Permission: Vendor list - GDPR

In this article, we will cover the following configurations specific to a GDPR Standard vendor list:

To start, click Vendor Management on the left-hand panel and select GDPR Standard from the menu.


Select a vendor list from the subsequent page or click New to create a new GDPR Standard vendor list.

Screenshot 2023-08-02 at 5.36.16 AM.png

Apple data broker

The Apple data broker setting is an optional designation that your organization can apply to a vendor on your GDPR Standard vendor list that will impact an end-user's consent string and subsequent experience of your privacy manager. In this article, we will cover:

  Note: In order to utilize the apple data broker feature, your organization must fulfill the following pre-requisites:

Property is utilizing Sourcepoint's Unified SDK
iOS tracking message is enabled on account

A vendor who is designated as an apple data broker by your organization is only impacted by the designation when an end-user selects Don't Allow Tracking (or some permutation of this user option) in Apple's App Tracking Transparency message.

If an end-user selects Don't Allow Tracking, the following will automatically occur for a vendor designated as an Apple data broker:

  • Vendor grants will return a FALSE value for the vendor
  • End-user will be unable to enable vendor from the privacy manager

To designate a vendor as an apple data broker, click the name of a vendor on the vendor list. 


Click the checkbox inline with Apple Data Broker and select Apply changes when finished.


Vendors designated as Apple data brokers will be marked in the vendor list builder.


Disclosure only purpose

The disclosure only feature allows you to configure a custom purpose that does not have a consent toggle (opt-in/opt out). To enable the feature for a custom purpose, click the custom purpose name from your vendor list. 


From the subsequent dialog box, check the box next to Disclosure only and click Apply changes when finished. 

Screenshot 2023-08-02 at 6.03.35 AM.png

When enabled for the custom purpose, vendors can either be configured as Disclosure only or Not Applicable for the custom purpose. 


Manage custom purposes

A custom purpose on a GDPR Standard vendor list is a configurable purpose created by your organization and can be applied to vendors on your vendor list.

To add a custom purpose, click + Add Custom Purpose at the bottom of the vendor list builder.


Use the subsequent modal to input a Name and optional Description for the new custom purpose. Click Create purpose when finished.


  Note: The Google Consent Mode Category field should only be filled-in if your organization is implementing Google Consent Mode for your property. Click here for more information about Sourcepoint's integration with Google Consent Mode. 

The custom purpose will be added to end of the purpose column. Set the legal basis for the new custom purpose for each vendor in your vendor list.


To edit general settings, consent and reject actions, or to delete the custom purpose, click the name of the purpose. 


Use the subsequent modal to edit or delete the custom purpose. Click here for more information on custom illustrations.


Custom purpose custom illustration

The custom illustration field for a custom purpose enables your organization to provide examples of how the purpose is used. Each configured custom illustration will be automatically added as a bullet point underneath the custom purpose when it is expanded in the privacy manager.

From the custom purpose modal, navigate to the Illustration section and click + Add Custom Illustration.

Screenshot 2023-08-10 at 10.07.05 AM.png

Use the provided field to input an example and repeat as desired.

Click Apply changes when finished. 

Screenshot 2023-08-10 at 10.43.33 AM.png

Manage custom stacks

Custom stacks allow your organization to group purposes in your vendor list into pre-determined groupings. When configured, these stacks can be surfaced in lieu of each purpose listed individually in privacy managers for associated properties. Like a folder system for purposes, the individual purposes can be navigated to by the end-user by clicking the stack in the privacy manager.


Click Manage Stacks at the bottom of the vendor list builder.


From the subsequent modal, input a name, optional description in the provided fields and select the custom purposes that should be included in the stack. Click Create Custom Stack.

  Note: A custom purposes can only be included in a single custom stack at any given time.

Repeat as necessary and click Apply Changes when finished.


The purposes included in the custom stacks will be grouped together in the vendor list builder under the custom stack name. Any purposes not included in a custom stack will be listed separately.

Click Save to apply the changes.

Consent scope

The Consent Scope field for a vendor list determines how an end-user's consent preferences are shared across different properties within and outside your organization.

When an end-user selects their consent preferences on your property, the privacy manager will utilize the consent scope for the associated vendor list to share or not share the preferences. The following

Consent Scopes can be selected for a GDPR Standard Vendor List:

Consent Scope Description
Single Site An end-user's consent preferences will only be set for the property where the end-user provided their consent..
Shared Site

An end-user's consent preferences will be shared across a defined group of sites within your Sourcepoint account.

  Note: Selecting this option requires that your organization has configured authenticated consent on your properties.

From the vendor list builder, navigate to the Consent Scope field at the top of the page and use the dropdown menu to select a consent scope for the vendor list.

Click Save when finished.


Vendor URL mapping

Vendor URL mapping is intended to be used by publishing systems with Sourcepoint's vendor URL mapping API to help determine if a vendor URL has been defined appropriately in the Sourcepoint system. This API can help developers that are integrating with Content Management Systems (CMS) verify that a URL referenced in content can be related to vendor and purpose consent preferences which can be queried and set based on user actions.

The vendor URL mapping API will return the vendors that have URL mappings which match the vendorUrls passed in the request. These mapping must be configured within the Sourcepoint portal before this API can be used.

Configure the URL mappings for vendors by selecting a vendor from the list.


Click URL Mappings in the modal and select Add Pattern.


Use the provided fields to configure conditions of the pattern. Your organization can create patterns with multiple condition statements. Additionally, you can configure multiple patterns for the vendor.

Click Apply changes when finished.


Repeat as necessary for other vendors.

  Note: Do not create patterns that can be matched to multiple vendors as this will cause errors.

Click Save in vendor list builder to confirm all changes.

Advanced settings

The advanced settings modal for a GDPR Standard vendor list allow a user to configure settings that will applied to the entire vendor list. 

Click *Advanced settings*.


The following advanced settings can be edited for the GDPR Standard vendor list:

Advanced Setting Description
Write 1st party cookies to root domain

When enabled, consent selections will be stored/persist across the site’s root domain (e.g. and its respective subdomains (e.g.

This will ensure that users do not see the same consent message when moving from root to subdomain or vice versa. 

Write 1st party cookies from the server

When enabled, the 1st-party cookie will be set by the server by passing a cookie from the server back to your site instead of using the on-site code to set the cookie.

This setting should be enabled if your organization has set up a CNAME subdomain.

Consent cookies expiration The length of time (in days) consent cookies are valid.
Base vendor consent and reject actions on vendor grants

Vendor grants inform a publisher whether a vendor has been granted consent for all the purposes for which they are asking consent. Generally, this setting is used to manage custom vendors. When enabled, the Vendor List will fire consent and reject actions based on the vendor grant.

  Note: A vendor grant only returns a true value when an end-user consents to all purposes for which your organization is requesting. If an end-user consents to only some of the purposes, the vendor grant will return a false value.

Do not store UUIDs server side

Only available for android apps. When enabled, end-user consent will not be stored in the server. 

  Note: Enabling this option will remove all user related metrics from Sourcepoint reporting for android apps. You will only be able to report on page view data for android apps.

Do not use unique user identifiers for reporting purposes

In order to report on unique users, we send a unique identifier for each user to our reporting pipeline in order to attribute page views and actions that have been made by the same user.

Depending on the jurisdiction you are in, the DPA cookie guidance on this use case may vary and therefore you have the option to restrict this use case if you wish. If this setting is enabled, Sourcepoint will no longer set the _sp_su cookie (used in our sampling methodology in our reporting pipeline) on your properties associated with the vendor list.

  Note: Enabling this setting will mean that any reporting metrics that relate to unique users will show the exact same numbers as page views.

Use the subsequent modal to edit the advanced settings for the vendor list. Click Apply Changes when finished.


Vendor count

The vendor count(s) are ineditable fields that will respectively tally:

  • total number of vendors on your GDPR Standard vendor list
  • number of vendors with a legal basis set for each purpose (except for Disclosure only)


Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.