Initially, GDPR created a lot of trouble for publishers. While users finally had control of their personal data, publishers felt they had very little control over third-party vendors and partners on how user data was processed. That’s when IAB introduced pubvendors.json in support of GDPR consent framework.

Between publishers and vendors, exchange of audience is a big deal. Hence, publishers felt a framework was needed for them to exercise better control over ‘which vendor can use what part of the audience data and to what extent.’ Consequently, pubvendors.json was created.

What is Pubvendors.json?

In the shortest definition, pubvendors.json is a list of vendors created by publishers. More specifically, it’s a file publishers host on their domain, indexing the following information:

  • Vendors they’re partners with, on a legitimate-interest basis
  • Audience data usage and rights granted to those vendors
  • Other vendors they are open to get consent for

For vendors who are a part of the IAB Transparency and Consent framework, the pubvendors.json file acts as a book of rule telling them how much audience data they can access, what they can do with that data, and what the publisher’s GDPR policy looks like.

Why Was Pubvendors.json Needed?

With GDPR came in two different approaches to data security compliance viz. legitimate interest and consent. But what were these?

The legitimate interest represented how publishers legally justify the use of their audience data. While consent meant that publishers will have to inform their users about how they plan to use their data and ask for permission to do so.

Legitimate interest and consent based GDPR

Going by the rules, publishers felt the GDPR standards are stricter towards publishers who’ll have to follow the consent based route than those who had adopted legitimate interest. Hence, they demanded a framework which would give publishers the authority to control vendors’ limits/rights on processing their audience data; regardless of which basis they follow一legitimate interest or consent.

How Does Pubvendors.json Work?

GDPR plays a significant factor in the publisher-vendor relationship. How? Publishers and vendors (like DSPs, SSPs, DMPs) deal in data. Whenever a publisher onboards a new vendor, for example a data management platform to create audience segments, the DMP (vendor) gets access to that data. And the publisher knows it.

What happens is the vendor uses the received data for self advertising/ad serving purposes. This is the point where there’s a need for the publisher to define data rules for the vendor. There’s a cycle to how it works:

First, publishers need to comply with GDPR. For that, they’ll either follow the legitimate interest route or consent route. Second, vendors need to comply with publishers, hence their GDPR policies. In order to partner with the publisher, the vendor needs to know about the vendor-rules defined by the publisher. That’s where pubvendors.json works.

The pubvendors.json file pre-informs the vendors about how much data access they will get, whether they are allowed to run personalized ads on the publishers’ audience or not, and others. The rules stated in the publisher’s pubvendors.json file is dependent on the route he/she follows.

If you noticed above, pubvendors.json lists the vendors that publishers have partnered with on a legitimate interest basis. So, in a case a publisher’s pubvendors.json file states about working on a consent basis, the vendors infer that they should plan their partnership with the publisher accordingly; before beginning to serve personalized ads to that publishers’ audience.

For instance, vendors use the publisher’s ads.txt file to know who is the authorised seller of their ad inventory. Likewise, with pubvendors.json, they learn about how vendors are operating and what basis (legitimate interest or consent) the publisher is following in compliance with GDPR.

The Intent of Pubvendors.json

The technical specifications of pubvendors.json are intended for the following:

  1. Give publishers a standard to publicly index and whitelist vendors.
  2. Allow vendors to verify the publisher’s GDPR settings.
  3. Enable vendors to confirm the consent management platform consent strings.
  4. Empower publishers to design a pre-vendor ‘data limit, purpose, and feature’ framework.
  5. Get the vendor rights and activities on the publisher data more organized and monitored.

How do Publishers Benefit from Pubvendors.json?

For new publishers (or for those new to this concept), pubvendors.json might sound complex. Honestly, it’s not. It’s as simple as implementing ads.txt or robots.txt, once understood. Likewise, the yields of pubvendors.json are also in the publishers’ favor.

The updated GDPR framework empowers them to exercise granular control over how they wish their website visitors to be (or not to be) targeted with personalized ads.

Moreover, consent strings are added to help the supply-side space remain on the same page as publishers about ‘how to use the publishers audience data.’ Eventually, all of this made vendors more accountable towards publishers.

Also read: Sellers.json: IAB’s New Move to Increase Programmatic Transparency

Things Publishers Should Know About Pubvendors.json

What do publishers need?

A consent management platform in place would be needed to follow the consent-based route. The CMP generates a consent string which identifies the consent status of the vendor. It also informs who can run personalized ads and who cannot.

What problems are publishers facing?

A lot publishers are either incorrectly implementing consent frameworks or not serving ads to their EU audience in fear of compliance breach. Others are simply operating with paywalls.

When did it become necessary?

The day GDPR came into effect, which was May 25th 2018, that was also the time when IAB declared that they are on the verge of introducing the additional support tech, pubvendors.json.

Is it mandatory?

Till date, no. However, debates are drifting towards making pubvendors.json mandatory for publishers, so as to ensure that vendors follow and stick to the ad serving rules.

Whom to add to the list?

DSPs, SSPs, DMPs, programmatic partners, and any sort of third-party data providers that are used to build and/or manage audience segments should be a part of the list. Here, intent is to publicly clarify the relationship between the publisher and the vendor w.r.t. data exchange.

How to create the file?

You may ask your developer to create the pubvendos.json file (the same way they might have implemented ads.txt). Or, you may just go with one of the many pubvendors.json manager tools.

How to integrate the file?

You may ask your developer to create the pubvendos.json file (the same way they might have implemented ads.txt). Or, you may just go with one of the many pubvendors.json manager tools.

Ideally, as stated above, the publisher would need a CMP that supports the file. Once created, the file named pubvendors.json can be placed on a known path of the website domain just like ads.txt, example:

    "publisherVendorsVersion": 1,         // [Required] Version of the pubvendors.json specification    "version": 1,                         // [Required] Increment on each update of this file
    "globalVendorListVersion": 1,         // [Required] The version of the GVL this was created from
    "updatedAt": "2019-03-28T00:00:00Z",  // [Required] Updated for every modification
    "vendors": [                          // [Required] Whitelist vendors
            "id": 1                       // [Required] ID of vendor
            "id": 2
            "id": 3

What about updates?

Updates to the existing pubvendors.json will be required every time a new vendor is onboarded. Untimely update may cause loss or compliance breach. As a solution, publishers can choose pubvendors.json manager tools which do the manual legwork for them and help them do the monitoring.

Any limitations?

Accuracy. Publishers will have to ensure they have hands-on knowledge on their vendors (DSP, SSP, DMP) so as to properly assign the data rights.

The good thing?

Alongside the accountability of vendors towards publishers, pubvendors.json is in consideration to be made mandatory in order to make both legitimate interest and consent basis route equally favorable for publishers.

Final advice?

Knowing the direct impact of ads on user experience, publishers are working more and more towards showing personalized ads, the right way. However, with data security and bad UX becoming the most prevalent challenges, pubvendors.json is yet another way to combat it.


Shubham is a digital marketer with rich experience working in the advertisement technology industry. He has vast experience in the programmatic industry, driving business strategy and scaling functions including but not limited to growth and marketing, Operations, process optimization, and Sales.

Write A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Posts