will be configured in the privacy manager builder for the property. 

Click Save to confirm all edits. 

With the custom vendor label(s) assigned to vendors on your GDPR TCF vendor list, navigate to the privacy manager builder for a property associated with that vendor list.

Select either the PrivacyManagerTCFv2 or PMTCFv2Inline component for your privacy manager. 

Screen_Shot_2021-09-30_at_3.11.37_PM.png

While focused on either the PrivacyManagerTCFv2 or PMTCFv2Inline component for your privacy manager, navigate to the Settings tab on the right-hand rail and expand the Vendor Content accordion. 

Screen_Shot_2021-09-30_at_3.11.51_PM.png

Locate the custom vendor label configuration for each of the custom vendor labels used. You can configure:

  • Custom vendor label description
  • Custom vendor label icon 
  • Translations for description and icons

Your custom vendor label description and icon will populate in your GDPR TCF privacy manager. 

Screen_Shot_2021-09-30_at_3.23.30_PM.png


Disclosure only purpose

  Note: Only custom purposes can be set as disclosure only. See: Manage custom purposes for more information. 

The disclosure only feature allows you to configure a custom purpose that does not have a consent toggle (opt-in/opt out). To enable the feature for a custom purpose, click the custom purpose name from your vendor list. 

Screen_Shot_2021-12-14_at_10.54.24_AM.png

From the subsequent dialog box, check the box next to Disclosure only and click Apply changes when finished. 

Screen_Shot_2021-12-14_at_10.56.38_AM.png

When enabled for the custom purpose, vendors can either be configured as Disclosure only or Not Applicable for the custom purpose. 

Screen_Shot_2021-12-14_at_10.58.42_AM.png

The vendor(s) will appear in your privacy manager under the disclosure only custom purpose which will not have an opt-in/opt-out toggle.

Screen_Shot_2021-12-14_at_11.06.20_AM.png


IAB purposes

Purposes, created by the IAB, explain how a publisher, website, or other site is using the personal data collected from the user.

GDPR TCF was designed by the IAB to give the user more control over how their data is being used and how they can grant consent. In order to give greater transparency over how their data is processed by sites, the IAB have 10 purposes. These outline all the ways consumer data can be collected by a site in line with the IAB framework.

ID Purpose name Description
1 Store and/or access information on a device Vendors can store and access information on the device such as cookies and device identifiers presented to an end-users.
2 Select basic ads

To select basic ads vendors can:

  • Use real-time information about the context in which the ad will be shown, to show the ad, including information about the content and the device, such as: device type and capabilities, user agent, URL, and IP address.
  • Use a user’s non-precise geolocation data.
  • Control the frequency of ads shown to a user.
  • Sequence the order in which ads are shown to a user.
  • Prevent an ad from serving in an unsuitable editorial (brand-unsafe) context.

Vendors cannot:

  • Create a personalized ads profile using this information for the selection of future ads without a separate legal basis to create a personalized ads profile.

N.B. Non-precise means only an approximate location involving at least a radius of 500 meters is permitted.

3 Create a personalized ads profile

To create a personalized ads profile vendors can:

  • Collect information about a user, including a user's activity, interests, visits to sites or apps, demographic information, or location, to create, or edit a user profile for use in personalized advertising.
  • Combine this information with other information previously collected, including from across websites and apps, to create, or edit a user profile for use in personalized advertising.
4 Select personalized ads

To select personalized ads vendors can:

  • Select personalized ads based on a user profile or other historical user data, including a user’s prior activity, interests, visits to sites, or apps, location, or demographic information.
5 Create a personalized content profile

To create a personalized content profile vendors can:

Collect information about a user, including a user's activity, interests, visits to sites or apps, demographic information, or location, to create, or edit a user profile for personalizing content.

Combine this information with other information previously collected, including from across websites and apps, to create or edit a user profile for use in personalizing content.

6 Select personalized content

To select personalized content vendors can:

  • Select personalized content based on a user profile or other historical user data, including a user’s prior activity, interests, visits to sites or apps, location, or demographic information.
7 Measure ad performance

To measure ad performance vendors can:

  • Measure whether and how ads were delivered to and interacted with by a user.
  • Provide reporting about ads including their effectiveness and performance.
  • Provide reporting about users who interacted with ads using data observed during the course of the user's interaction with that ad.
  • Provide reporting to publishers about the ads displayed on their property.
  • Measure whether an ad is serving in a suitable editorial environment (brand-safe) context.
  • Determine the percentage of the ad that had the opportunity to be seen and the duration of that opportunity.
  • Combine this information with other information previously collected, including from across websites and apps

Vendors cannot:

  • Apply panel- or similarly-derived audience insights data to ad measurement data without a separate legal basis to apply market research to generate audience insights.
8 Measure content performance

To measure content performance vendors can:

  • Measure and report on how content was delivered to and interacted with by users.
  • Provide reporting, using directly measurable or known information, about users who interacted with the content.
  • Combine this information with other information previously collected, including from across websites and apps.

Vendors cannot:

  • Measure whether and how ads (including native ads) were delivered to and interacted with by a user without a separate legal basis.
  • Apply panel- or similarly derived audience insights data to ad measurement data without a separate legal bases to apply market research to generate audience insights.
9 Apply market research to generate audience insights

To apply market research to generate audience insights vendors can:

  • Provide aggregate reporting to advertisers or their representatives about the audiences reached by their ads, through panel-based and similarly derived insights.
  • Provide aggregate reporting to publishers about the audiences that were served or interacted with content and/or ads on their property by applying panel-based and similarly derived insights.
  • Associate offline data with an online user for the purposes of market research to generate audience insights if vendors have declared to match and combine offline data sources.
  • Combine this information with other information previously collected, including from across websites and apps.

Vendors cannot:

  • Measure the performance and effectiveness of ads that a specific user was served or interacted with, without a separate legal basis to measure ad performance.
  • Measure which content a specific user was served and how they interacted with it, without a separate legal basis to measure content performance.
10 Develop and improve products

To develop new products and improve products vendors can:

  • Use information to improve their existing products with new features and to develop new products.
  • Create new models and algorithms through machine learning.

Vendors cannot:

  • Conduct any other data processing operation allowed under a different purpose under this purpose.

IAB stacks

IAB stacks allow your organization to group the 10 IAB purposes and 2 IAB special features into pre-determined groupings. When configured for your GDPR TCF vendor list, these stacks can be surfaced in lieu of each purpose listed individually in privacy managers for associated properties. Like a folder system for IAB purposes and special features, the individual purposes can be navigated to by the end-user by clicking the stack in the privacy manager.

1.gif

From a GDPR TCF vendor list builder, click Manage Stacks.

Screen_Shot_2021-12-09_at_2.38.15_PM.png

From the IAB stacks tab of the subsequent modal, add pre-configured IAB stacks by clicking the + symbol next to the stack under IAB stacks that can be added to your list.

Selected stacks will be moved under the IAB stacks in your list header.

  Note: IAB stacks include multiple permutations of IAB purpose groupings. However, a single IAB purpose in your GDPR TCF vendor list can only be in one IAB stack at a time. As you add IAB stacks to your vendor list, other IAB stacks will be un-addable due to these colliding purposes (i.e. one or more purposes in your added IAB stack also exists in another IAB stack).

Click Apply Changes when finished.

Screen_Shot_2021-12-09_at_2.41.25_PM.png

IAB purposes included in IAB stacks will be grouped together in the vendor list builder under the IAB stack name. Any purposes not included in an IAB stack will be listed separately.

Screen_Shot_2021-12-09_at_2.41.45_PM.png

Click Save to apply the changes.


Manage vendor cookies

The provenance, duration, and purpose for cookies used by vendors on a vendor list can be documented by your organization. Cookie information documented for each vendor will subsequently be surfaced in privacy managers that use the vendor list to which the vendor belongs.

From the vendor list builder, click the name of a vendor from the list. Cookies can be documented for IAB, custom, and custom ATP vendors.

Screen_Shot_2021-12-09_at_2.46.19_PM.png

Click the Cookies tab in the subsequent modal. Use the provided functions to add, remove, and edit cookies used by the vendor.

  Note: Sourcepoint will ingest vendor declarations from the IAB's Global Vendor List (GVL) and automatically apply those declarations to IAB vendors and surface that information in privacy managers that are using the vendor list. Declarations ingested from the IAB's GVL are uneditable.

Screen_Shot_2021-12-09_at_2.47.29_PM.png

Click Apply changes when finished.

Vendor cookie information will be surfaced in privacy managers on properties associated with the vendor list.

5.png


 


Consent scope

The Consent Scope field for a vendor list determines how an end-user's consent preferences are shared across different properties within and outside your organization.

When an end-user selects their consent preferences on your property, the privacy manager will utilize the consent scope for the associated vendor list to share or not share the preferences. The following

Consent Scopes can be selected for a GDPR TCF Vendor List:

Consent Scope Description
Single Site An end-user's consent preferences will only be set for the property where the end-user provided their consent..
Shared Site

An end-user's consent preferences will be shared across a defined group of sites within your Sourcepoint account.

  Note: Selecting this option requires that your organization has configured authenticated consent on your properties.

From the vendor list builder, navigate to the Consent Scope field at the top of the page and use the dropdown menu to select a consent scope for the vendor list.

Click Save when finished.

Screen_Shot_2021-12-09_at_3.17.42_PM.png


Resolve IAB vendor updates

Occasionally, a vendor on the IAB's Global Vendor List (GVL) will update their declarations with the IAB after their initial registration (or will no longer be declared with the IAB entirely). If the vendor is already added to a vendor list in your Sourcepoint account when this update with the IAB occurs, you will need to confirm/update your vendor list to resolve the discrepancy and align with the new declarations.

In cases where a vendor's IAB declarations or affiliation with the IAB has changed, your vendor list will surface warnings for you to review. Click the Review button for each respective warning to review the vendors that have changed. 

Screen_Shot_2021-12-10_at_10.25.20_AM.png

The vendor list will be filtered to the changed/deleted vendor(s) and the changes will be highlighted in red.

Screen_Shot_2021-12-10_at_10.25.52_AM.png

Review the changes and click Save to confirm the update. You will be prompted to confirm your decision again. Click Confirm & Save

  Note: Vendor list updates that include adding new purposes or new purposes with consent as a legal basis will trigger re-consent campaigns.

Screen_Shot_2021-12-10_at_10.29.06_AM.png

In the case of multiple types of GVL updates to your vendor list, use the filter buttons to access the various GVL update lists to navigate between the updates. 

Screen_Shot_2021-12-10_at_10.33.35_AM.png


Special purposes

When vendors register with the IAB, they can declare special purposes for the collection of end-user data. There are two special purposes that vendors can declare with the IAB:

  1. Ensure security, prevent fraud, and debug
  2. Technically deliver ads or content

If a vendor on your vendor list has declared consent requirements for either of these special purposes then they will automatically appear in the privacy manager.

Screen_Shot_2021-09-13_at_2.01.14_PM.png


Manage custom purposes

A custom purpose on a GDPR TCF vendor list is a configurable purpose created by your organization and can be applied to vendors on your vendor list.

To add a custom purpose, click + Add Custom Purpose at the bottom of the vendor list builder.

Screen_Shot_2021-12-09_at_3.21.47_PM.png

Use the subsequent modal to input a Name and optional Description for the new custom purpose. Click Create purpose when finished.

Screen_Shot_2022-06-30_at_2.06.18_PM.png

  Note: The Google Consent Mode Category field should only be filled-in if your organization is implementing Google Consent Mode for your property. Click here for more information about Sourcepoint's integration with Google Consent Mode. 

The custom purpose will be added to end of the purpose column. Set the legal basis for the new custom purpose for each vendor in your vendor list.

Screen_Shot_2021-12-09_at_3.25.47_PM.png

To edit general settings, consent and reject actions, or to delete the custom purpose, click the name of the purpose.

Screen_Shot_2021-12-09_at_3.28.48_PM.png

Use the subsequent modal to edit or delete the custom purpose. 

Screen_Shot_2021-12-09_at_3.31.17_PM.png


Manage vendor purposes and restrictions

GDPR TCF introduced the ability for publishers to allow or set restrictions on how vendors may process end-user data. Your organization can manage restrictions on vendors by selecting the legal basis for a given purpose. This allows your organization to indicate your preferences that take precedence over a vendor’s preference, where applicable.

Your organization should review the purpose and legal basis settings for the vendors it works with in the vendor list. 

  Note: Your organization can establish its own legal basis for IAB purposes when processing user data, more information can be found here.

The vendor list displays all vendors your organization works with and their legal basis for each IAB and custom purpose. The legal basis can be:

Legal Basis Description
User Consent Confirming that the vendor can process end-user data for a specific purpose only if the end-user has provided explicit consent.
Legitimate Interest (for some vendors)

Allowing the vendor to process end-user data without collecting explicit consent for a specific purpose

  Note: The end-user can still reject the processing of their data.

Not Allowed Your organization is restricting a vendor from processing end-user data for a specific purpose.

When a new IAB vendor is added to the list, the vendor's preferred legal basis is set for each purpose.

In order to override or set the preferred legal basis for an individual vendor, click the legal basis field inline with the vendor underneath the purpose column.

vendorlist_1.jpeg

The TC string will be updated and the vendor will be informed whether they are permitted to process user data for this purpose. 


Advanced settings

The advanced settings modal for a GDPR TCF vendor list allow a user to configure settings that will applied to the entire vendor list. 

Click *Advanced settings*.

Screen_Shot_2021-12-09_at_3.33.03_PM.png

The following advanced settings can be edited for the GDPR TCF vendor list:

Advanced Setting Description
CMP publisher ID

Input your organization's own CMP ID (if available) to utilize your own stack descriptions or translations.

Auto add new vendors

Automatically adds newly discovered vendors on your properties to the Vendor List.

  Note: Only available for organizations with the vendor scanning and categorization feature.

Add all IAB vendors

Automatically adds all the vendors from the IAB Global Vendor List (GVL) and keeps them updated daily.

Default IAB vendor consent type

When an IAB vendor declares both consent and legitimate interest for a particular purpose, the vendor list will use what is selected in the provided field as the default value.

  Note: Note: If a default IAB Vendor Consent Type is configured on an individual purpose, that value will override this setting for that particular purpose.

Write 1st party cookies to root domain Ensures that consent data is written to the root domain of the property (./example.com). This is useful for properties that utilize subdomains so that the data is shared across all subdomains.
Write 1st party cookies from the server Used to set first-party cookies on the site's top-level domain. It requires a domain to be setup at the same top-level domain of your site and uses CNAME to point to a Sourcepoint provided domain.
Consent cookies expiration The length of time (in days) consent cookies are valid.
Use special treatment for purpose 1 in countries Certain countries in European Union may have different interpretations of GDPR legislation. If enabled, then Purpose 1 will not be populated in the first layer message or a privacy manager and will not be registered in the consent string.
Display special purposes, features, and disclosure only vendors in message Determines whether you will show any vendor special features and special purposes in the first layer message.
List IAB Purpose 1 and Custom Elements First in the Message


If enabled then any custom elements for Purpose 1 will be bumped to the top of the list of purposes in the first layer message.

 

Base vendor consent and reject actions on vendor grants

Vendor grants inform a publisher whether a vendor has been granted consent for all the purposes for which they are asking consent. Generally, this setting is used to manage custom vendors. When enabled, the Vendor List will fire consent and reject actions based on the vendor grant.

  Note: A vendor grant only returns a true value when an end-user consents to all purposes for which your organization is requesting. If an end-user consents to only some of the purposes, the vendor grant will return a false value.

Store euconsent-v2 1st party cookie

A legacy cookie that Sourcepoint continues to support for early adoptees of the platform.

Disclosed Vendors in TCString

The Disclosed Vendor segment of a TC String provides a list of vendors that have been disclosed to a user.

By default, this feature is deactivated for all clients. 

Use the subsequent modal to edit the advanced settings for the vendor list. Click Apply Changes when finished.

Screen_Shot_2021-12-09_at_3.34.28_PM.png

Manage publishers purposes

If your organization processes end-user data (i.e. acts like a vendor) for its own use then the end-user can be informed and asked to give consent. The Sourcepoint dashboard allows your organization to set your own legal basis for IAB purposes.

 Example

An organization that wants to set a frequency-capping first-party cookie should request end-user consent for Purpose 1 "Store and/or access information on a device" in jurisdictions where it is required.

More information from the IAB about Publisher Purposes can be found here.

From the advanced settings modal in your vendor list builder, click Manage Publisher Purposes.

Screen_Shot_2021-12-09_at_3.34.28_PM.png

In the subsequent modal, your organization can set the legal bases for IAB purposes. The options for legal bases are:

  • User Consent
  • Legitimate Interest
  • Not Applicable

Please consult with your Data Protection Officer or privacy legal team about the appropriate legal bases for each purpose.

Screen_Shot_2021-12-09_at_3.36.02_PM.png

 

 

Was this article helpful?
0 out of 0 found this helpful