Understanding Prebid US Compliance: What Publishers Need to Know About MSPA, GPP, and USNat Support

In an increasingly regulated US privacy landscape, publishers face complex obligations to collect and transmit user consent signals under overlapping state laws. The stakes are high: non-compliance risks revenue, damages user trust, and can break header bidding flows.

Since July 2023, the IAB’s Multi-State Privacy Agreement (MSPA), the Global Privacy Platform (GPP), and a new generation of technical standards have fundamentally changed how consent is managed and communicated within adtech. Prebid now supports these changes—but understanding the practical implications for Prebid.js, Prebid Server, and monetization teams is critical. This guide breaks down what you need to know, how Prebid handles US Compliance, and what operational adjustments publishers should make.

The Foundations: US Privacy Laws, MSPA, and the Global Privacy Platform (GPP)

2023 marked a turning point for US state privacy enforcement, with California, Virginia, Colorado, Utah, and Connecticut requiring publisher compliance. The IAB introduced the MSPA to unify these requirements, supported by a technical framework known as the GPP—or Global Privacy Platform—allowing for a single, extensible signal that encodes privacy preferences for different regions and regulations.

Within the GPP, each privacy law protocol is stored in a ‘section’ (SID), making it possible for consent strings to represent user choices by state or region, all inside a standardized container. The most relevant SIDs for US operations are 7 through 12, referring to the US National specification and each state’s protocol.

Where does Prebid fit in? Prebid.js and Prebid Server have adapted to read and interpret these GPP signals, automatically translating them into appropriate behavior—like restricting user sync or anonymizing IDs—depending on the encoded user choices and publisher settings.

Key Terms and Roles for Publishers

– MSPA defines whether an ad transaction is subject to contractual privacy restrictions (e.g., ‘Service Provider’ or ‘Opt-Out’ modes).
– GPP strings represent the consolidated privacy signals, including user opt-outs and special provisions for children.
– The shift from the deprecated US Privacy string to the GPP’s USNat and state-level signals is mandatory for ongoing compliance and technical compatibility.

Prebid.js and Prebid Server: How US Compliance Is Handled in Practice

US privacy support depends heavily on your Prebid version, as privacy and consent management features have evolved rapidly. New modules and logic were added across Prebid.js and Prebid Server for MSPA and GPP support, bringing practical changes for publishers focused on the US market.

– Prebid.js gained its first US compliance tools in version 7.30, with major improvements (including Activity Controls and the USNat module) in later releases.
– Prebid Server similarly added GPP passthrough, Activity Controls, and advanced modules for state and national compliance mapping.
– The practical effect: Prebid now reads the GPP string set by your CMP and enforces privacy restrictions during header bidding, usersyncs, EID handling, and the transmission of user data.

Example: A Typical Header Bidding Auction Under USNat

Imagine a user signals ‘Do Not Sell My Info’ per California law. The CMP encodes this opt-out in the GPP string (SID 8). Prebid.js reads that string, normalizes it to the national model (SID 7), and blocks user syncs or use of IDs for targeted advertising, automatically anonymizing bid requests as needed. The logic is consistent, regardless of the specific US state.

Publisher Overrides and Advanced Controls

By default, Prebid follows conservative, privacy-protective logic. However, publishers (or their ad operations/engineering teams) may override the default behavior to align with legal counsel or specific business requirements.

This can include:
– Customizing Activity Controls to relax or tighten privacy restrictions by state, GPC flag, or transaction type.
– Adjusting normalization logic if your legal team interprets MSPA obligations differently.

This flexibility is critical for publishers who want control, but it does require close knowledge of the config options.

Normalization, State Differences, and Common Publisher Pitfalls

State privacy laws aren’t identical—each introduces subtle but meaningful differences in how user age, sensitive data types, and consent are defined. Prebid’s normalization process translates different state strings (SIDs 8–12) into a common US National (SID 7) signal, letting you manage US compliance without state-by-state custom config.

Prebid’s default logic is restrictive: in ambiguous situations (e.g., undefined child consent), it defaults to anonymization. This minimizes legal and technical risk for publishers, but comes at the potential cost of limited data access in edge cases where more granular consent might technically exist.

Common Operational Mistakes to Avoid

– Running an outdated Prebid.js or Prebid Server version: Without at least Prebid.js 8.10 or Prebid Server 1.118, you’ll miss critical compliance features and may inadvertently break header bidding in key states.
– Misconfiguring your CMP: If your CMP does not correctly encode GPP strings, downstream modules will misinterpret consent, leading to excessive data blocking or, worse, non-compliance.
– Failing to test Activity Controls across states: Default logic is conservative. If relying on overrides, ensure all scenarios (opt-in, opt-out, child users, GPC signals) work as expected in staging before updating live.
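
One way to check the CMP pitfall above, and to see the section (SID) model described earlier in action, is to decode the GPP header and list the sections the CMP actually declared. This is an added example, not Prebid or IAB code. It assumes the header layout (6-bit type 3, 6-bit version, Fibonacci-coded section ID range) and section names (6 = uspv1, 7 = usnat, 8–12 = state sections) of the IAB GPP specification, and the sample strings in the comments are constructed.

```javascript
// Added example: decode the GPP header to see which sections a CMP declared.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
const US_SIDS = { 7: 'usnat', 8: 'usca', 9: 'usva', 10: 'usco', 11: 'usut', 12: 'usct' };

// Fibonacci-coded integer: bit i weighs the i-th Fibonacci number (1, 2, 3, 5, ...);
// two consecutive 1 bits end the number.
function readFib(bits, pos) {
  let value = 0, a = 1, b = 2, prev = '0';
  for (let i = pos; i < bits.length; i++) {
    if (bits[i] === '1') {
      if (prev === '1') return { value, next: i + 1 };
      value += a;
    }
    prev = bits[i];
    [a, b] = [b, a + b];
  }
  throw new Error('truncated Fibonacci integer in GPP header');
}

function gppSectionIds(gppString) {
  const bits = [...gppString.split('~')[0]].map((ch) => {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    return v.toString(2).padStart(6, '0');
  }).join('');
  if (parseInt(bits.slice(0, 6), 2) !== 3) throw new Error('not a GPP header');
  const count = parseInt(bits.slice(12, 24), 2); // 12-bit number of range items
  const ids = [];
  let pos = 24, last = 0;
  for (let n = 0; n < count; n++) {
    const isRange = bits[pos++] === '1';   // 0 = single ID, 1 = ID range
    let r = readFib(bits, pos);            // offset from the last ID seen
    const first = last + r.value;
    let end = first;
    if (isRange) { r = readFib(bits, r.next); end = first + r.value; }
    pos = r.next;
    for (let id = first; id <= end; id++) ids.push(id);
    last = end;
  }
  return ids;
}

// Constructed inputs: 'DBABLA~x' declares SID 7; 'DBABrw~x~y' declares SIDs 7-8.
function checkUsSections(gppString) {
  const ids = gppSectionIds(gppString);
  return {
    ids,
    us: ids.filter((id) => id in US_SIDS).map((id) => US_SIDS[id]),
    legacyUspOnly: ids.includes(6) && !ids.some((id) => id in US_SIDS),
    payloadCountMatches: gppString.split('~').length - 1 === ids.length,
  };
}
```

A result with an empty `us` list, `legacyUspOnly` set, or `payloadCountMatches` false for a US user means the CMP is not giving downstream modules a usable US section. The section payloads themselves are not decoded here.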

What this means for publishers

For publishers, these changes mean you must treat Prebid compliance not as a one-off technical upgrade, but as an ongoing operational requirement. Staying current with Prebid releases, coordinating closely with your CMP, and monitoring auction logs for unexpected anonymization or data loss are now critical parts of ad ops workflows.

Publishers also have more direct control over how US state privacy choices are enforced—but will need to balance legal risk, operational complexity, and potential revenue impact from more conservative data restrictions.

Practical takeaway

Publishers should immediately audit their Prebid.js and Prebid Server deployments for version compliance, ensuring their stacks support GPP 1.1 and the latest Activity Control modules. Work closely with your CMP to guarantee that GPP strings are correctly populated for all US users, and verify that your setup respects user choices under the law, particularly for children and sensitive data segments.

Document and test your Activity Control configurations—especially if implementing overrides—before going live. Review auction logs regularly to identify any overblocking that could affect monetization. Prioritize regular release upgrades to avoid missing out on evolving compliance features and to stay ahead of both regulatory developments and ad tech changes.