Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Sourcepoint is an enterprise consent management platform built for large publishers and media groups that supports the IAB TCF v2.2 and IAB GPP frameworks, manages multi region privacy regulations and exposes a granular vendor list across thousands of partners.
Sourcepoint is a consent and privacy management platform operated by Sourcepoint Technologies Inc., a Delaware company with European offices in London and Berlin. It is one of the reference CMPs for large publishers and media groups because of its native support for the IAB Transparency and Consent Framework v2.2, the IAB Global Privacy Platform and granular vendor management at scale.
Sourcepoint loads a small JavaScript bootstrap from cdn.privacy-mgmt.com, which fetches the publisher specific message bundle and renders the consent banner. The granular decisions are then propagated to thousands of downstream vendors through the IAB TCF v2.2 String, the Google Additional Consent Mode signal, the IAB GPP for US state laws and the Google Consent Mode v2 ad_storage and analytics_storage flags.
Sourcepoint sets strictly necessary first party cookies (consentUUID, _sp_v1_uid, _sp_v1_consent, _sp_v1_data) that store the consent identifier, the consent string and a hashed visitor identifier. The platform stores a server side consent record with the truncated IP for geolocation, the timestamp, the consent string, the TCF version, the publisher property identifier and the IAB GPP string for US states. No advertising identifier is processed by Sourcepoint itself.
The Sourcepoint cookies fall under the strictly necessary exemption of Article 5(3) ePrivacy because they store the consent decision explicitly requested. Consent for the CMP is therefore not required, but Sourcepoint propagates the IAB TCF v2.2 signal to thousands of vendors, which the Belgian APD targeted in its 2022 decision on IAB Europe. The controller must therefore audit the vendor list, the legitimate interest scope and the data sharing chain.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Sourcepoint hosts its primary platform on AWS US East (Virginia) with EU replicas in Frankfurt and Dublin. The transfer relies on the EU US Data Privacy Framework when applicable and on Standard Contractual Clauses with a Transfer Impact Assessment included in the DPA. Customers can opt in to the EU Only deployment so that the consent payload never leaves the EEA, which is the recommended setup for large EU publishers.
Sign the Sourcepoint DPA, enable the EU Only data residency option when possible, configure the message format following the IAB TCF v2.2 user interface requirements, audit the vendor list (Article 14 GDPR transparency obligations) and disable legitimate interest by default for any purpose that the EDPB Guidelines 8/2020 classify as targeted advertising. Sync Sourcepoint with Google Consent Mode v2 and document the recipients in the cookie register.
Websites using Sourcepoint must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Sourcepoint is deployed for a large publisher, news outlet or programmatic advertising platform because of the IAB TCF v2.2 signal propagation and the volume of vendors involved. The DPIA must document the US transfer leg (EU US Data Privacy Framework, SCCs), the joint controllership relationships introduced by TCF signal sharing, the legitimate interest scope for downstream vendors and the deployment option chosen (US, EU only, hybrid).
Sample consent text
This site uses Sourcepoint to record your cookie and consent preferences across our brand portfolio. The Sourcepoint cookies are strictly necessary and store your decision for up to 12 months. By clicking Accept you consent to the listed advertising partners that we share data with under the IAB Transparency and Consent Framework v2.2; you can adjust your choice at any time via the Privacy preferences link.
Third-party domains contacted
cdn.privacy-mgmt.comsourcepoint.comcdn.privacy-mgmt.comsourcepoint.comwrapper-api.sp-prod.netprivacy-mgmt.comcmp.sp-prod.netmessage.sp-prod.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| consentUUID | first_party | 12 months | Unique identifier of the visitor consent record under IAB TCF v2.2. |
| consentUUID | http_cookie | 12 months | Strictly necessary first party cookie that stores the unique consent identifier returned by the Sourcepoint backend so the consent record can be retrieved on subsequent visits. |
| euconsent-v2 | http_cookie | 12 months | Strictly necessary first party cookie that stores the IAB TCF v2.2 consent string and is read by downstream vendors integrated under the Transparency and Consent Framework. |
| _sp_v1_consent | first_party | 12 months | Stores the IAB TCF consent string and the choices made by the visitor. |
| _sp_v1_data | first_party | 12 months | Stores additional consent metadata used by the Sourcepoint CMP. |
| _sp_v1_uid | http_cookie | 12 months | Strictly necessary first party cookie containing a hashed visitor identifier used by Sourcepoint to correlate the in browser decision with the server side consent record. |
| _sp_v1_data | http_cookie | 12 months | Strictly necessary first party cookie that stores the publisher campaign identifier and the message version delivered to the visitor. |
Sourcepoint is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Sourcepoint sets first party cookies consentUUID, _sp_v1_data, _sp_v1_consent and _sp_v1_uid. They store the consent identifier, the IAB TCF string and the chosen vendor list.
Sourcepoint sets strictly necessary first party cookies that store the consent identifier (consentUUID), the IAB TCF v2.2 consent string (_sp_v1_consent), a hashed visitor identifier (_sp_v1_uid) and the campaign data (_sp_v1_data). Default duration is 12 months. No advertising cookie is set by Sourcepoint itself; the platform only propagates consent to downstream vendors.
No. Sourcepoint is strictly necessary under Article 5(3) ePrivacy. The vendors and trackers it gates still require valid consent.
No. The Sourcepoint cookies fall under the strictly necessary exemption of Article 5(3) ePrivacy because they store the visitor consent decision that has been explicitly requested. Consent is required only for the downstream vendors propagated through the IAB TCF v2.2 signal, not for the consent layer itself.
Legitimate interest plus the proof of consent obligation under Article 7(1) GDPR. Vendor processing is consent based per IAB TCF v2.2.
Sourcepoint is deployed under legitimate interest pursuant to Article 6(1)(f) GDPR for the controller, combined with the legal obligation under Article 5(3) ePrivacy and Article 7(1) GDPR to obtain and document consent for downstream trackers. The IAB TCF v2.2 signal that Sourcepoint propagates relies on consent for marketing purposes per the Belgian APD decision on IAB Europe.
EU consent records are stored in Ireland but some operational logs can transit US infrastructure. Sourcepoint relies on SCCs and the EU US Data Privacy Framework, with a transfer impact assessment recommended.
Sourcepoint Technologies Inc. is a US company and the default production region is AWS US East. EU customers can switch to the EU Only data residency option so that the consent payload remains in Frankfurt or Dublin. When data does flow to the US, it relies on the EU US Data Privacy Framework and on the SCCs included in the Sourcepoint DPA.
A DPIA is usually required because Sourcepoint exposes a large TCF vendor list. Map vendors, document SCCs and DPF safeguards and assess the residual risk.
A DPIA is recommended whenever Sourcepoint is deployed by a publisher with a large vendor list, in regulated sectors (news, finance, health) or when the IAB TCF v2.2 signal is shared with hundreds of partners. The DPIA must analyse the US transfer leg, the joint controllership scope under the TCF, and the legitimate interest declared by downstream vendors.
Configure a two layer banner with equal accept and reject buttons, block all TCF vendors before consent, enable Google Consent Mode v2, set up server side consent propagation and audit the vendor list monthly.
Sign the Sourcepoint DPA, enable EU Only data residency when possible, configure the message format to follow the IAB TCF v2.2 user interface requirements, disable legitimate interest for targeted advertising purposes, integrate Google Consent Mode v2 and document Sourcepoint and the downstream vendors in the cookie register and the privacy notice.
Comparable enterprise CMPs include Didomi, OneTrust, Usercentrics, Trustarc, Cassie and Quantcast Choice (TCF v2.2 capable). For smaller deployments the alternatives are CookieFirst, CookieHub, Iubenda, Axeptio, Cookiebot and the open source Klaro. The right choice depends on publisher size, programmatic stack and need for IAB TCF v2.2 support.
OneTrust, Didomi, TrustArc, Sirdata, Cookiebot, CookieFirst, CookieHub, Axeptio. EU vendors avoid Schrems II concerns.
Refresh the inventory monthly with a scanner, document every vendor and purpose declared in the TCF, and version the policy in your CMS.
Sync the Sourcepoint Vendor List export with your cookie register on each release, monitor the IAB TCF Global Vendor List changes (a new vendor can be added every week) and subscribe to Sourcepoint release notes. Update the privacy notice when a new sub processor or new IAB stack version is introduced.