Submitted by Ryan Cliche on November 13, 2014

Organizations ranging from PLI to the International Association of Privacy Professionals (IAPP) frequently call on NAI Board members to serve as faculty and lecturers when these groups organize sessions on digital advertising and privacy. That’s because our Board includes leaders in the industry, both on the privacy front and in terms of practical and in-depth knowledge of the ad industry.

Last week, we wrote about NAI’s participation in the International Association of Privacy Professionals’ (IAPP) Digital Advertising & Privacy conference in NYC. The sold-out event featured several NAI members as speakers and panelists. NAI was specifically highlighted by Maneesha Mithal, the Associate Director of the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection, who stated that NAI’s program is the type of self-regulatory program “we are talking about...self-regulation with teeth.”

NAI again demonstrated this week why it is the leading self-regulatory association dedicated to responsible data collection and its use for digital advertising. Four NAI leaders participated as faculty in a one-day PLI program “Tracking and Targeting Customers and Prospects.”

NAI Board member Shane Wiley, who is Vice President of Privacy & Data Governance, Yahoo!, opened with a technical deep dive. He covered how cookies, local storage, device IDs, and other common Internet technologies work as well as the nuts and bolts of server calls and cookie syncing.

NAI Vice-Chair Alan Chapell, who is President of Chapell and Associates, followed with a discussion of AdTech business models, from IBA to contextual to cross-device targeting and attribution. He further discussed different business models from networks to DMPs to SSPs, DSPs, and exchanges. Alan explored the basics of addressability and reviewed the history and development of privacy rules for digital advertising including the genesis of NAI back in 2000.

Alan looked ahead at what privacy lawyers should be thinking about as they advise clients regarding new business models. He suggested that lawyers need to consider the different sources of data such as online, offline, mobile, iTV, IoTs, and wearables. He noted that different sources, at least today, raise different issues. As one example, how will self-regulation or legislation address data collection by devices that have no interface with consumers? Lawyers should think about how data is collected (active v. passive) as well as the type of entity that is obtaining the data. That may include ecommerce platforms, ISPs, ad servers, exchanges or credit bureaus. Alan concluded his session by examining privacy controls such as DNT, platform level controls, browser level controls, and NAI’s industry-wide opt-out page for interest-based advertising (IBA).

NAI’s newest Board member, Ted Lazarus, Director of Google’s Legal Department, led an engaging discussion about the role of privacy counsel in today's rapidly evolving digital ad ecosystem. He highlighted the need for companies to have policies and procedures in place to help ensure that privacy issues are addressed early in the development of new technologies and business models. Ted noted that there often will not be direct precedent or clear industry standards when developing policies for new business models, and suggested that lawyers look to existing self-regulatory codes such as the NAI Self-Regulatory Code of Conduct as potential guidance.

NAI President & CEO Marc Groman explained that the NAI’s role is to help promote consumer privacy and trust in this market by creating and enforcing high standards for responsible data collection and use practices online and in mobile environments among its members. Marc further explained that the NAI accomplishes this through a body of self-regulatory policies – the NAI Code – and through a robust compliance and enforcement program that helps members meet these high standards, and holds them accountable.

It was a great day that once again showed why the NAI Board is so unique. Our Board members are not only experts in privacy, but they are industry leaders in business and advertising. They understand privacy issues and online advertising, and thus can craft thoughtful, practical, scalable standards that benefit everyone. In sum, our Board members are privacy executive all-stars from the advertising industry - a unique talent pool in its composition and depth, with a cross-section of experience.

Submitted by Noga Rosenthal on November 7, 2014

I attended the International Association of Privacy Professionals’ Digital Advertising & Privacy conference in NYC. The sold-out event hit some of the hottest and most critical issues in privacy today and also showcased why NAI is the leading self-regulatory association dedicated to responsible data collection and its use for digital advertising.

Not only did the conference speakers and panelists include several NAI members and staff, but NAI was specifically highlighted by a federal regulator who hailed the “great work” undertaken by our organization.

In the keynote address by Maneesha Mithal, the Associate Director of the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection, she praised self-regulation, and specifically called out NAI. Mithal stated that, at the FTC, NAI’s program is the type of self-regulatory program “we are talking about...self-regulation with teeth.” That high praise from a federal regulator makes us proud!

Later in the day, Lael Bellamy, Chief Privacy Counsel of the Weather Channel, noted that when she partners with third parties she always does her due diligence by first asking for NAI membership. She demands an explanation from any network or third party who is not an NAI member. She praised both the NAI’s standards and our hallmark compliance program.

Our own Marc Groman (NAI’s President and CEO) had earlier opened the conference with a presentation - Ad Tech 101 for Privacy Counsel.  This introductory session about the digital advertising industry helped set the stage for the panels to follow, covering everything from cookies, cookie syncing and new tracking technologies to an overview of the diverse players in the digital advertising ecosystem.  Marc explained the value that responsible third parties bring to the table, helping brands reach the right consumers at the right time with the right ads while also helping publishers maximize revenue for their ad inventory. 

The first panel of the day covered onboarding offline data and featured Becky Burr, Deputy General Counsel & CPO of NAI member company, Neustar. The key takeaway from this panel was how NAI members apply the NAI Code of Conduct to onboarding offline data and best practices for maintaining the separation between Personally Identifiable Information and Non-Personally Identifiable Information.

That panel was followed by our own Shaq Katikala, NAI's Compliance and Technology Fellow, who conducted the first-ever public demonstration of NAI’s state-of-the-art privacy policy scanner. (Read Shaq’s earlier blog post for more information.) As our members know, NAI staff reviews members’ privacy policies on an annual basis to help members ensure that they are in compliance with the NAI Code of Conduct.

The NAI is now utilizing this tool that scans members’ privacy policies on a continuous basis in an effort to move towards real-time compliance and ongoing checks. The scanner helps pick up any changes to a member’s privacy policy, helps flag any business model changes as indicated in a privacy policy, and helps staff stay connected with members. As always, it is the NAI’s goal to find potential issues before they could become a problem for both consumers and our member companies.

The use of precise location information for mobile advertising was also addressed on a panel in the afternoon that included The Weather Channel’s Lael Bellamy and the FTC’s Melinda Claybaugh, who confirmed that the FTC views this information as sensitive and requires higher obligations than other types of data.  The panel discussed the challenges of obtaining consent for the use of location information by third parties as well as the lack of specificity about what is meant by “precise” location v. location generally.

The day wrapped up with a lively panel about cross-device. NAI Board Members Alexis Goltra, Chief Privacy Officer and Asst. General Counsel for Privacy & Security at Oracle, and David Wainberg, Privacy & Policy Counsel at AppNexus, led this discussion. One takeaway was the need for self-regulation to step into this space and help industry define best practices, particularly concerning what type of choice should be offered to consumers around data collection and use in cross-device advertising.

In sum, the panels generated animated discussions around the broad range of issues and challenges facing all NAI members.  The panelists represented all facets of the ad tech industry, bringing their experience and knowledge to an engaged and curious audience.  We are proud of the number of NAI members and staff who participated on these panels, showing the central role of the NAI in the ad tech industry.

Submitted by Anthony Matyjas... on October 31, 2014

The use of health data in advertising continues to be a hot topic and the Federal Trade Commission (FTC) has long taken the view that information about health and medical conditions may be sensitive.  In a recent speech before the U.S. Chamber of Commerce, FTC Commissioner Julie Brill stated, “Here in the United States I believe we’ve reached a general consensus… that personal information about health is deeply sensitive.”  She continued, “I believe that realizing all the potential benefits of health data analytics will require us – policymakers, companies, research institutions and other stakeholders – to work to ensure strong, effective protections for health information....”

The NAI Code of Conduct is the “gold standard” for self-regulation of third party advertising technology companies and related businesses. Nearly 100 NAI members, who are among the most responsible companies in the online advertising ecosystem, provide the foundation for a thriving and diverse market of ad-supported free content and services while also upholding and preserving consumer trust.

At NAI, we want members, brands and, most importantly, consumers to realize all the potential benefits of advertising health-related products and services. Like Commissioner Brill, we believe that we should have strong, effective protections for health information. Those protections should be developed by industry and enforced by industry. That’s exactly what we’ve done at NAI.

NAI members were the driving force for our organization to take a strong position that certain health conditions are sensitive and merit higher obligations for Interest-Based Advertising (IBA). The NAI Code of Conduct requires Opt-In Consent from consumers for the collection and use of Sensitive Health Data for IBA, and prohibits members from using, or allowing the use of, IBA data other than for marketing purposes. Thus, members are prohibited from using, or allowing the use of, health-related interest segments – or any other interest segments – for purposes such as determining eligibility for health insurance, life insurance, or employment. “Interest segments” are groups of users and certain general interest categories that are inferred based on a variety of factors. An example of a health-related interest segment would be “migraine sufferer” or a person with “back pain.”

NAI asks members to consider a variety of factors in determining whether a condition is sensitive, while also providing additional guidance on certain categories of health information that NAI staff would consider to be sensitive.  NAI staff guidance to members is that, to determine whether a particular health condition is likely to be precise or sensitive, NAI members should consider the “seriousness of the condition, its prevalence, whether it is something that an average person would consider to be particularly private in nature, whether it is treated by over-the-counter or prescription medications, and whether it can be treated by modifications in lifestyle as opposed to medical intervention.”  We go on to explain that “all types of cancer, mental health-related conditions, and sexually transmitted diseases” are examples of conditions that require Opt-In Consent.

Under this analysis, other conditions such as acne, high blood pressure, heartburn, cold and flu, and cholesterol management are not considered to be sensitive by NAI staff.  The Code does address the use of such interest segments for IBA as well, but does not require opt-in consent. 

However, if, for example, a digital media company is going to create segments on sensitive health categories like AIDS and HIV, anorexia/bulimia, generalized anxiety disorder, sexual dysfunction, sexually transmitted diseases, pregnancy termination, or menopause, NAI believes Opt-In Consent from the consumer is necessary.

Whether or not the source of the data for a segment on AIDS is a person’s medical records is not the question here. The use of medical records for IBA – which we believe is not done – would clearly require express affirmative consent from a patient, regardless of the condition or specific subject matter.

We fully concede that in many cases what is sensitive can be subjective. For example, one consumer may consider baldness sensitive and another may not. As mentioned earlier, the NAI Code also requires members to publicly disclose any standard interest segments they use for IBA that are related to health conditions or treatments, even if those segments are not sensitive. In turn, this allows consumers to view a member company’s standard health-related segments, and make their own determination about whether they wish to opt out of that company’s data collection for IBA.

To be clear, NAI believes that it is both valuable and essential that companies advertise health care products to consumers.  There are many avenues for companies to do so effectively while complying with our high standards by advertising contextually on websites that address related topics, or in response to consumer searches about such topics, or in run of network campaigns, to list just a few examples.

However, if companies save a consumer’s past browsing behavior and use it to target an ad about a sensitive condition, the NAI Code requires members to limit such advertising to consumers who have expressed Opt-In Consent.

We are very proud of our standards regarding the use of health information for IBA. Our standards on health information have been praised by the FTC (see video of FTC Commissioner Brill at the NAI Summit here) and privacy advocates as examples of responsible industry best practices. Our Code is not perfect and we always welcome feedback from everyone - NAI members, other companies in the industry, privacy counsel, consumer advocates, and policy makers. If you have questions about NAI or our health policies, please contact us. And if you want to be part of the NAI and help develop our standards in the future, join now.

Submitted by Marc Groman on October 22, 2014

It is my passion for technology, innovation and privacy that first led me to NAI and it has been my privilege to serve as CEO for the past three years, but I've decided to pass the torch.  I am writing this post to share the news that I have decided not to renew my contract with NAI in order to pursue new opportunities and challenges. I have committed to staying until Spring 2015 to ensure a smooth transition while the Board identifies my successor. 

It has been an honor to work with the NAI Board, 12 of the most talented and experienced executives in the ad industry with a vision for both NAI and the future of the third party ad ecosystem.  

I am very proud of the amazing staff that we have attracted to NAI.  Our group of privacy professionals, ad industry veterans, computer scientists and data scientists is simply the best in the business.  It is our people who make NAI the leading self-regulatory association dedicated to responsible data collection and its use for digital advertising.  And the strength and talent of our team gives me full confidence that the future is bright for NAI.

Looking back, NAI has enjoyed many achievements over the past three years.  First, the NAI Code of Conduct has become the “gold standard” for self-regulation of third party advertising technology companies and related businesses.  At the same time, NAI has grown from a small association of ad networks based in Maine to a diverse organization with offices in New York City and Washington, DC.  We now count among our members 100 companies from across the globe that represent every facet of the third party advertising chain, both online and in mobile.  And we’ve created an annual Summit that brings together member organizations, regulators and legislators to discuss key areas of data security and consumer privacy. 

Underpinning all of this work is the recognition that the future of our dynamic industry hinges on the ability of all stakeholders to communicate, collaborate, and tackle the constantly evolving challenges together.

My commitment to self-regulation, innovation, and consumer privacy is not diminished, but I have determined that it is time for me to move on to new challenges.  I believe deeply in the mission of NAI and the value of robust self-regulation.  Successful self-regulation must start with high standards and be backed up with serious, ongoing compliance and enforcement.  NAI has both and I look forward to watching the organization continue to grow and prosper.

As for myself, I will continue to work on these issues, fueled by my passion for technology; the diverse, ad-supported Internet; and my deeply held belief that privacy is, and should always be, a core value of our society.