Overview
Prebid.js is the most widely deployed open-source header bidding library, used by publishers to run real-time auctions among multiple demand partners before a final ad serving call is made. It loads on publisher pages through a self-hosted or CDN-delivered script bundle and coordinates bid requests to dozens of SSPs and DSPs simultaneously. Because it brokers the transfer of user identifiers and behavioral signals to external bidding endpoints, it has significant privacy implications for site visitors.
What This Script Does
Prebid.js loads as a monolithic JavaScript bundle, typically named prebid.js or pbjs.js, often hosted at the publisher's own origin or via a CDN path. Once initialized, it calls out to multiple bid adapter endpoints — such as prebid-server.rubiconproject.com, ib.adnxs.com, sync.1rx.io, and dozens of others depending on which adapters are configured.
Cookie and storage behavior depends on the adapters enabled. Prebid itself may set a cookie such as _pbjs_userid_optout to persist user opt-out state across sessions. User ID modules (e.g., ID5, SharedID, Unified ID 2.0) set their own cookies or use localStorage keys like _id5id, _pubcid, or __uid2 with expiry ranging from 30 to 365 days. These identifiers are passed as bid parameters to each demand partner.
Data collected and transmitted includes: hashed or raw email addresses (if ID modules are seeded), IP address, User-Agent, page URL, referrer, viewport dimensions, ad slot positions, and any first-party segments defined by the publisher. Each bidder adapter sends a bid request carrying these fields to its respective endpoint, which may perform additional syncs via pixel or iframe.
User syncing (cookie syncing between demand partners and publishers) is managed by Prebid's user sync module, which fires iframe or image pixel requests to bidder endpoints after auction completion. These syncs enable cross-domain identity matching and are a significant privacy vector.
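The behaviour described in this section can be checked from the defender's side by auditing what a page does before any consent is given. The following is an added example, not code from Prebid.js or ConsentStack: it scans a constructed capture of request URLs and storage names for the endpoints, bundle names and identifier keys named above; the capture format and function names are assumptions.

```javascript
// Hostnames, bundle names and storage keys are the ones named on this page.
const BIDDER_HOSTS = ['prebid-server.rubiconproject.com', 'ib.adnxs.com', 'sync.1rx.io'];
const ID_KEYS = ['_id5id', '_pubcid', '__uid2'];
// Self-hosted bundles can be renamed; this only catches the typical file names.
const BUNDLE_RE = /\/(prebid|pbjs)(\.min)?\.js$/i;

function hostMatches(host, known) {
  // Exact host or true subdomain only, so "ib.adnxs.com.tracker.example" is not a hit.
  return host === known || host.endsWith('.' + known);
}

function auditPreConsent(capture) {
  const findings = [];
  for (const raw of capture.requests) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip unparsable entries
    if (BUNDLE_RE.test(url.pathname)) findings.push({ type: 'bundle-loaded', detail: url.href });
    const hit = BIDDER_HOSTS.find((h) => hostMatches(url.hostname, h));
    if (hit) findings.push({ type: 'bidder-request', detail: url.hostname });
  }
  for (const name of [...capture.cookies, ...capture.localStorageKeys]) {
    if (ID_KEYS.includes(name)) findings.push({ type: 'id-storage', detail: name });
  }
  return findings;
}

// Constructed capture of a page load with no consent given (paths are placeholders).
const SAMPLE_CAPTURE = {
  requests: [
    'https://www.publisher.example/assets/prebid.js',
    'https://ib.adnxs.com/constructed-bid-path',
    'https://sync.1rx.io/constructed-sync-path',
    'https://cdn.publisher.example/site.css',
    'https://ib.adnxs.com.tracker.example/x',
  ],
  cookies: ['session', '_pubcid'],
  localStorageKeys: ['theme', '_id5id'],
};

console.log(auditPreConsent(SAMPLE_CAPTURE));
```

An empty result on a pre-consent capture is the expected state; any finding means the bundle, a bidder call or an identifier was active before consent.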
Consent & Compliance
Under GDPR and the ePrivacy Directive, Prebid.js falls squarely in the marketing and analytics categories. The transmission of user identifiers to third-party bidders requires a valid legal basis — consent under Article 6(1)(a) is the standard approach. IAB TCF Purposes 1 (Store and/or access information on a device), 2 (Select basic ads), 3 (Create a personalised ads profile), 4 (Select personalised ads), and 7 (Measure ad performance) are all potentially exercised depending on adapter configuration.
Prebid.js has a built-in GDPR Enforcement Module that reads TCF consent strings and gates bid requests based on vendor consent status. Publishers are responsible for configuring this module correctly; misconfiguration results in bid requests firing without adequate consent.
Under CCPA/CPRA, Prebid supports the US Privacy string (usprivacy) to signal opt-out of sale/sharing to downstream partners, but enforcement depends on each adapter's implementation.
Because the ecosystem is US-based, participating vendors should maintain EU-US Data Privacy Framework commitments or SCCs for lawful EU data transfers.
Consent category: marketing. The primary purpose is enabling targeted ad placement via real-time bidding, which requires consent under ePrivacy and TCF rules.
Should You Block This Without Consent?
Yes. Prebid.js transmits user identifiers and behavioral signals to multiple third-party advertising endpoints as its core function. Without consent, these transfers violate GDPR Article 6 and the ePrivacy Directive's cookie rules. The script should be blocked until marketing consent is granted and a valid TCF string authorizing the configured demand partners is available.
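One way to implement the gate described above, as an added example that is not ConsentStack's or Prebid's own code: a decision function over the TCData object delivered by the IAB TCF v2 `__tcfapi` event listener, plus the wiring that loads the bundle only after a positive decision. The function names, the bidder-to-vendor-ID map and the choice to require every purpose listed on this page are assumptions.

```javascript
// Assumption: the strictest reading, requiring every purpose the page lists.
const REQUIRED_PURPOSES = [1, 2, 3, 4, 7];

// Decide from a TCF v2 TCData object whether the bundle may load, and for whom.
// bidderVendorIds maps bidder code -> TCF vendor ID (supplied by the publisher).
function prebidGate(tcData, bidderVendorIds) {
  const blocked = (reason) => ({ load: false, reason, bidders: [] });
  if (!tcData) return blocked('no-tcdata');
  // While the CMP dialog is open the user has not made a choice yet.
  if (!['tcloaded', 'useractioncomplete'].includes(tcData.eventStatus)) {
    return blocked('choice-pending');
  }
  // Assumption: outside GDPR scope this gate does not apply (usprivacy is separate).
  if (tcData.gdprApplies === false) {
    return { load: true, reason: 'gdpr-not-applicable', bidders: Object.keys(bidderVendorIds) };
  }
  if (!tcData.tcString) return blocked('no-tc-string');
  const purposes = (tcData.purpose && tcData.purpose.consents) || {};
  const missing = REQUIRED_PURPOSES.filter((p) => purposes[p] !== true);
  if (missing.length) return blocked('purposes-missing:' + missing.join(','));
  const vendors = (tcData.vendor && tcData.vendor.consents) || {};
  const bidders = Object.keys(bidderVendorIds)
    .filter((b) => vendors[bidderVendorIds[b]] === true);
  return bidders.length
    ? { load: true, reason: 'consented', bidders }
    : blocked('no-vendor-consent');
}

// Browser wiring: subscribe to the CMP and load the bundle at most once.
function gatePrebid(win, bidderVendorIds, loadBundle) {
  if (typeof win.__tcfapi !== 'function') return false; // no CMP: stay blocked
  let loaded = false;
  win.__tcfapi('addEventListener', 2, (tcData, success) => {
    const d = success ? prebidGate(tcData, bidderVendorIds) : { load: false };
    if (d.load && !loaded) { loaded = true; loadBundle(d.bidders); }
  });
  return true;
}

// Constructed TCData; vendor IDs 9001/9002 are placeholders, not real GVL IDs.
const SAMPLE_TCDATA = {
  gdprApplies: true, eventStatus: 'useractioncomplete', tcString: 'CONSTRUCTED',
  purpose: { consents: { 1: true, 2: true, 3: true, 4: true, 7: true } },
  vendor: { consents: { 9001: true, 9002: false } },
};
console.log(prebidGate(SAMPLE_TCDATA, { bidderA: 9001, bidderB: 9002 }));
```

The bidder list returned by the gate is the set of adapters that may be configured for the auction; bidders without vendor consent are left out rather than loaded and filtered later.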
Tracked Domains (1)
prebid.org (Marketing)
Frequently Asked Questions
Does Prebid.js require cookie consent from visitors?
Yes, Prebid.js requires consent. It orchestrates header bidding auctions that send user identifiers and behavioral signals to dozens of SSPs and DSPs. This cross-domain data sharing for advertising purposes is subject to GDPR, ePrivacy, and other consent regulations governing marketing cookies and ad tracking.
What user data does Prebid.js share during bid auctions?
Prebid.js fires parallel bid requests to multiple advertising demand partners, transmitting page context, user identifiers, and behavioral signals. It coordinates cookie syncing between demand partners for cross-site user matching and manages auction timing, bid responses, and winning creative data passed to the ad server.
How does ConsentStack handle Prebid.js header bidding?
ConsentStack identifies Prebid.js as a marketing and analytics script given its role brokering user data to ad demand partners. When consent is denied, ConsentStack blocks the Prebid.js bundle from loading, preventing bid requests and cookie syncing. Upon consent, the header bidding auction proceeds with configured demand partners.