In 2018, the European General Data Protection Regulation (GDPR) introduced a new privacy standard holding subcontractors accountable, regardless of whether they are based in the European Union (EU) or not.


From then on, these organizations failing to comply with their privacy obligations could be fined significant amounts by the respective regulators of the EU countries. Indeed, the GDPR establishes subcontractors as essential actors insofar as they are guarantors of the transparency, traceability, and security of the processed data.


As a consequence, this raised the question for publishers of how to manage vendors' partners and the risks they may present in terms of GDPR compliance. In this article, we look at the nature of vendors, why it is important for publishers to reduce their vendor list, and how to go about it.






What is a vendor?


A vendor is a partner or subcontractor of a publisher, providing a service to the publisher. The Interactive Advertising Bureau (IAB) Europe defines vendors as follows :


“A company that participates in the delivery of digital advertising within a Publisher’s website, app, or other digital content, to the extent that company is not acting as a Publisher or CMP, and that either accesses an end user’s device or processes personal data about end users visiting the Publisher’s content and adheres to the Policies.”


Note that a vendor can be a controller as well as a processor. In any case, the vendor is more or less directly involved in the processing of the publisher's data.


Why is it important for publishers to reduce their vendor list?


It is important for publishers to reduce their vendor list in order to regain control over a complex ecosystem. By limiting its vendor list to a reasonable number of vendors, a publisher is able to: 


  • Reduce the risk of a GDPR breach due to a lack of compliance by one of the vendors

  • Facilitate the enrolment of vendors on its Consent Management Platform (CMP)

  • Ensure that only revenue-generating vendors are retained

  • Obtain and nurture the valuable trust of its audience

  • Optimize the loading time of its site's pages


The question of reducing one's vendor list notably came into the limelight in early 2022 when the Belgian Data Protection Authority APD fined IAB Europe, mentioning that users cannot reasonably give informed consent for hundreds of vendors, rendering user consent invalid as a result.

How to reduce your vendor list?


On average, players in the publishing industry tend to have over 850 vendors declared in their Consent Management Platform (CMP), of whom only 10-15% are actually active on their web pages. Ideally, these two numbers should be identical, or at the very least very close.


In order to solve this and ensure compliance and performance of a webpage, one of the possibilities is to go through this list manually on a frequent basis and update it. However, this method can not only be extremely time-consuming but also very risky from a compliance standpoint, especially if you have a large list of vendors.


Using the Agnostik platform, organizations are able to automatically audit their webpage and CMP, identifying what goes on behind the scenes: Vendors dropping cookies, the compliance level of domains, issues that need fixing, and more. Not only does using Agnostik help save time and ensure compliance, but it also allows webpages to perform at peak performance.


To achieve this, Agnostik uses a tailor-made qualification process using successive filters:


  • Is the vendor declared in the CMP and is it one of the vendors based on legitimate interest according to the TCF 2.0? 

In order to answer this question, it is necessary to understand the notion of legitimate interest, and to be familiar with TCF 2.0. But what is legitimate interest?


"Legitimate interest is one of the legal bases provided for in the GDPR on which personal data processing can be based. The use of this legal basis assumes that the interests (commercial, security of property, etc.) pursued by the organization processing the data do not create an imbalance to the detriment of the rights and interests of the persons whose data are processed."


Source : Commission Nationale de l'Informatique et des Libertés (CNIL), 2019


The TCF 2.0 is an enhanced version of the Transparency Consent Framework (TCF) and fills the gaps from the first iteration.


It allows publishers to take into account a wider range of purposes, greater transparency, and more control regarding GDPR compliance for each purpose. It also includes the notion of legitimate interest and facilitated compliance through a CMP.


  • Is the vendor's headquarters located in a country considered "inadequate"?

What is an "adequate" country? This metric is about the level of data protection in said country.

Adequacy is determined in relation to the level of protection offered by the GDPR. EU countries are considered adequate. In other countries, data protection may be considered partial, as is the case in Canada. Finally, when the level of protection is not equivalent to the GDPR, the country is considered inadequate. 

For some countries, such as North Korea, no information is available about data protection laws that might be in effect.


  • Does the vendor collect personal data? If so, where does it rank on the scale established by the Agnostik Trust Index?

Personal data collection is one of the key elements for Agnostik to assess and rank vendors in its Trust Index (more info below).


  • Has the vendor generated revenue and/or been active over a significant period of time?

Being active implies making requests or submitting trackers. Some vendors do not generate revenue, but their technology is essential to the ecosystem.

  • Does the vendor, even if not declared in the CMP, generate revenue?

Finally, revenue generation is also part of Agnostik's vendor qualification filters. 


Based on the answers to these questions (and more), Agnostik ranks vendors on its Trust Index, assigning a score from A to E. The Facettes platform, developed by Agnostik, automates the application of these filters and provides an overview of all vendors and trackers present on the publisher's site.

New filters are frequently added.


Testimonials from Agnostik customers


Agnostik helps many publishers facilitate their operations and ensure compliance with regulations, thanks to the privacy suite. Among them, Sud Ouest and 20 Minutes came forward with positive feedback about their experience:


“Facettes allows us to have a listing of the sellers who are active on our inventory. We quickly realized that, in the end, there are not 800 active vendors, but far fewer. The data is regularly updated, and at the end of this work, we come to conclusions that allow us to further refine the sorting of vendors. (...)

With the Facettes tool, we have access to a lot of information about vendors, whether it's where they're coming from or how long they've been holding cookies. Each vendor is also ranked by the platform."

Florian PoulainDigital revenue and monetization manager at Sud Ouest



"The objective was to understand which actors and vendors were present on the site, as well as to identify their usefulness. The idea is to measure the real contribution of vendors, and then be able to decide with whom to work. In the end, this means reducing the Global Vendor List (GVL) to the players we really need. 


Frédéric Lecarme, Deputy General Manager at 20 Minutes


Reducing your vendor list and being aware of the vendor ecosystem present in your domains is vital to ensure your compliance. To learn more about Agnostik's solutions, perform a site audit, and reduce your vendor list together, book a call with an expert:


Talk to an expert