Permission: Vendor list - GDPR

In this article, we will cover the following configurations specific to a GDPR TCF vendor list:

To start, click Vendor Management on the left-hand panel and select GDPR TCF from the subsequent menu. 

Select a vendor list from the subsequent page or click New to create a new GDPR TCF vendor list.


Apple data broker

The Apple data broker setting is an optional designation that your organization can apply to a vendor on your GDPR TCF vendor list that will impact an end-user's consent string and subsequent experience of your privacy manager. In this article, we will cover:

  Note: In order to utilize the Apple data broker feature, your organization must fulfill the following prerequisites:

  • Property is utilizing Sourcepoint's Unified SDK
  • iOS tracking message is enabled on account

A vendor who is designated as an Apple data broker by your organization is only impacted by the designation when an end-user selects Don't Allow Tracking (or some permutation of this user option) in Apple's App Tracking Transparency message.

If an end-user selects Don't Allow Tracking, the following will automatically occur for a vendor designated as an Apple data broker:

  • Consent string will not feature the vendor
  • Google additional consent string will not feature the vendor
  • Vendor grants will return a FALSE value for the vendor
  • End-user will be unable to enable vendor from the privacy manager
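
The four outcomes listed above can be modelled as follows. This is an added example, not Sourcepoint's SDK or API: the vendor objects, the `googleAtp` flag, the `attStatus` values and every function name are assumptions, and the vendor grant rule used is the one this article states under the advanced settings (a grant is true only when all requested purposes are consented).

```javascript
// Added example: hypothetical data shapes, not Sourcepoint's SDK or API.

// Constructed vendor list entries. `purposes` are the purposes your
// organization requests for the vendor. `googleAtp` marks a vendor carried in
// the Google additional consent string instead of the TC string (assumption).
const sampleVendors = [
  { id: 'v-ads', purposes: [1, 3, 4], appleDataBroker: true, googleAtp: false },
  { id: 'v-atp', purposes: [1, 7], appleDataBroker: true, googleAtp: true },
  { id: 'v-stats', purposes: [1, 8], appleDataBroker: false, googleAtp: false },
  { id: 'v-cdn', purposes: [1, 10], appleDataBroker: false, googleAtp: true },
];

// Vendor grant rule from this article: true only when the end-user consented
// to every purpose requested for the vendor.
function vendorGrant(vendor, consentedPurposes) {
  return vendor.purposes.every((p) => consentedPurposes.has(p));
}

// choices: { purposes: number[], vendors: string[] } as picked by the end-user.
// attStatus: 'authorized' or 'denied' (the "Don't Allow Tracking" answer).
function evaluateVendors(vendors, choices, attStatus) {
  const consentedPurposes = new Set(choices.purposes);
  const consentedVendors = new Set(choices.vendors);
  const out = { consentString: [], additionalConsent: [], grants: {}, locked: [] };

  for (const v of vendors) {
    const blocked = attStatus === 'denied' && v.appleDataBroker;
    if (blocked) {
      // Left out of both strings, grant forced to false, toggle locked
      // in the privacy manager.
      out.grants[v.id] = false;
      out.locked.push(v.id);
      continue;
    }
    out.grants[v.id] = vendorGrant(v, consentedPurposes);
    if (consentedVendors.has(v.id)) {
      (v.googleAtp ? out.additionalConsent : out.consentString).push(v.id);
    }
  }
  return out;
}

// An end-user who accepts everything but answered "Don't Allow Tracking".
const acceptAll = {
  purposes: [1, 3, 4, 7, 8, 10],
  vendors: sampleVendors.map((v) => v.id),
};
console.log(evaluateVendors(sampleVendors, acceptAll, 'denied'));
```

Vendors that are not designated as Apple data brokers are evaluated exactly as they would be without the App Tracking Transparency answer.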

To designate a vendor as an Apple data broker, click the name of a vendor on the vendor list.

Click the checkbox inline with Apple Data Broker and select Apply changes when finished.

Vendors designated as Apple data brokers will be marked in the vendor list builder.

Use the Filter By dropdown menu to narrow down the vendor list to just Apple data brokers.


Bulk edit vendor legal bases

The bulk edit feature enables your organization to efficiently edit the legal basis used for each respective purpose on your vendor list. Use this feature to set the same legal basis for every vendor included in the bulk action for each respective purpose. 

From your GDPR TCF vendor list, click the checkbox to the left of the vendor(s) name to select the vendor(s).

With the vendors selected, click the Bulk Actions field and select Bulk Edit from the dropdown menu. 

Use the subsequent dialog box to select the legal basis that will be used by the selected vendors for each purpose on your vendor list. Click Update when finished. 

  Note: If a selected vendor does not support the legal basis you select for the purpose, that vendor's legal basis will not change for that purpose. 


Custom vendor labels

Custom vendor labels allow you to add organization-specific labels to vendors on your vendor list, which will then surface in your property's privacy manager.

  Note: Please speak to your Sourcepoint account manager for more information on how to activate custom vendor labels for your account.

Select the name of a vendor from a GDPR TCF vendor list.

From the subsequent modal, click the check box to the left of Custom Vendor Label to add the label to the vendor. You can add a maximum of three custom vendor labels to your vendor list.

Click Apply changes when finished.

The description of the custom vendor label will be configured in the privacy manager builder for the property. 

Click Save to confirm all edits. 

With the custom vendor label(s) assigned to vendors on your GDPR TCF vendor list, navigate to the privacy manager builder for a property associated with that vendor list.

Select either the PrivacyManagerTCFv2 or PMTCFv2Inline component for your privacy manager. 

While focused on either the PrivacyManagerTCFv2 or PMTCFv2Inline component for your privacy manager, navigate to the Settings tab on the right-hand rail and expand the Vendor Content accordion. 

Locate the custom vendor label configuration for each of the custom vendor labels used. You can configure:

  • Custom vendor label description
  • Custom vendor label icon 
  • Translations for description and icons

Your custom vendor label description and icon will populate in your GDPR TCF privacy manager. 


Disclosure only purpose

  Note: Only custom purposes can be set as disclosure only. See: Manage custom purposes for more information. 

The disclosure only feature allows you to configure a custom purpose that does not have a consent toggle (opt-in/opt-out). To enable the feature for a custom purpose, click the custom purpose name from your vendor list.

From the subsequent dialog box, check the box next to Disclosure only and click Apply changes when finished. 

When enabled for the custom purpose, vendors can either be configured as Disclosure only or Not Applicable for the custom purpose. 

The vendor(s) will appear in your privacy manager under the disclosure only custom purpose which will not have an opt-in/opt-out toggle.


IAB purposes

Purposes, created by the IAB, explain how a publisher, website, or other site is using the personal data collected from the user.

GDPR TCF was designed by the IAB to give the user more control over how their data is being used and how they can grant consent. To give users greater transparency into how sites process their data, the IAB has defined 10 purposes. These outline all the ways consumer data can be collected by a site in line with the IAB framework.

ID, purpose name, and description:

1 Store and/or access information on a device

Vendors can store and access information on the device such as cookies and device identifiers presented to an end-user.

2 Select basic ads

To select basic ads vendors can:

  • Use real-time information about the context in which the ad will be shown, to show the ad, including information about the content and the device, such as: device type and capabilities, user agent, URL, and IP address.
  • Use a user’s non-precise geolocation data.
  • Control the frequency of ads shown to a user.
  • Sequence the order in which ads are shown to a user.
  • Prevent an ad from serving in an unsuitable editorial (brand-unsafe) context.

Vendors cannot:

  • Create a personalized ads profile using this information for the selection of future ads without a separate legal basis to create a personalized ads profile.

N.B. Non-precise means only an approximate location involving at least a radius of 500 meters is permitted.

3 Create a personalized ads profile

To create a personalized ads profile vendors can:

  • Collect information about a user, including a user's activity, interests, visits to sites or apps, demographic information, or location, to create, or edit a user profile for use in personalized advertising.
  • Combine this information with other information previously collected, including from across websites and apps, to create, or edit a user profile for use in personalized advertising.

4 Select personalized ads

To select personalized ads vendors can:

  • Select personalized ads based on a user profile or other historical user data, including a user’s prior activity, interests, visits to sites, or apps, location, or demographic information.

5 Create a personalized content profile

To create a personalized content profile vendors can:

  • Collect information about a user, including a user's activity, interests, visits to sites or apps, demographic information, or location, to create, or edit a user profile for personalizing content.
  • Combine this information with other information previously collected, including from across websites and apps, to create or edit a user profile for use in personalizing content.

6 Select personalized content

To select personalized content vendors can:

  • Select personalized content based on a user profile or other historical user data, including a user’s prior activity, interests, visits to sites or apps, location, or demographic information.

7 Measure ad performance

To measure ad performance vendors can:

  • Measure whether and how ads were delivered to and interacted with by a user.
  • Provide reporting about ads including their effectiveness and performance.
  • Provide reporting about users who interacted with ads using data observed during the course of the user's interaction with that ad.
  • Provide reporting to publishers about the ads displayed on their property.
  • Measure whether an ad is serving in a suitable editorial environment (brand-safe) context.
  • Determine the percentage of the ad that had the opportunity to be seen and the duration of that opportunity.
  • Combine this information with other information previously collected, including from across websites and apps.

Vendors cannot:

  • Apply panel- or similarly-derived audience insights data to ad measurement data without a separate legal basis to apply market research to generate audience insights.

8 Measure content performance

To measure content performance vendors can:

  • Measure and report on how content was delivered to and interacted with by users.
  • Provide reporting, using directly measurable or known information, about users who interacted with the content.
  • Combine this information with other information previously collected, including from across websites and apps.

Vendors cannot:

  • Measure whether and how ads (including native ads) were delivered to and interacted with by a user without a separate legal basis.
  • Apply panel- or similarly derived audience insights data to ad measurement data without a separate legal basis to apply market research to generate audience insights.

9 Apply market research to generate audience insights

To apply market research to generate audience insights vendors can:

  • Provide aggregate reporting to advertisers or their representatives about the audiences reached by their ads, through panel-based and similarly derived insights.
  • Provide aggregate reporting to publishers about the audiences that were served or interacted with content and/or ads on their property by applying panel-based and similarly derived insights.
  • Associate offline data with an online user for the purposes of market research to generate audience insights if vendors have declared to match and combine offline data sources.
  • Combine this information with other information previously collected, including from across websites and apps.

Vendors cannot:

  • Measure the performance and effectiveness of ads that a specific user was served or interacted with, without a separate legal basis to measure ad performance.
  • Measure which content a specific user was served and how they interacted with it, without a separate legal basis to measure content performance.

10 Develop and improve products

To develop new products and improve products vendors can:

  • Use information to improve their existing products with new features and to develop new products.
  • Create new models and algorithms through machine learning.

Vendors cannot:

  • Conduct any other data processing operation allowed under a different purpose under this purpose.

IAB stacks

IAB stacks allow your organization to group the 10 IAB purposes and 2 IAB special features into pre-determined groupings. When configured for your GDPR TCF vendor list, these stacks can be surfaced in lieu of each purpose listed individually in privacy managers for associated properties. Like a folder system for IAB purposes and special features, the individual purposes can be navigated to by the end-user by clicking the stack in the privacy manager.

From a GDPR TCF vendor list builder, click Manage Stacks.

From the IAB stacks tab of the subsequent modal, add pre-configured IAB stacks by clicking the + symbol next to the stack under IAB stacks that can be added to your list.

Selected stacks will be moved under the IAB stacks in your list header.

  Note: IAB stacks include multiple permutations of IAB purpose groupings. However, a single IAB purpose in your GDPR TCF vendor list can only be in one IAB stack at a time. As you add IAB stacks to your vendor list, other IAB stacks will be un-addable due to these colliding purposes (i.e. one or more purposes in your added IAB stack also exist in another IAB stack).

Click Apply Changes when finished.

IAB purposes included in IAB stacks will be grouped together in the vendor list builder under the IAB stack name. Any purposes not included in an IAB stack will be listed separately.

Click Save to apply the changes.


Consent scope

The Consent Scope field for a vendor list determines how an end-user's consent preferences are shared across different properties within and outside your organization.

When an end-user selects their consent preferences on your property, the privacy manager will utilize the consent scope for the associated vendor list to share or not share the preferences. The following Consent Scopes can be selected for a GDPR TCF Vendor List:

  • Single Site: An end-user's consent preferences will only be set for the property where the end-user provided their consent.
  • Shared Site: An end-user's consent preferences will be shared across a defined group of sites within your Sourcepoint account.

  Note: Selecting the Shared Site option requires that your organization has configured authenticated consent on your properties.

From the vendor list builder, navigate to the Consent Scope field at the top of the page and use the dropdown menu to select a consent scope for the vendor list.

Click Save when finished.


Resolve IAB vendor updates

Occasionally, a vendor on the IAB's Global Vendor List (GVL) will update their declarations with the IAB after their initial registration (or will no longer be declared with the IAB entirely). If the vendor is already added to a vendor list in your Sourcepoint account when this update with the IAB occurs, you will need to confirm/update your vendor list to resolve the discrepancy and align with the new declarations.

In cases where a vendor's IAB declarations or affiliation with the IAB has changed, your vendor list will surface warnings for you to review. Click the Review button for each respective warning to review the vendors that have changed. 

The vendor list will be filtered to the changed/deleted vendor(s) and the changes will be highlighted in red.

Review the changes and click Save to confirm the update. You will be prompted to confirm your decision again. Click Confirm & Save.

  Note: Vendor list updates that include adding new purposes or new purposes with consent as a legal basis will trigger re-consent campaigns.

In the case of multiple types of GVL updates to your vendor list, use the filter buttons to access the various GVL update lists to navigate between the updates. 


Special purposes

When vendors register with the IAB, they can declare special purposes for the collection of end-user data. There are two special purposes that vendors can declare with the IAB:

  1. Ensure security, prevent fraud, and debug
  2. Technically deliver ads or content

If a vendor on your vendor list has declared consent requirements for either of these special purposes then they will automatically appear in the privacy manager.


Manage custom purposes

A custom purpose on a GDPR TCF vendor list is a configurable purpose created by your organization and can be applied to vendors on your vendor list.

To add a custom purpose, click + Add Custom Purpose at the bottom of the vendor list builder.

Use the subsequent modal to input a Name and optional Description for the new custom purpose. Click Create purpose when finished.

  Note: The Google Consent Mode Category field should only be filled in if your organization is implementing Google Consent Mode for your property. Click here for more information about Sourcepoint's integration with Google Consent Mode.

The custom purpose will be added to the end of the purpose column. Set the legal basis for the new custom purpose for each vendor in your vendor list.

To edit general settings, consent and reject actions, or to delete the custom purpose, click the name of the purpose.

Use the subsequent modal to edit or delete the custom purpose. 


Manage vendor purposes and restrictions

GDPR TCF introduced the ability for publishers to allow or set restrictions on how vendors may process end-user data. Your organization can manage restrictions on vendors by selecting the legal basis for a given purpose. This allows your organization to indicate your preferences that take precedence over a vendor’s preference, where applicable.

Your organization should review the purpose and legal basis settings for the vendors it works with in the vendor list. 

  Note: Your organization can establish its own legal basis for IAB purposes when processing user data; more information can be found here.

The vendor list displays all vendors your organization works with and their legal basis for each IAB and custom purpose. The legal basis can be:

  • User Consent: Confirming that the vendor can process end-user data for a specific purpose only if the end-user has provided explicit consent.
  • Legitimate Interest (for some vendors): Allowing the vendor to process end-user data without collecting explicit consent for a specific purpose.
    Note: The end-user can still reject the processing of their data.
  • Not Allowed: Your organization is restricting a vendor from processing end-user data for a specific purpose.

When a new IAB vendor is added to the list, the vendor's preferred legal basis is set for each purpose.

In order to override or set the preferred legal basis for an individual vendor, click the legal basis field inline with the vendor underneath the purpose column.

The TC string will be updated and the vendor will be informed whether they are permitted to process user data for this purpose. 
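
The legal basis rules described in this section, together with the bulk edit note and the Default IAB vendor consent type setting described elsewhere in this article, can be sketched as below. This is an added example that goes slightly beyond this section by combining those three rules; it is not Sourcepoint's code, and the vendor declarations, settings object and function names are constructed assumptions, as is treating Not Allowed as always applicable.

```javascript
// Added example: hypothetical model, not Sourcepoint's implementation.
const CONSENT = 'User Consent';
const LI = 'Legitimate Interest';
const NOT_ALLOWED = 'Not Allowed';

// Constructed declarations: vendor -> purpose ID -> legal bases it supports.
const sampleDeclarations = {
  'vendor-a': { 2: [CONSENT, LI], 7: [LI], 10: [CONSENT] },
  'vendor-b': { 2: [CONSENT], 7: [CONSENT, LI] },
};

// Constructed settings: list-wide default plus a per-purpose default that
// overrides it for that purpose.
const sampleSettings = { listDefault: CONSENT, perPurposeDefault: { 7: LI } };

// Legal basis a vendor gets when first added to the list. When the vendor
// declares both bases, the configured default decides.
function initialBasis(supported, purposeId, settings) {
  if (supported.length === 1) return supported[0];
  return settings.perPurposeDefault[purposeId] || settings.listDefault;
}

function buildVendorList(declarations, settings) {
  const list = {};
  for (const [vendorId, purposes] of Object.entries(declarations)) {
    list[vendorId] = {};
    for (const [purposeId, supported] of Object.entries(purposes)) {
      list[vendorId][purposeId] = initialBasis(supported, purposeId, settings);
    }
  }
  return list;
}

// Bulk edit: apply one legal basis per purpose to every selected vendor.
// A vendor that does not support the chosen basis for a purpose keeps its
// current value. Assumption: Not Allowed is a publisher restriction and is
// applicable to any purpose the vendor declares.
function bulkEdit(list, declarations, vendorIds, edits) {
  const updated = JSON.parse(JSON.stringify(list)); // leave the input untouched
  const skipped = [];
  for (const vendorId of vendorIds) {
    for (const [purposeId, basis] of Object.entries(edits)) {
      const supported = (declarations[vendorId] || {})[purposeId];
      const applicable =
        Boolean(supported) && (basis === NOT_ALLOWED || supported.includes(basis));
      if (!applicable) {
        skipped.push(`${vendorId}:${purposeId}`);
        continue;
      }
      updated[vendorId][purposeId] = basis;
    }
  }
  return { list: updated, skipped };
}

const initial = buildVendorList(sampleDeclarations, sampleSettings);
const edited = bulkEdit(initial, sampleDeclarations, ['vendor-a', 'vendor-b'], {
  2: LI,
  7: NOT_ALLOWED,
  10: LI,
});
console.log(initial, edited.list, edited.skipped);
```

The `skipped` entries are the vendor and purpose pairs a reviewer should check after a bulk action, since those vendors silently keep their previous legal basis.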


Vendor URL mapping

Vendor URL mapping is intended to be used by publishing systems with Sourcepoint's vendor URL mapping API to help determine if a vendor URL has been defined appropriately in the Sourcepoint system. This API can help developers that are integrating with Content Management Systems (CMS) verify that a URL referenced in content can be related to vendor and purpose consent preferences which can be queried and set based on user actions.

The vendor URL mapping API will return the vendors that have URL mappings which match the vendorUrls passed in the request. These mappings must be configured within the Sourcepoint portal before this API can be used.

Configure the URL mappings for vendors by selecting a vendor from the list.

Click URL Mappings in the modal and select Add Pattern.

Use the provided fields to configure conditions of the pattern. Your organization can create patterns with multiple condition statements. Additionally, you can configure multiple patterns for the vendor.

Click Apply changes when finished.

Repeat as necessary for other vendors.

  Note: Do not create patterns that can be matched to multiple vendors as this will cause errors.

Click Save in vendor list builder to confirm all changes.


Advanced settings

The advanced settings modal for a GDPR TCF vendor list allows a user to configure settings that will be applied to the entire vendor list.

Click Advanced settings.

The following advanced settings can be edited for the GDPR TCF vendor list:

Advanced Setting Description
CMP publisher ID

Input your organization's own CMP ID (if available) to utilize your own stack descriptions or translations.

Add all IAB vendors

Automatically adds all the vendors from the IAB Global Vendor List (GVL) and keeps them updated daily.

Default IAB vendor consent type

When an IAB vendor declares both consent and legitimate interest for a particular purpose, the vendor list will use what is selected in the provided field as the default value.

  Note: If a default IAB Vendor Consent Type is configured on an individual purpose, that value will override this setting for that particular purpose.

Write 1st party cookies to root domain

When enabled, consent selections will be stored/persist across the site’s root domain (e.g. test.com) and its respective subdomains (e.g. finance.test.com).

This will ensure that users do not see the same consent message when moving from root to subdomain or vice versa. 

Write 1st party cookies from the server

When enabled, the 1st-party cookie will be set by the server by passing a cookie from the server back to your site instead of using the on-site code to set the cookie.

This setting should be enabled if your organization has set up a CNAME subdomain.

Consent cookies expiration

The length of time (in days) consent cookies are valid.

Use special treatment for purpose 1 in countries

Certain countries in the European Union may have different interpretations of GDPR legislation. If enabled, then Purpose 1 will not be populated in the first layer message or a privacy manager and will not be registered in the consent string.

Display special purposes, features, and disclosure only vendors in message

Determines whether you will show any vendor special features and special purposes in the first layer message.

List IAB Purpose 1 and Custom Elements First in the Message

If enabled, then any custom elements for Purpose 1 will be bumped to the top of the list of purposes in the first layer message.

Base vendor consent and reject actions on vendor grants

Vendor grants inform a publisher whether a vendor has been granted consent for all the purposes for which they are asking consent. Generally, this setting is used to manage custom vendors. When enabled, the Vendor List will fire consent and reject actions based on the vendor grant.

  Note: A vendor grant only returns a true value when an end-user consents to all purposes for which your organization is requesting. If an end-user consents to only some of the purposes, the vendor grant will return a false value.

Store euconsent-v2 1st party cookie

A legacy cookie that Sourcepoint continues to support for early adopters of the platform.

Disclosed Vendors in TCString

The Disclosed Vendor segment of a TC String provides a list of vendors that have been disclosed to a user.

By default, this feature is deactivated for all clients. 

Do not store UUIDs server side

Only available for Android apps. When enabled, end-user consent will not be stored on the server.

  Note: Enabling this option will remove all user-related metrics from Sourcepoint reporting for Android apps. You will only be able to report on page view data for Android apps.

Do not use unique user identifiers for reporting purposes

In order to report on unique users, we send a unique identifier for each user to our reporting pipeline in order to attribute page views and actions that have been made by the same user.

Depending on the jurisdiction you are in, the DPA cookie guidance on this use case may vary and therefore you have the option to restrict this use case if you wish. 

  Note: Enabling this setting will mean that any reporting metrics that relate to unique users will show the exact same numbers as page views.

Use the subsequent modal to edit the advanced settings for the vendor list. Click Apply Changes when finished.

Manage publishers purposes

If your organization processes end-user data (i.e. acts like a vendor) for its own use then the end-user can be informed and asked to give consent. The Sourcepoint dashboard allows your organization to set your own legal basis for IAB purposes.

 Example

An organization that wants to set a frequency-capping first-party cookie should request end-user consent for Purpose 1 "Store and/or access information on a device" in jurisdictions where it is required.

More information from the IAB about Publisher Purposes can be found here.

From the advanced settings modal in your vendor list builder, click Manage Publisher Purposes.

In the subsequent modal, your organization can set the legal bases for IAB purposes. The options for legal bases are:

  • User Consent
  • Legitimate Interest
  • Not Applicable

Please consult with your Data Protection Officer or privacy legal team about the appropriate legal bases for each purpose.
