Permission: Vendor list - GDPR
In this article, we will cover the following configurations specific to a GDPR TCF vendor list:
- Apple data broker
- Bulk edit vendor legal bases
- Custom vendor labels
- Disclosure only purpose
- IAB purposes
- IAB stacks
- Consent scope
- Resolve IAB vendor updates
- Special purposes
- Manage custom purposes
- Manage vendor purposes and restrictions
- Vendor URL mapping
- Advanced settings
To start, click Vendor Management on the left-hand panel and select GDPR TCF from the subsequent menu.
Select a vendor list from the subsequent page or click New to create a new GDPR TCF vendor list.
Apple data broker
The Apple data broker setting is an optional designation that your organization can apply to a vendor on your GDPR TCF vendor list that will impact an end-user's consent string and subsequent experience of your privacy manager. In this article, we will cover:
Note: In order to utilize the Apple data broker feature, your organization must fulfill the following pre-requisites:
• Property is utilizing Sourcepoint's Unified SDK
• iOS tracking message is enabled on account
A vendor who is designated as an Apple data broker by your organization is only impacted by the designation when an end-user selects Don't Allow Tracking (or some permutation of this user option) in Apple's App Tracking Transparency message.
If an end-user selects Don't Allow Tracking, the following will automatically occur for a vendor designated as an Apple data broker:
- Consent string will not feature the vendor
- Google additional consent string will not feature the vendor
- Vendor grants will return a FALSE value for the vendor
- End-user will be unable to enable vendor from the privacy manager
To designate a vendor as an Apple data broker, click the name of a vendor on the vendor list.
Click the checkbox inline with Apple Data Broker and select Apply changes when finished.
Vendors designated as Apple data brokers will be marked in the vendor list builder.
Use the Filter By dropdown menu to narrow down the vendor list to just Apple data brokers.
Bulk edit vendor legal bases
The bulk edit feature enables your organization to efficiently edit the legal basis used for each respective purpose on your vendor list. Use this feature to set the same legal basis for every vendor included in the bulk action for each respective purpose.
From your GDPR TCF vendor list, click the checkbox to the left of the vendor(s) name to select the vendor(s).
With the vendors selected, click the Bulk Actions field and select Bulk Edit from the dropdown menu.
Use the subsequent dialog box to select the legal basis that will be used by the selected vendors for each purpose on your vendor list. Click Update when finished.
Note: If a selected vendor does not support the legal basis you select for the purpose, that vendor's legal basis will not change for that purpose.
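The rule in the note above, as an added Python example (not Sourcepoint code): a bulk edit applies the chosen legal basis per purpose and leaves any vendor that does not support it unchanged, returning those cases for review. The vendor names, the supported-basis data and the treatment of Not Allowed as always applicable are assumptions made for the example.

```python
CONSENT, LEGINT, NOT_ALLOWED = "User Consent", "Legitimate Interest", "Not Allowed"

# Constructed sample data (hypothetical vendors).
# SUPPORTED: legal bases each vendor supports, per purpose id.
# CURRENT: the legal basis the vendor list holds now.
SUPPORTED = {
    "Vendor A": {1: {CONSENT}, 2: {CONSENT, LEGINT}, 7: {CONSENT, LEGINT}},
    "Vendor B": {1: {CONSENT}, 2: {CONSENT}, 7: {LEGINT}},
}
CURRENT = {
    "Vendor A": {1: CONSENT, 2: LEGINT, 7: LEGINT},
    "Vendor B": {1: CONSENT, 2: CONSENT, 7: LEGINT},
}


def bulk_edit(current, supported, selected, choices):
    """Set one legal basis per purpose for every selected vendor.

    Returns (updated, unchanged): the new vendor list, and the
    (vendor, purpose, requested basis) triples that kept their old value
    because the vendor does not support the requested basis.
    """
    updated = {vendor: dict(row) for vendor, row in current.items()}
    unchanged = []
    for vendor in selected:
        for purpose, basis in choices.items():
            if purpose not in updated[vendor]:
                continue  # purpose is not on this vendor's row
            # Assumption: "Not Allowed" is a publisher-side restriction and
            # does not depend on what the vendor supports.
            allowed = supported[vendor].get(purpose, set())
            if basis == NOT_ALLOWED or basis in allowed:
                updated[vendor][purpose] = basis
            else:
                unchanged.append((vendor, purpose, basis))
    return updated, unchanged


if __name__ == "__main__":
    new_list, kept = bulk_edit(
        CURRENT, SUPPORTED, ["Vendor A", "Vendor B"], {2: CONSENT, 7: CONSENT}
    )
    for vendor, purpose, basis in kept:
        print(f"{vendor}: purpose {purpose} kept "
              f"{new_list[vendor][purpose]!r} ({basis!r} not supported)")
```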
Custom vendor labels
Custom vendor labels allow you to add organization-specific labels to vendors on your vendor list, which will then surface in your property's privacy manager.
Note: Please speak to your Sourcepoint account manager for more information on how to activate custom vendor labels for your account.
Select the name of a vendor from a GDPR TCF vendor list.
From the subsequent modal, click the check box to the left of Custom Vendor Label to add the label to the vendor. You can add a maximum of three custom vendor labels to your vendor list.
Click Apply changes when finished.
The description of the custom vendor label will be configured in the privacy manager builder for the property.
Click Save to confirm all edits.
With the custom vendor label(s) assigned to vendors on your GDPR TCF vendor list, navigate to the privacy manager builder for a property associated with that vendor list.
Select either the PrivacyManagerTCFv2 or PMTCFv2Inline component for your privacy manager.
While focused on either the PrivacyManagerTCFv2 or PMTCFv2Inline component for your privacy manager, navigate to the Settings tab on the right-hand rail and expand the Vendor Content accordion.
Locate the custom vendor label configuration for each of the custom vendor labels used. You can configure:
- Custom vendor label description
- Custom vendor label icon
- Translations for description and icons
Your custom vendor label description and icon will populate in your GDPR TCF privacy manager.
Disclosure only purpose
Note: Only custom purposes can be set as disclosure only. See: Manage custom purposes for more information.
The disclosure only feature allows you to configure a custom purpose that does not have a consent toggle (opt-in/opt-out). To enable the feature for a custom purpose, click the custom purpose name from your vendor list.
From the subsequent dialog box, check the box next to Disclosure only and click Apply changes when finished.
When enabled for the custom purpose, vendors can either be configured as Disclosure only or Not Applicable for the custom purpose.
The vendor(s) will appear in your privacy manager under the disclosure only custom purpose which will not have an opt-in/opt-out toggle.
IAB purposes
Purposes, created by the IAB, explain how a publisher, website, or other site is using the personal data collected from the user.
GDPR TCF was designed by the IAB to give the user more control over how their data is being used and how they can grant consent. To give greater transparency over how user data is processed by sites, the IAB defines 10 purposes. These outline all the ways consumer data can be collected by a site in line with the IAB framework.
|1||Store and/or access information on a device||Vendors can store and access information on the device such as cookies and device identifiers presented to an end-user.|
|2||Select basic ads||To select basic ads vendors can:
N.B. Non-precise means only an approximate location involving at least a radius of 500 meters is permitted.|
|3||Create a personalized ads profile||To create a personalized ads profile vendors can:|
|4||Select personalized ads||To select personalized ads vendors can:|
|5||Create a personalized content profile||To create a personalized content profile vendors can:
- Collect information about a user, including a user's activity, interests, visits to sites or apps, demographic information, or location, to create, or edit a user profile for personalizing content.
- Combine this information with other information previously collected, including from across websites and apps, to create or edit a user profile for use in personalizing content.|
|6||Select personalized content||To select personalized content vendors can:|
|7||Measure ad performance||To measure ad performance vendors can:|
|8||Measure content performance||To measure content performance vendors can:|
|9||Apply market research to generate audience insights||To apply market research to generate audience insights vendors can:|
|10||Develop and improve products||To develop new products and improve products vendors can:|
IAB stacks
IAB stacks allow your organization to group the 10 IAB purposes and 2 IAB special features into pre-determined groupings. When configured for your GDPR TCF vendor list, these stacks can be surfaced in lieu of each purpose listed individually in privacy managers for associated properties. Like a folder system for IAB purposes and special features, the individual purposes can be navigated to by the end-user by clicking the stack in the privacy manager.
From a GDPR TCF vendor list builder, click Manage Stacks.
From the IAB stacks tab of the subsequent modal, add pre-configured IAB stacks by clicking the + symbol next to the stack under IAB stacks that can be added to your list.
Selected stacks will be moved under the IAB stacks in your list header.
Note: IAB stacks include multiple permutations of IAB purpose groupings. However, a single IAB purpose in your GDPR TCF vendor list can only be in one IAB stack at a time. As you add IAB stacks to your vendor list, other IAB stacks will be un-addable due to these colliding purposes (i.e. one or more purposes in your added IAB stack also exists in another IAB stack).
Click Apply Changes when finished.
IAB purposes included in IAB stacks will be grouped together in the vendor list builder under the IAB stack name. Any purposes not included in an IAB stack will be listed separately.
Click Save to apply the changes.
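The one-stack-per-purpose rule from the note above can be worked out before opening the Manage Stacks modal. This Python example is added here and is not Sourcepoint or IAB code; the stack names and groupings are constructed for illustration and are not the IAB's published stack definitions. It reports which stacks a selection blocks and, going one step beyond the text, searches for the non-colliding combination that covers the most purposes.

```python
from itertools import combinations

# Constructed catalogue (hypothetical names and groupings, not the IAB's
# published stack definitions): stack name -> IAB purposes it groups.
STACKS = {
    "stack_a": {2, 7},
    "stack_b": {2, 3, 4},
    "stack_c": {3, 4},
    "stack_d": {5, 6},
    "stack_e": {7, 8, 9, 10},
    "stack_f": {8, 9, 10},
}


def addable(selected, stacks=STACKS):
    """Split the stacks not yet on the list into addable and blocked.

    Returns (addable_names, blocked), where blocked maps a stack name to
    the purposes it shares with stacks already on the vendor list.
    """
    taken = set().union(*(stacks[name] for name in selected))
    ok, blocked = [], {}
    for name, purposes in stacks.items():
        if name in selected:
            continue
        clash = purposes & taken
        if clash:
            blocked[name] = sorted(clash)
        else:
            ok.append(name)
    return ok, blocked


def best_combination(stacks=STACKS):
    """Brute-force the non-colliding set of stacks covering most purposes.

    Ties go to the combination found first, i.e. the one with fewer stacks.
    """
    best, best_cover = (), set()
    names = sorted(stacks)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            groups = [stacks[name] for name in combo]
            cover = set().union(*groups)
            if sum(len(g) for g in groups) != len(cover):
                continue  # a purpose appears in two stacks: collision
            if len(cover) > len(best_cover):
                best, best_cover = combo, cover
    return list(best), sorted(best_cover)


if __name__ == "__main__":
    print(addable(["stack_a"]))
    print(best_combination())
```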
Consent scope
The Consent Scope field for a vendor list determines how an end-user's consent preferences are shared across different properties within and outside your organization.
When an end-user selects their consent preferences on your property, the privacy manager will utilize the consent scope for the associated vendor list to share or not share the preferences. The following Consent Scopes can be selected for a GDPR TCF Vendor List:
|Single Site||An end-user's consent preferences will only be set for the property where the end-user provided their consent.|
An end-user's consent preferences will be shared across a defined group of sites within your Sourcepoint account.
Note: Selecting this option requires that your organization has configured authenticated consent on your properties.
From the vendor list builder, navigate to the Consent Scope field at the top of the page and use the dropdown menu to select a consent scope for the vendor list.
Click Save when finished.
Resolve IAB vendor updates
Occasionally, a vendor on the IAB's Global Vendor List (GVL) will update their declarations with the IAB after their initial registration (or will no longer be declared with the IAB entirely). If the vendor is already added to a vendor list in your Sourcepoint account when this update with the IAB occurs, you will need to confirm/update your vendor list to resolve the discrepancy and align with the new declarations.
In cases where a vendor's IAB declarations or affiliation with the IAB has changed, your vendor list will surface warnings for you to review. Click the Review button for each respective warning to review the vendors that have changed.
The vendor list will be filtered to the changed/deleted vendor(s) and the changes will be highlighted in red.
Review the changes and click Save to confirm the update. You will be prompted to confirm your decision again. Click Confirm & Save.
Note: Vendor list updates that include adding new purposes or new purposes with consent as a legal basis will trigger re-consent campaigns.
In the case of multiple types of GVL updates to your vendor list, use the filter buttons to access the various GVL update lists to navigate between the updates.
Special purposes
When vendors register with the IAB, they can declare special purposes for the collection of end-user data. There are two special purposes that vendors can declare with the IAB:
- Ensure security, prevent fraud, and debug
- Technically deliver ads or content
If a vendor on your vendor list has declared consent requirements for either of these special purposes, then they will automatically appear in the privacy manager.
Manage custom purposes
A custom purpose on a GDPR TCF vendor list is a configurable purpose created by your organization and can be applied to vendors on your vendor list.
To add a custom purpose, click + Add Custom Purpose at the bottom of the vendor list builder.
Use the subsequent modal to input a Name and optional Description for the new custom purpose. Click Create purpose when finished.
Note: The Google Consent Mode Category field should only be filled-in if your organization is implementing Google Consent Mode for your property. Click here for more information about Sourcepoint's integration with Google Consent Mode.
The custom purpose will be added to the end of the purpose column. Set the legal basis for the new custom purpose for each vendor in your vendor list.
To edit general settings, consent and reject actions, or to delete the custom purpose, click the name of the purpose.
Use the subsequent modal to edit or delete the custom purpose.
Manage vendor purposes and restrictions
GDPR TCF introduced the ability for publishers to allow or set restrictions on how vendors may process end-user data. Your organization can manage restrictions on vendors by selecting the legal basis for a given purpose. This allows your organization to indicate your preferences that take precedence over a vendor’s preference, where applicable.
Your organization should review the purpose and legal basis settings for the vendors it works with in the vendor list.
Note: Your organization can establish its own legal basis for IAB purposes when processing user data. More information can be found here.
The vendor list displays all vendors your organization works with and their legal basis for each IAB and custom purpose. The legal basis can be:
|User Consent||Confirming that the vendor can process end-user data for a specific purpose only if the end-user has provided explicit consent.|
|Legitimate Interest (for some vendors)||Allowing the vendor to process end-user data without collecting explicit consent for a specific purpose.
Note: The end-user can still reject the processing of their data.|
|Not Allowed||Your organization is restricting a vendor from processing end-user data for a specific purpose.|
When a new IAB vendor is added to the list, the vendor's preferred legal basis is set for each purpose.
In order to override or set the preferred legal basis for an individual vendor, click the legal basis field inline with the vendor underneath the purpose column.
The TC string will be updated and the vendor will be informed whether they are permitted to process user data for this purpose.
Vendor URL mapping
Vendor URL mapping is intended to be used by publishing systems with Sourcepoint's vendor URL mapping API to help determine if a vendor URL has been defined appropriately in the Sourcepoint system. This API can help developers that are integrating with Content Management Systems (CMS) verify that a URL referenced in content can be related to vendor and purpose consent preferences which can be queried and set based on user actions.
The vendor URL mapping API will return the vendors that have URL mappings which match the vendorUrls passed in the request. These mappings must be configured within the Sourcepoint portal before this API can be used.
Configure the URL mappings for vendors by selecting a vendor from the list.
Click URL Mappings in the modal and select Add Pattern.
Use the provided fields to configure conditions of the pattern. Your organization can create patterns with multiple condition statements. Additionally, you can configure multiple patterns for the vendor.
Click Apply changes when finished.
Repeat as necessary for other vendors.
Note: Do not create patterns that can be matched to multiple vendors as this will cause errors.
Click Save in vendor list builder to confirm all changes.
Advanced settings
The advanced settings modal for a GDPR TCF vendor list allows a user to configure settings that will be applied to the entire vendor list.
Click Advanced settings.
The following advanced settings can be edited for the GDPR TCF vendor list:
|CMP publisher ID||Input your organization's own CMP ID (if available) to utilize your own stack descriptions or translations.|
|Add all IAB vendors||Automatically adds all the vendors from the IAB Global Vendor List (GVL) and keeps them updated daily.|
|Default IAB vendor consent type||When an IAB vendor declares both consent and legitimate interest for a particular purpose, the vendor list will use what is selected in the provided field as the default value.
Note: If a default IAB Vendor Consent Type is configured on an individual purpose, that value will override this setting for that particular purpose.|
|Write 1st party cookies to root domain||When enabled, consent selections will be stored/persist across the site’s root domain (e.g. test.com) and its respective subdomains (e.g. finance.test.com).
This will ensure that users do not see the same consent message when moving from root to subdomain or vice versa.|
|Write 1st party cookies from the server||When enabled, the 1st-party cookie will be set by the server by passing a cookie from the server back to your site instead of using the on-site code to set the cookie.
This setting should be enabled if your organization has set up a CNAME subdomain.|
|Consent cookies expiration||The length of time (in days) consent cookies are valid.|
|Use special treatment for purpose 1 in countries||Certain countries in the European Union may have different interpretations of GDPR legislation. If enabled, then Purpose 1 will not be populated in the first layer message or a privacy manager and will not be registered in the consent string.|
|Display special purposes, features, and disclosure only vendors in message||Determines whether you will show any vendor special features and special purposes in the first layer message.|
|List IAB Purpose 1 and Custom Elements First in the Message||
|Base vendor consent and reject actions on vendor grants||Vendor grants inform a publisher whether a vendor has been granted consent for all the purposes for which they are asking consent. Generally, this setting is used to manage custom vendors. When enabled, the Vendor List will fire consent and reject actions based on the vendor grant.
Note: A vendor grant only returns a
|Store euconsent-v2 1st party cookie||A legacy cookie that Sourcepoint continues to support for early adopters of the platform.|
|Disclosed Vendors in TCString||The Disclosed Vendor segment of a TC String provides a list of vendors that have been disclosed to a user.
By default, this feature is deactivated for all clients.|
|Do not store UUIDs server side||Only available for Android apps. When enabled, end-user consent will not be stored in the server.
Note: Enabling this option will remove all user related metrics from Sourcepoint reporting for Android apps. You will only be able to report on page view data for Android apps.|
|Do not use unique user identifiers for reporting purposes||In order to report on unique users, we send a unique identifier for each user to our reporting pipeline in order to attribute page views and actions that have been made by the same user.
Depending on the jurisdiction you are in, the DPA cookie guidance on this use case may vary and therefore you have the option to restrict this use case if you wish.
Note: Enabling this setting will mean that any reporting metrics that relate to unique users will show the exact same numbers as page views.|
Use the subsequent modal to edit the advanced settings for the vendor list. Click Apply Changes when finished.
Manage publishers purposes
If your organization processes end-user data (i.e. acts like a vendor) for its own use then the end-user can be informed and asked to give consent. The Sourcepoint dashboard allows your organization to set your own legal basis for IAB purposes.
An organization that wants to set a frequency-capping first-party cookie should request end-user consent for Purpose 1 "Store and/or access information on a device" in jurisdictions where it is required.
More information from the IAB about Publisher Purposes can be found here.
From the advanced settings modal in your vendor list builder, click Manage Publisher Purposes.
In the subsequent modal, your organization can set the legal bases for IAB purposes. The options for legal bases are:
- User Consent
- Legitimate Interest
- Not Applicable
Please consult with your Data Protection Officer or privacy legal team about the appropriate legal bases for each purpose.