Improve compliance score with Diagnose

In this article, we will cover strategies that your organization can leverage using Diagnose's dashboards to improve the compliance score of your properties. 

Review vendors triggered prior to consent

As per GDPR and the ePrivacy Directive, only vendors with a strictly necessary function should trigger prior to consent.

The first step to improve a publisher's compliance score is typically to understand the vendors that trigger on your properties prior to consent. Below are strategies you can implement to analyze vendors triggered prior to consent using the Vendors Triggered Prior to Consent Dashboard:

  • Referrer vendors
  • Prioritize by prevalence
  • Prioritize by activity on site
  • Sort by vendor type
  • Historical tags on-page

We recommend examining the referrer vendors who trigger prior to consent, and identifying any common themes. A referrer vendor is the vendor who is identified as owning the last web address accessed by the browser prior to triggering the vendor in question.

 Story from the field

A publisher found that 90% of vendors triggered prior to consent were being triggered by a single referrer vendor. By moving the referrer vendor behind consent, this publisher was able to restrict all of these vendors from firing before consent and improve their compliance score within 24 hours.

Review non-disclosed vendors observed

Below are recommendations on how to improve your compliance score using the Non-disclosed Vendors Observed dashboard depending on your CMP.

  • Sourcepoint CMP
  • Other CMP Provider

If your sites are integrated with the Sourcepoint CMP, we will automatically pull in all of the vendors from your vendor list into Diagnose, so we can ensure that every vendor who is on your vendor list has been accounted for in the scans.

However, many publishers find that our scans identify vendors who are active on their site, but have not yet been added to the vendor list. It is a requirement to declare all of the technology vendors active on your site, and this list will help manage those not on the vendor list. Additionally, many of our publishers have been able to identify vendors with historical integrations who they no longer have partnerships with and remove them from the site. Sort by prevalence on your properties to identify technology that is on-site.


Review disclosed vendors

Having a large vendor list is not in itself non-compliant, but it can be cumbersome to manage, and most publishers are not actually working with all 800+ vendors in the TCF Framework.

Every vendor in your vendor list has access to your end users' data, so a longer list means more parties with that access. If your list contains more vendors than the ones you actually use, you are leaving yourself open to data leakage, as end-user data is passed through a longer chain.


Reduce your vendor list to partners you actually work with. Use the Disclosed Vendors dashboard to understand the vendors who are in your vendor list, but have less than 2% prevalence in the scans running on your site. Because they are seen so few times, you can remove them from your list with almost no revenue impact. Most publishers work with between 150-200 vendors within the TCF list, and a reduction of 500+ vendors has little to no impact on revenue.

Additionally, reducing the size of your TCString can also benefit the performance of your site and ads loading, since ad partners will receive the consent string sooner.


 Story from the field

One of our publishers removed 200+ vendors from their list after Diagnose identified a large number of vendors with less than 2% prevalence. The result was a 0% decrease in revenue and a much more manageable list of vendors. 

Review cookies with long lifespans

It is a GDPR requirement that personal data is not kept for longer than 13 months. Given this limit, most cookies should not have a duration of more than 13 months, and it is up to the vendor to set these durations. Below is a strategy to implement using the Cookies with Long Lifespans dashboard:


Sort the Cookies with Long Lifespans dashboard from highest to lowest prevalence to understand how common these cookies are on your properties, and prioritise those with a prevalence higher than 20%.

  • For first party cookies (those managed by your organization), either ensure the duration is 13 months, or talk to your DPO to understand if a longer duration is strictly necessary.
  • For third party cookies, reach out to your partner directly and ask them to reduce the lifespan or to explain the set duration. Pass this by your DPO to be sure.
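
The duration check described above can also be run against your own first-party responses. The following is an added example, not part of Diagnose or Sourcepoint's code: it parses `Set-Cookie` header values and flags cookies whose declared lifespan exceeds 13 months. The sample headers are constructed, and 13 months is approximated as 395 days (an assumption).

```javascript
// Added example: flag cookies whose declared lifespan exceeds 13 months.
const MAX_DAYS = 395; // assumption: 13 months approximated as 395 days
const MAX_SECONDS = MAX_DAYS * 24 * 60 * 60;

// Parse one Set-Cookie header value into { name, lifespanSeconds }.
// lifespanSeconds is null for session cookies (no Max-Age or Expires).
function parseSetCookie(header, now) {
  const parts = header.split(";").map((p) => p.trim());
  const name = parts[0].split("=")[0];
  let maxAge = null;
  let expires = null;
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(value)) {
      maxAge = parseInt(value, 10);
    } else if (key === "expires") {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = Math.round((t - now.getTime()) / 1000);
    }
  }
  // When both attributes are present, Max-Age takes precedence (RFC 6265).
  return { name, lifespanSeconds: maxAge !== null ? maxAge : expires };
}

// Return the cookies that outlive the limit, with their lifespan in days.
function findLongLivedCookies(headers, now) {
  return headers
    .map((h) => parseSetCookie(h, now))
    .filter((c) => c.lifespanSeconds !== null && c.lifespanSeconds > MAX_SECONDS)
    .map((c) => ({ name: c.name, days: Math.floor(c.lifespanSeconds / 86400) }));
}

// Constructed sample input: header values as a scan of your own site might capture them.
const SAMPLE_NOW = new Date("2024-01-01T00:00:00Z");
const SAMPLE_HEADERS = [
  "session_id=abc; Path=/; HttpOnly",                              // session cookie
  "prefs=dark; Max-Age=2592000; Path=/",                           // 30 days
  "uid=123; Max-Age=63072000; Path=/",                             // 730 days
  "track=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",      // about 7 years
  "both=1; Max-Age=86400; Expires=Wed, 01 Jan 2031 00:00:00 GMT",  // Max-Age wins
];

console.log(findLongLivedCookies(SAMPLE_HEADERS, SAMPLE_NOW));
```
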


Review possible fingerprinting

Whether vendors may use technology similar to fingerprinting differs per publisher; some clients allow this behaviour while others do not. It is up to your Privacy Team or DPO to define your internal policy regarding this behaviour.


If your organization does not allow fingerprinting, use the Possible Fingerprinting dashboard to approach specific vendors, understand why our systems have picked up the similar technology, and define what they are doing. Sort by prevalence to identify more common vendors.


Review data leaving the EEA

The Data Leaving the EEA dashboard helps to identify vendors who have servers located outside the EEA, which can be a compliance risk under GDPR.


Use this dashboard to understand which partners you work with have non-EU servers, and either ensure you have adequate agreements in place with your DPO or reach out to these vendors for clarification. Sort by prevalence to identify more common vendors.

