Permission: Vendor list - GDPR

Vendor lists are configurable registries of authorized third-party vendors who can be authorized to process user data, access users' devices, and/or use the data stored on those devices for specific purposes. In order to guide your organization through the configuration process, we will cover how to do the following: 

Create vendor list with vendor list wizard

To start, click Vendor Management on the left-hand navigation and select GDPR TCF from the panel.


The subsequent page will list all existing vendor lists for the GDPR TCF regulatory framework. Click New

Screenshot 2023-08-01 at 11.12.27 AM.png

When creating a new vendor list, you will automatically activate the vendor list wizard to guide you through the configuration process.

  Note: In order to confirm the configurations made in the wizard you will need to select Save and Close from the wizard modal or the Dismiss icon in the upper-right hand corner of the wizard. If Cancel is selected in the wizard, your configurations since the last save point will be lost.

Regardless of the actions taken within the vendor list wizard, you will need to click Save in the vendor list builder to save your overall configuration. 

In the following sections we will cover the various configurations that are made in each tab:

Select properties and scope


Field Description
Name The internal name for your vendor list.
GDPR Applies Scope 

Determines the geographic regions where Sourcepoint will provide consent strings. When a user is identified as being in the geographic area defined in the vendor list, the consent strings that our system generates will include all preferences.‌

  Note: Be aware that countries/regions selected in this field must match those selected in the geo-targeting condition within your scenario for properties on your vendor list. This ensures consent is saved correctly across subdomains in the right regions

Consent Scope

Determines how an end-user's consent preferences are shared across different properties within and outside your organization.

When an end-user selects their consent preferences on your property, the privacy manager will utilize the consent scope for the associated vendor list to share or not share the preferences.

  • Single Site: An end-user's consent preferences will only be set for the property where the end-user provided their consent.
  • Shared Site: An end-user's consent preferences will be shared across a defined group of sites within your Sourcepoint account. Selecting this option requires that your organization has configured authenticated consent on your properties.

Properties associated with a vendor list will inherit the vendors, purposes, and legal bases configured for the vendor list. This information will be surfaced in privacy managers, OTT messages, and/or first layer messages configured for the property.

  Note: While properties can be added to multiple inactive vendor lists, a property can only be associated with a single active vendor list. Click here to learn more about active statuses for vendor lists.

Consent Cookie Expiration The length of time (in days) before a consent cookie is considered expired.

IAB settings


Field Description
Vendor Legal Basis

For vendors who have declared a flexible legal basis for a purpose, you can set the legal basis to one of the following defaults:

  • Consent
  • Legitimate Interest
  • Vendor Default
Add IAB Special Features

Enable the following IAB-specific special features for your vendor list:

  • Use precise geolocation data
  • Actively scan device characteristics for identification 
Manage IAB Stacks

IAB stacks allow your organization to group the 10 IAB purposes and 2 IAB special features into pre-determined groupings. When configured for your vendor list, these stacks can be surfaced in lieu of each purpose listed individually in privacy managers for associated properties.

  Note: IAB stacks include multiple permutations of IAB purpose groupings. However, a single IAB purpose in your GDPR TCF vendor list can only be in one IAB stack at a time. As you add IAB stacks to your vendor list, other IAB stacks will be un-addable due to these colliding purposes (i.e. one or more purposes in your added IAB stack also exists in another IAB stack).

Advanced IAB Settings

Configure the following IAB settings for your vendor list:

  • Use Special Treatment for Purpose One in Countries: Certain countries in European Union may have different interpretations of GDPR legislation. If enabled, then Purpose 1 will not be populated in the first layer message or a privacy manager and will not be registered in the consent string.
  • Display Special Purposes, Features, and Disclosure Only Vendors in Message: Determines whether you will show any vendor special features and special purposes in the first layer message.
  • List IAB Purpose 1 and Custom Elements first in the message: If enabled then any custom elements for Purpose 1 will be bumped to the top of the list of purposes in the first layer message.
  • Store euconsent-v2 first party cookie: A legacy cookie that Sourcepoint continues to support for early adoptees of the platform.

Custom purposes settings

A custom purpose on a GDPR TCF vendor list is a configurable purpose created by your organization and can be applied to vendors on your vendor list.

From the Custom Purpose Setting tab, you can either create a custom purpose using an entirely manual workflow or leverage a Sourcepoint-provided custom purpose that you can edit. 

First, select all languages that you will support in your messaging experience.


With the languages selected, either click Add New to add a single new custom purpose or use the Select Preset field to select one of more recommended custom purposes and click Apply

  Note: Please be aware that the Sourcepoint recommended purpose Necessary Cookies defaults to a Disclosure only type of purpose (i.e. the custom purpose can only utilize Disclosure only or Not applicable. If you desire to set any other custom purposes to Disclosure only then this must be done in the vendor list builder after you have finished the wizard workflow.


Your custom purpose(s) will be added to the list to input/edit a name, description and default legal basis. You will be required to provide translations for the name and description for each added custom purpose in the languages you have selected.

Click Save to confirm the name, description, legal basis, and translations for your added custom purpose(s).


Add vendors

Vendors can be added to your vendor list either through a vendor scan (if enabled for your organization) or manually. 

When viewing the Vendor Scan Results tab, the data populated in the table is dependent on the type of scanning your organization utilizes for its properties. Please refer to the table below for more information:

Scanning feature Available Data
DIAGNOSE The vendor scan results table will populate vendors and vendor insights found on your property via the scan.  
No Scanning feature The vendor scan results table will not populate any vendors.

Vendors found via scanning can be selected from the table and added by clicking Add to selected vendors. These selected vendors will appear by clicking the View Selected Vendors button.


Known Vendors are vendors recognised by the IAB and/or Sourcepoint and relevant information about the vendor are stored in our systems.

Unknown Vendors are vendors not recognised by the IAB and/or Sourcepoint, no information about the vendor are stored in our systems at the present time though should be added in the future. This happens for example if a vendor is new.

Furthermore, you can manually add a vendor to your vendor list by clicking All System Vendors.


All vendors in our system are divided into categories IAB Vendors, Custom Vendors, Google ATP Vendors.

IAB Vendors are vendors registered with the IAB. These vendors will be added to the purposes they have declared in the GVL and any flexible legal basis will be decided on the default set by vendor list.

Custom Vendors are vendors not registered with the IAB or belong to Google ATP. When adding a custom vendor, it should categorize the vendor's legal basis according to the Default Custom Vendor Consent Type setting in the purpose's vendor list custom settings.

Google ATP Vendors are vendors that belong to Google Ad Tech Providers. Google ATP vendors will be added to your vendor list under the purposes that are the same as Google Advertising Products.

From the tab, you can filter the list of vendors across IAB, Custom, and Google ATP vendors.


Select vendors from the table and click Add to selected vendors. These selected vendors will appear by clicking the View Selected Vendors button.


Add cookies

Click below for detailed information about managing cookie disclosures:

 Additional Resource

Cookie disclosures (GDPR TCF)

Edit vendor list with vendor list wizard

While the vendor list wizard can be used to create a new GDPR TCF vendor list, it can also be used to update/edit that vendor list as well. To re-access the vendor list wizard, navigate to an existing GDPR TCF vendor list and click the   icon.


Use the vendor list wizard to edit your GDPR TCF vendor list.

Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.