Admin access or Domain access to property (property group) with feature access to vendor list management

Vendor lists are configurable registries of authorized third-party vendors who can be authorized to process user data, access users' devices, and/or use the data stored on those devices for specific purposes. In order to guide your organization through the configuration process In this article, we will cover how:

Create vendor list with vendor list wizard

To start, click Vendor Management on the left-hand navigation and select GDPR TCF from the panel.


The subsequent page will list all existing vendor lists for the GDPR TCF regulatory framework. Click New


When creating a new vendor list, you will automatically activate the vendor list wizard to guide you through the configuration process.

  Note: In order to confirm the configurations made in the wizard you will need to select Save and Close from the wizard modal or the Dismiss icon in the upper-right hand corner of the wizard. If Cancel is selected in the wizard, your configurations since the last save point will be lost.

Regardless of the actions taken within the vendor list wizard, you will need to click Save in vendor list builder to save your overall configuration. 

In the following sections we will cover the various configurations that are made in each tab:

Select properties and scope


Field Description
Name The internal name for your vendor list.
Applies Scope  Determines the geographic regions where Sourcepoint will provide consent strings. When a user is identified as being in the geographic area defined in the vendor list, the consent strings that our system generates will include all preferences.‌
Consent Scope

Determines how an end-user's consent preferences are shared across different properties within and outside your organization.

When an end-user selects their consent preferences on your property, the privacy manager will utilize the consent scope for the associated vendor list to share or not share the preferences.

  • Single Site: An end-user's consent preferences will only be set for the property where the end-user provided their consent.
  • Share Site: An end-user's consent preferences will be shared across a defined group of sites within your Sourcepoint account. Selecting this option requires that your organization has configured authenticated consent on your properties.
Select Property(s) this list applies to

Properties associated with a vendor list will inherit the vendors, purposes, and legal bases configured for the vendor list. This information will be surfaced in privacy managers, OTT messages, and/or first layer messages configured for the property.

  Note: While properties can be added to multiple inactive vendor lists, a property can only be associated with a single active vendor list. Click here to learn more about active statuses for vendor lists.

Consent Cookie Expiration The length of time (in days) before a consent cookie is considered expired.

IAB settings


Field Description
Vendor Legal Basis

For vendors who have declared a flexible legal basis for a purpose, you can set the legal basis to one of the following defaults:

  • Consent
  • Legitimate Interest
  • Vendor Default
Add IAB Special Features

Enable the following IAB-specific special features for your vendor list:

  • Use precise geolocation data
  • Actively scan device characteristics for identification 
Manage IAB Stacks

IAB stacks allow your organization to group the 10 IAB purposes and 2 IAB special features into pre-determined groupings. When configured for your vendor list, these stacks can be surfaced in lieu of each purpose listed individually in privacy managers for associated properties.

  Note: IAB stacks include multiple permutations of IAB purpose groupings. However, a single IAB purpose in your GDPR TCF vendor list can only be in one IAB stack at a time. As you add IAB stacks to your vendor list, other IAB stacks will be un-addable due to these colliding purposes (i.e. one or more purposes in your added IAB stack also exists in another IAB stack).

Advanced IAB Settings

Configure the following IAB settings for your vendor list:

  • Use Special Treatment for Purpose One in Countries: Certain countries in European Union may have different interpretations of GDPR legislation. If enabled, then Purpose 1 will not be populated in the first layer message or a privacy manager and will not be registered in the consent string.
  • Display Special Purposes, Features, and Disclosure Only Vendors in Message: Determines whether you will show any vendor special features and special purposes in the first layer message.
  • List IAB Purpose 1 and Custom Elements first in the message: If enabled then any custom elements for Purpose 1 will be bumped to the top of the list of purposes in the first layer message.
  • Store euconsent-v2 first party cookie: A legacy cookie that Sourcepoint continues to support for early adoptees of the platform.

Custom purposes settings

A custom purpose on a GDPR TCF vendor list is a configurable purpose created by your organization and can be applied to vendors on your vendor list.

From the Custom Purpose Setting tab, you can either create a custom purpose using an entirely manual workflow or leverage a Sourcepoint-provided custom purpose that you can edit. 

First, select all languages that you will support in your messaging experience. 


With the languages selected, either click Add New to add a single new custom purpose or use the Select Default field to select one of more recommended custom purposes and click Apply

  Note: Please be aware that the Sourcepoint recommended purpose Necessary Cookies defaults to a Disclosure only type of purpose (i.e. the custom purpose can only utilize Disclosure only or Not applicable. If you desire to set any other custom purposes to Disclosure only then this must be done in the vendor list builder after you have finished the wizard workflow.


Your custom purpose(s) will be added to the list to input/edit a name, description and default legal basis. You will be required to provide translations for the name and description for each added custom purpose in the languages you have selected.

Click Save to confirm the name, description, legal basis, and translations for your added custom purpose(s).


Add vendors

Vendors can be added to your vendor list either through a vendor scan (if enabled for your organization) or manually. 

When viewing the Vendor Scan Results, the data populated in the table is dependent on the type of scanning your organization utilizes for its properties. Please refer to the table below for more information:

Scanning feature Available Data
DIAGNOSE The vendor scan results table will populate vendors and vendor insights found on your property via the scan.  
Media Trust The vendor scan results table will populate vendors found on your property via the scan. Individual insights for each vendor will not be available. 
No Scanning feature The vendor scan results table will not populate any vendors.

Vendors found via scanning can be selected from the table. These selected vendor will appear in the Selected Vendors panel.


Additionally/optionally, you can manually add a vendor to your vendor list by clicking All System Vendors.

From the tab, you can filter the list of vendors across IAB, Custom, and Google ATP vendors and select individual vendors from the list. These selected vendor will appear in the Selected Vendors panel.


Vendor scan mapping

  Note: The vendor scanning mapping tab is only available for organizations who have DIAGNOSE enabled for their accounts.

The vendor scanning mapping tab allows you to programmatically associate IAB and custom purposes (and their legal basis) with a custom vendor found via scanning based on the vendor's cookie category. 

Cookie categories are defined by the International Chamber of Commerce and include the following:

  • Advertising/Targeting
  • Performance
  • Functionality
  • Strictly Necessary

Custom vendors found via scanning will have associated purposes enabled with the legal basis defaulted to what is set in the wizard.

  Note: Individual changes to a vendor's legal basis for any of the associated purposes will need to be performed manually in the vendor list builder. 

For each cookie category in the list, select which purposes should be mapped to custom vendors found via scan who fall into each category. 


 In the example above, any custom vendor found via scanning who falls into the Functionality cookie category will be added to your vendor list with the IAB purpose Create a personalised ads profile enabled with a legal basis set to User Consent.

Edit vendor list with vendor list wizard

While the vendor list wizard can be used to create a new GDPR TCF vendor list, it can also be used to update/edit that vendor list as well. To re-access the vendor list wizard, navigate to an existing GDPR TCF vendor list and click the   icon.


Use the vendor list wizard to edit your GDPR TCF vendor list. 

Was this article helpful?
1 out of 1 found this helpful