diff --git a/_data/sidebar.yml b/_data/sidebar.yml
index 305aa7afcf..553b4a59ce 100644
--- a/_data/sidebar.yml
+++ b/_data/sidebar.yml
@@ -431,6 +431,14 @@
   sectionTitle:
   subgroup: 5
 
+- sbSecId: 1
+  title: GDPR Enforcement
+  link: /dev-docs/modules/gdprEnforcement.html
+  isHeader: 0
+  isSectionHeader: 0
+  sectionTitle:
+  subgroup: 5
+
 - sbSecId: 1
   title: Consent Management - US Privacy (CCPA)
   link: /dev-docs/modules/consentManagementUsp.html
diff --git a/dev-docs/modules/consentManagement.md b/dev-docs/modules/consentManagement.md
index 22ebd538f5..b7b82630d8 100644
--- a/dev-docs/modules/consentManagement.md
+++ b/dev-docs/modules/consentManagement.md
@@ -24,18 +24,19 @@ This consent management module is designed to support the EU General Data Protec
 
 This module works with supported [Consent Management Platforms](https://www.cmswire.com/information-management/what-is-a-consent-management-platform/) (CMPs) to fetch an encoded string representing the user's consent choices and make it available for adapters to consume and process.
 
-{: .alert.alert-info :}
-See also the [Prebid Consent Management - US Privacy Module](/dev-docs/modules/consentManagementUsp.html) for supporting the California Consumer Protection Act (CCPA)
-
 {: .alert.alert-warning :}
 Prebid functionality created to address regulatory requirements does not replace each party's responsibility to determine its own legal obligations and comply with all applicable laws.
 **We recommend consulting with your legal counsel before determining how to utilize these features in support of your overall privacy approach.**
 
-Here's a summary of the interaction process:
+This base EU GDPR consent management module performs these actions:
 
 1. Fetch the user's GDPR consent data from the CMP.
 2. Incorporate this data into the auction objects for adapters to collect.
-3. Proceed with the auction.
+
+The optional [GDPR enforcement module](/dev-docs/modules/gdprEnforcement.html) adds on these actions:
+
+3. Allows the page to define which activities should be enforced at the Prebid.js level.
+4. Actively enforces those activities based on user consent data.
 
 In the case of a new user, CMPs will generally respond only after there is consent information available (i.e., the user has made their consent choices).
 Making these selections can take some time for the average user, so the module provides timeout settings.
@@ -184,10 +185,12 @@ Follow the basic build instructions in the GitHub Prebid.js repo's main [README]
 gulp build --modules=consentManagement,bidAdapter1,bidAdapter2
 {% endhighlight %}
 
+You can also use the [Prebid.js Download](/download.html) page.
+
 ## Adapter Integration
 
 {: .alert.alert-info :}
-Prebid.js adapters don't need to change to support TCF v2.0 if they already support TCF 1.1 -- the consent string is passed through the same bidrequest location. The bidder's endpoint, however, will need to change to support TCF v2.0. Once the endpoint supports TCF2, you can update the documentation.md file as described below above the table showing the list of TCF2-compliant bidders. 
+Prebid.js adapters don't need to change to support TCF v2.0 if they already support TCF 1.1 -- the consent string is passed through the same bidrequest location. The bidder's endpoint, however, will need to change to support TCF v2.0. Once the endpoint supports TCF2, you can update the documentation.md file as described below above the table showing the list of TCF2-compliant bidders.
 
 If you are submitting changes to an adapter to support this approach, please also submit a PR to the [docs repo](https://github.com/prebid/prebid.github.io) to add the `gdpr_supported: true` variable to your respective page in the [bidders directory](https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders).  **This will ensure that your adapter's name will automatically appear on the list of adapters supporting GDPR.**
 
@@ -379,7 +382,7 @@ This should be be set to true once the parameters listed above are processed.
 
 ## Adapters Supporting TCF v1.1
 
-Bidders on this list have self-declared their TCF 1.1 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding "gdpr_supported: true". 
+Bidders on this list have self-declared their TCF 1.1 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding "gdpr_supported: true".
 
 <script src="/assets/js/dynamicTable.js" type="text/javascript"></script>
 
@@ -405,7 +408,7 @@ var idx_gdpr=0;
 
 ## Adapters Supporting TCF v2.0
 
-Bidders on this list have self-declared their TCF 2.0 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding "tcf2_supported: true". 
+Bidders on this list have self-declared their TCF 2.0 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding "tcf2_supported: true".
 
 <script type="text/javascript">
 var adaptersSupportingGdpr2=[];
@@ -426,3 +429,9 @@ var idx_gdpr=0;
            writeDynamicTable({div: "adaptersTableGdpr2", data: "adaptersSupportingGdpr2", sort: "rowFirst", striped: false} );
         </script>
 </div>
+
+## Further Reading
+
+- [GDPR Enforcement Module](/dev-docs/modules/gdprEnforcement.html)
+- [IAB Transparancy and Consent Framework Policies](https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/)
+- [Prebid Consent Management - US Privacy Module](/dev-docs/modules/consentManagementUsp.html)
diff --git a/dev-docs/modules/gdprEnforcement.md b/dev-docs/modules/gdprEnforcement.md
new file mode 100644
index 0000000000..eb0caf12bc
--- /dev/null
+++ b/dev-docs/modules/gdprEnforcement.md
@@ -0,0 +1,201 @@
+---
+layout: page_v2
+page_type: module
+title: GDPR Enforcement Module
+description: Module to enforce GDPR consent
+module_code : gdprEnforcement
+display_name : GDPR Enforcement
+enable_download : true
+sidebarType : 1
+---
+
+# GDPR Enforcement Module
+{: .no_toc }
+
+* TOC
+{: toc }
+
+{: .alert.alert-warning :}
+This module requires the [EU GDPR consent management module](/dev-docs/modules/consentManagement.html), which reads consent values from the Consent Management Platform (CMP). The GDPR enforcement module
+will then enforce the results. See the base module page for general background, usage, and legal disclaimers.
+
+## Overview
+
+The base [EU GDPR consent management module](/dev-docs/modules/consentManagement.html) performs the following actions:
+
+1. Fetch the user's GDPR consent data from the CMP.
+2. Incorporate this data into the auction objects for adapters to collect.
+
+This GDPR enforcement module adds the following:
+
+3. Allows the page to define which activities should be enforced at the Prebid.js level.
+4. Actively enforces those activities based on user consent data.
+
+The following table details the Prebid.js activities that fall under the [Transparency and Consent Framework (TCF)](https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/) scope:
+
+{: .table .table-bordered .table-striped }
+| TCF Purpose | In-Scope Activity | Enforcement Activity | Optional Controls |
+| --- | --- | --- | --- |
+| Purpose 1 - Store and/or access information on a device | usersync pixels | May prevent one or more vendor usersyncs. | Do not enforce Purpose 1. Do not enforce Purpose 1 vendor signals. Do not enforce Purpose 1 for vendor V. |
+| Purpose 1 - Store and/or access information on a device | user ID modules | May prevent one or more UserID modules from activating. | Do not enforce Purpose 1. Do not enforce Purpose 1 vendor signals. Do not enforce Purpose 1 for vendor V. |
+| Purpose 1 - Store and/or access information on a device | device storage | May prevent one or more adapters or modules from being able to read or write cookies or localstorage in the user's browser. | Do not enforce Purpose 1. Do not enforce Purpose 1 vendor signals. Do not enforce Purpose 1 for vendor V. |
+
+There are plans to add more TCF Purposes and activities in future releases.
+
+## Page Integration
+
+A page needs to define configuration rules about how Prebid.js should enforce each in-scope activity.
+
+{: .alert.alert-warning :}
+**Important Legal Note:** Prebid.org cannot provide legal advice about GDPR or any other governmental regulation. Our aim is to provide a toolkit of functionality that will let publishers configure header bidding as defined by their legal counsel. We will consider feature suggestions, and review any code offered by the community.
+
+These are the fields related to GDPR enforcment that are supported in the [`consentManagement.gdpr`](/dev-docs/modules/consentManagement.html) object:
+
+{: .table .table-bordered .table-striped }
+| Param | Type | Description | Example |
+| --- | --- | --- | --- |
+| gdpr.rules | `Array of Objects` | Lets the publisher override the default behavior. | |
+| gdpr.rules[].purpose | `String` | The only currently supported value is "storage", corresponding to TCF Purpose 1. | "storage" |
+| gdpr.rules[].enforcePurpose | `Boolean` | Determines whether to enforce the purpose consent or not. The default in Prebid.js 3.x is not to enforce purposes. The plan for Prebid.js 4.0 is to enforce consent for Purpose 1 and no others. | true |
+| gdpr.rules[].enforceVendor | `Boolean` | Determines whether to enforce vendor signals for this purpose or not. The default in Prebid.js 3.x is not to enforce vendor signals. The plan for Prebid.js 4.0 to enforce signals for Purpose 1 and no others. | true |
+| gdpr.rules[].vendorExceptions | `Array of Strings` | Defines a list of biddercodes or module names that are exempt from the enforcement of this Purpose. | true |
+
+Note:
+
+- The vendorExceptions list is based on Prebid.js biddercodes instead of Global Vendor List (GVL) IDs, i.e. "rubicon" instead of "52". This was done to accomodate Prebid.js modules and adapters that don't have GVL IDs.  
+
+### Examples
+
+The following examples cover a range of use cases and how Prebid.js supports
+configuration of different business rules.
+
+1) Enforce that the user consents to DeviceAccess as an activity and consider their per-vendor selection.
+
+```
+pbjs.setConfig({
+  consentManagement: {
+    gdpr: {
+      ...
+      rules: [{
+        purpose: "storage",
+        enforcePurpose: true,
+        enforceVendor: true
+      }
+    }
+  }
+});
+```
+
+2) Enforce that the user consents to DeviceAccess as an activity and consider their per-vendor selection. However, BidderA is a special case - the publisher has entrusted BidderA for this activity regardless of what the user says.
+
+      ...
+      rules: [{
+        purpose: "storage",
+        enforcePurpose: true,
+        enforceVendor: true,
+        vendorExceptions: ["bidderA"]
+      }
+
+3) Enforce that the user consents to DeviceAccess as an activity, but don't consider their per-vendor selection.
+
+      ...
+      rules: [{
+        purpose: "storage",
+        enforcePurpose: true,
+        enforceVendor: false,
+      }
+
+4) Enforce that the user consents to DeviceAccess as an activity, but don't consider their per-vendor selection for any bidders except BidderA. BidderA is entrusted to enforce the rules on their own.
+
+      ...
+      rules: [{
+        purpose: "storage",
+        enforcePurpose: true,
+        enforceVendor: false,
+        vendorExceptions: ["bidderA"]
+      }
+
+5) Turn off enforcement of Purpose 1: don't enforce either the user's DeviceAccess consent or their per-vendor selection.
+
+      ...
+      rules: [{
+        purpose: "storage",
+        enforcePurpose: false,
+        enforceVendor: false
+      }
+
+6) Don't enforce the user's DeviceAccess consent, but do consider their per-vendor selection.
+
+      ...
+      rules: [{
+        purpose: "storage",
+        enforcePurpose: false,
+        enforceVendor: true
+      }
+
+7) Don't enforce the user's DeviceAccess consent, but do consider their per-vendor selection; don't enforce vendor selection for BidderA.
+
+      ...
+      rules: [{
+        purpose: "storage",
+        enforcePurpose: false,
+        enforceVendor: true,
+        vendorExceptions: ["bidderA"]
+      }
+
+## Basic Enforcement
+
+Prebid.js does not have access to the Global Vendor List (GVL), so it implements
+a "basic" form of TCF validation using the supplied consent string.
+
+A goal of basic enforcement is to confirm that there's enough evidence of consent to pass data on to vendors who do have access to the GVL and can fully parse and enforce.
+
+Before allowing an activity tied to a TCF-protected Purpose for a given vendor, one of these scenarios must be true:
+
+- Configuration rules enforce both consent and vendor signals and either:
+  - we have the user’s purpose consent and the user’s vendor consent, or
+  - we confirmed the user’s LI (Legitimate Interest) Transparency is established for this purpose and the user’s Vendor LI field didn’t reject this vendor.
+- Configuration rules enforce only purpose consent and either:
+  - we have the user’s purpose consent, or
+  - we confirmed the user’s LI Transparency is established for this purpose.
+- Configuration rules enforce only vendor signals and either:
+  - we have the user’s vendor consent, or
+  - we confirmed the user’s Vendor LI field didn’t reject this vendor
+- Configuration rules enforce neither purpose consent nor vendor signal.
+
+Technically these rules are defined as follows:
+
+1. enforcePurpose[P]==true AND PurposesConsent[P]==1 AND enforceVendor[P,V]==true AND VendorConsentBitfield[V]==1
+1. enforcePurpose[P]==true AND PurposesConsent[P]==1 AND enforceVendor[P,V]==false
+1. enforcePurpose[P]==false AND enforceVendor[P,V]==true AND VendorConsentBitfield[V]==1
+1. enforcePurpose[P]==true AND PurposesLITransparency[P]==1 AND enforceVendor[P,V]==true AND VendorLegitimateInterestBitfield[V]==1
+1. enforcePurpose[P]==true AND PurposesLITransparency[P]==1 AND enforceVendor[P,V]==false
+1. enforcePurpose[P]==false AND enforceVendor[P,V]==true AND VendorLegitimateInterestBitfield[V]==1
+1. enforcePurpose[P]==false AND enforceVendor[P,V]==false
+
+Where:
+
+- P is the Purpose number
+- V is the vendor ID
+- 'enforcePurpose' and 'enforceVendor' are Prebid.js config rules
+- 'PurposesConsent' is the consent string field of the same name
+- 'VendorConsentBitfield' is the consent string 'Vendor Consent Section'
+- 'PurposesLITransparency' is the consent string field of the same name
+- 'VendorLegitimateInterestBitfield' is the consent string 'Vendor Legitimate Interest Section'
+
+See the [IAB TCF Consent String Format](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md) for details.
+
+## Build the Package
+
+Follow the basic build instructions in the GitHub Prebid.js repo's main [README](https://github.com/prebid/Prebid.js/blob/master/README.md). Include the base consent management module and this enforcement module as additional options on the **gulp build** command:
+
+{% highlight bash %}
+gulp build --modules=consentManagement,gdprEnforcement,bidAdapter1,bidAdapter2
+{% endhighlight %}
+
+You can also use the [Prebid.js Download](/download.html) page.
+
+## Further Reading
+
+- [EU GDPR Consent Management Module](/dev-docs/modules/consentManagement.html)
+- [IAB TCF Consent String Format](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md)
diff --git a/dev-docs/modules/index.md b/dev-docs/modules/index.md
index 1db7e6a8e9..41806bdfab 100644
--- a/dev-docs/modules/index.md
+++ b/dev-docs/modules/index.md
@@ -31,7 +31,7 @@ If you are looking for bidder adapter parameters, see [Bidders' Params]({{site.b
 | Module              | Description  |
 |---------------------+--------------|
 | [**Currency**](/dev-docs/modules/currency.html) | Converts bid currency into ad server currency based on data in a supplied exchange rate file. |
-| **ConsentManagement** | Facilitates collecting and passing consent information in support of privacy regulations: [EU GDPR](/dev-docs/modules/consentManagement.html) and [US Privacy](/dev-docs/modules/consentManagementUsp.html) (CCPA). |
+| **ConsentManagement** | Collecting and passing consent information in support of privacy regulations:{::nomarkdown}<ul><li><a href="/dev-docs/modules/consentManagement.html">EU GDPR</a> with optional <a href="/dev-docs/modules/gdprEnforcement.html">GDPR Enforcement</a> module</li><li><a href="/dev-docs/modules/consentManagementUsp.html">US Privacy</a> (CCPA)</li></ul>{:/} |
 | [**Google Ad Manager Express**](/dev-docs/modules/dfp_express.html) | A simplified installation mechanism for publishers that have Google Publisher Tag (GPT) ad calls in their pages. |
 | [**Supply Chain Object**](/dev-docs/modules/schain.html) | Validates and makes the Supply Object available to bidders |
 | [**User ID**](/dev-docs/modules/userId.html) | Sub-modules are available to support a range of identification approaches: Criteo RTUS, DigiTrust, ID5 Universal ID, IdentityLink, PubCommon ID, and Unified ID. |