Prebid.js Consent Management: Header Bidding Setup Guide for Publishers
Header bidding lifts publisher CPMs by letting demand partners compete in parallel — but every one of those partners needs a valid consent signal before it can drop a cookie, fingerprint, or fire a pixel. Prebid.js, the de facto open-source header bidding wrapper used by tens of thousands of sites, ships with a Consent Management module that wires your CMP into every auction. Configure it wrong and you either leak data without consent (regulatory risk) or starve bidders of the signal they need (revenue risk). This guide walks publishers through a production-grade setup.
Why Prebid.js Needs a Consent Management Module
When a Prebid.js auction runs, the wrapper makes parallel requests to every configured bidder adapter. Each adapter must include the user's consent string in its bid request — tcfeu (TCF v2.2 for the EU/UK), usp (CCPA/CPRA), and increasingly gpp (the IAB Global Privacy Platform string covering multiple US states). Without these signals, downstream SSPs and DSPs are forced to either treat the user as opted-out, drop the bid entirely, or — worst case — process data unlawfully.
The Prebid Consent Management module sits between your CMP and the bid request pipeline. It calls the standard CMP API (__tcfapi, __uspapi, __gppapi), waits for a consent string, and then injects it into every adapter's bid request payload automatically. It also enforces purpose-based gating when you enable GDPR enforcement, blocking storage access and bidder execution for users who haven't granted the relevant TCF purposes.
Installing and Configuring the Core Module
Prebid.js is built per-publisher from docs.prebid.org/download.html. When you generate your custom build, three modules under "Consent Management" matter:
- consentManagementTcf — handles TCF v2.2 strings for EU, UK, and Switzerland traffic.
- consentManagementUsp — handles the older CCPA/CPRA US Privacy String (still required by many DSPs).
- consentManagementGpp — handles the IAB GPP string, the forward-looking standard now mandated by Google, TTD, and major SSPs.
Include all three if you serve global traffic. Once the build lands on your CDN, configure the modules in your Prebid setup script, as covered in the two subsections that follow.
TCF v2.2 configuration
The TCF block tells Prebid which CMP API to call, how long to wait for a string, and what to do on timeout. A typical production config sets cmpApi: 'iab', timeout: 8000 (8 seconds — long enough for a slow CMP banner load), and defaultGdprScope: true so users in unknown jurisdictions are treated as in-scope until proven otherwise. Setting actionTimeout separately controls how long Prebid waits when the user has not yet interacted with the banner — keeping it modest avoids a blank ad slot if a visitor ignores the banner.
US Privacy and GPP
USP is simple: enable the module and Prebid reads the four-character string from __uspapi. GPP is more nuanced because the GPP string can carry multiple section IDs (TCF EU, US National, US California, US Colorado, US Virginia, etc.). Prebid auto-forwards the full string, but bidders inspect specific sections. Make sure your CMP emits the correct GPP sections for each user's jurisdiction — a misconfigured CMP that emits only the US National section to a California user will cause CPRA-compliant DSPs to discard the bid.
Enabling GDPR Enforcement (Purpose-Based Gating)
By default, the consent module passes the TCF string through but does not block anything. To make Prebid actually enforce TCF purposes, enable the gdprEnforcement rule set. This is where most setup mistakes happen — and where the difference between a compliant and non-compliant header bidding stack lives.
The standard ruleset blocks four activities when the relevant purpose lacks consent:
- storage — gated on Purpose 1 (storage and access). When denied, Prebid prevents bidders from reading or writing cookies and localStorage.
- basicAds — gated on Purpose 2 (basic ads). When denied, the bidder is excluded from the auction entirely.
- measurement — gated on Purpose 7. Affects analytics adapters.
- transmitPreciseGeo — gated on Special Feature 1. When denied, Prebid strips precise geolocation from bid requests.
For each rule you set enforcePurpose: true, enforceVendor: true, and a list of vendorExceptions. The vendor exception list is critical: any bidder you list there is allowed to participate even without explicit TCF vendor consent, on the grounds that you have a separate legal basis (e.g., legitimate interest combined with a contractual flow). Use this sparingly — over-broad exceptions are exactly the pattern regulators have begun fining publishers for.
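How enforcePurpose, enforceVendor and vendorExceptions combine, shown as an added example that is not Prebid's own code: a simplified, consent-only model evaluated for two hypothetical bidders. The bidder codes, vendor ids, function names and the consent object are constructed for illustration.

```javascript
// Simplified model of the gating described above; not Prebid's source code.
// Assumption: consent only (legitimate interest is ignored).
const PURPOSE_ID = { storage: 1, basicAds: 2, measurement: 7 };

// mod:     { code, gvlid } adapter code and its vendor id (hypothetical values)
// consent: constructed stand-in for decoded TCF data, each map is { id: boolean }
function isAllowed(rule, mod, consent) {
  // A listed exception bypasses both the purpose check and the vendor check.
  if ((rule.vendorExceptions || []).includes(mod.code)) return true;

  const purposeOk = rule.purpose === 'transmitPreciseGeo'
    ? consent.specialFeatureOptins[1] === true               // Special Feature 1
    : consent.purposeConsents[PURPOSE_ID[rule.purpose]] === true;
  const vendorOk = consent.vendorConsents[mod.gvlid] === true;

  return (!rule.enforcePurpose || purposeOk) && (!rule.enforceVendor || vendorOk);
}

// Evaluate every rule for one module, e.g. { storage: true, basicAds: false, ... }
function evaluate(rules, mod, consent) {
  return Object.fromEntries(rules.map(r => [r.purpose, isAllowed(r, mod, consent)]));
}

const rules = [
  { purpose: 'storage', enforcePurpose: true, enforceVendor: true, vendorExceptions: [] },
  { purpose: 'basicAds', enforcePurpose: true, enforceVendor: true, vendorExceptions: ['bidderB'] },
  { purpose: 'measurement', enforcePurpose: true, enforceVendor: true, vendorExceptions: [] },
  { purpose: 'transmitPreciseGeo', enforcePurpose: true, enforceVendor: true, vendorExceptions: [] },
];

// Constructed user: Purposes 1 and 2 granted, vendor 101 only, no precise geo.
const consent = {
  purposeConsents: { 1: true, 2: true, 7: false },
  vendorConsents: { 101: true, 202: false },
  specialFeatureOptins: { 1: false },
};

const bidderA = evaluate(rules, { code: 'bidderA', gvlid: 101 }, consent);
const bidderB = evaluate(rules, { code: 'bidderB', gvlid: 202 }, consent);
console.log({ bidderA, bidderB });
```

bidderB has no vendor consent, so storage is denied, yet the basicAds exception still admits it to the auction; that is the effect each entry in vendorExceptions has.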
Common Pitfalls That Cost Publishers Revenue or Compliance
Timeout set too low
If timeout is shorter than your CMP's banner render time, Prebid moves on with no consent string. Bidders treat that as no-consent and drop the bid. Measure your CMP's __tcfapi('addEventListener') first-call latency at the 95th percentile and set the Prebid timeout above it. 8000 ms is a safe default; 3000 ms is risky if you serve markets where banners take time to localize.
Missing GPP integration on US traffic
Major SSPs and DSPs (Google AdX, TTD, Magnite, PubMatic) now require the GPP string for US opt-out enforcement. If you only emit the legacy USP string, these DSPs will increasingly downgrade or skip your inventory. Audit your bid responses: a sharp CPM drop on US traffic in 2026 is often a missing-GPP signal.
Stale consent strings on SPA navigation
Single-page apps that re-trigger Prebid auctions on route changes must call pbjs.refreshUserIds() and ensure the latest TCF string is fetched. A cached 30-minute-old string can carry the previous user's preferences if your site uses shared sessions.
Missing vendorExceptions for analytics
Publishers often forget that Prebid Analytics adapters (Google Analytics, server-side reporting) are also subject to measurement gating under TCF Purpose 7. If you rely on these for revenue reporting, list them explicitly under the measurement rule's vendor exceptions or accept the data gap on no-consent traffic.
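The configuration described under "TCF v2.2 configuration" and "US Privacy and GPP" and the pitfalls in this section can be checked together. The following is an added example, not code from Prebid or from this guide: a small audit over a consentManagement object. The function name, finding codes, bidder names and sample values are assumptions.

```javascript
// Constructed sample in the shape passed to pbjs.setConfig({ consentManagement }).
// Bidder names and timeouts are placeholders, not values from a real site.
const sampleConfig = {
  gdpr: {
    cmpApi: 'iab',
    timeout: 3000,           // ms to wait for the CMP to return a string
    defaultGdprScope: true,  // unknown jurisdiction is treated as in scope
    rules: [
      { purpose: 'storage', enforcePurpose: true, enforceVendor: true, vendorExceptions: [] },
      { purpose: 'basicAds', enforcePurpose: true, enforceVendor: true,
        vendorExceptions: ['bidderA', 'bidderB'] },
    ],
  },
  usp: { cmpApi: 'iab', timeout: 1000 },
  // no gpp block: left out on purpose so the audit reports it
};

// Returns [{ code, detail }] for the pitfalls this guide lists.
// p95CmpLatencyMs is the CMP latency you measured yourself (assumed input).
function auditConsentManagement(cfg, p95CmpLatencyMs) {
  const findings = [];
  const add = (code, detail) => findings.push({ code, detail });
  const gdpr = cfg && cfg.gdpr;

  if (!gdpr) {
    add('NO_TCF', 'no gdpr block configured');
  } else {
    if (!(gdpr.timeout > p95CmpLatencyMs)) {
      add('TIMEOUT_LOW', `timeout ${gdpr.timeout} ms <= CMP p95 ${p95CmpLatencyMs} ms`);
    }
    if (gdpr.defaultGdprScope !== true) {
      add('SCOPE_DEFAULT', 'unknown-jurisdiction users are treated as out of scope');
    }
    const rules = gdpr.rules || [];
    if (rules.length === 0) add('NO_RULES', 'no enforcement rules configured');
    for (const r of rules) {
      if (r.enforcePurpose === false || r.enforceVendor === false) {
        add('ENFORCE_OFF', `${r.purpose}: purpose or vendor check disabled`);
      }
      if ((r.vendorExceptions || []).length > 0) {
        add('REVIEW_EXCEPTIONS', `${r.purpose}: ${r.vendorExceptions.join(', ')}`);
      }
    }
  }
  if (cfg && cfg.usp && !cfg.gpp) add('NO_GPP', 'USP configured without GPP');
  return findings;
}

console.log(auditConsentManagement(sampleConfig, 4200));
```

In the browser console, pass pbjs.getConfig('consentManagement') as the first argument instead of the sample object.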
Testing Your Setup Before Production
Prebid.js exposes pbjs.getConfig('consentManagement') in the browser console. Verify the active configuration matches your intent. Then use the Chrome Prebid.js Professor extension or pbjs.getEvents() to inspect the consent string attached to each bid request. Spot-check three scenarios: a fully consented user, a user who clicked "Reject All," and a user who dismissed the banner without interacting. Each should produce a different observable behavior in the bid request payload.
Run the same checks across geographies using a VPN or your CMP's geolocation override flag. EU traffic should produce a TCF string and trigger gdprEnforcement; California traffic should produce a USP and a GPP string; jurisdictionally-unknown traffic should respect your defaultGdprScope setting.
Bringing It Together
A correctly configured Prebid Consent Management stack does three things at once: it keeps your bidders supplied with valid consent signals (preserving CPMs), it enforces TCF and US opt-out rules at the wrapper level (reducing regulatory exposure), and it gives you a single audit point when a regulator asks how your header bidding setup honors user choice. Take the time to set timeouts deliberately, enable GPP alongside USP for US traffic, and review your vendorExceptions list quarterly — the cost of getting this wrong is measured in both fines and lost programmatic revenue.