Submitted by Anthony Matyjas... on October 31, 2014

The use of health data in advertising continues to be a hot topic and the Federal Trade Commission (FTC) has long taken the view that information about health and medical conditions may be sensitive.  In a recent speech before the U.S. Chamber of Commerce, FTC Commissioner Julie Brill stated, “Here in the United States I believe we’ve reached a general consensus… that personal information about health is deeply sensitive.”  She continued, “I believe that realizing all the potential benefits of health data analytics will require us – policymakers, companies, research institutions and other stakeholders – to work to ensure strong, effective protections for health information....”

The NAI Code of Conduct is the “gold standard” for self-regulation of third party advertising technology companies and related businesses. Nearly 100 NAI members, who are among the most responsible companies in the online advertising ecosystem, provide the foundation for a thriving and diverse market of ad-supported free content and services while also upholding and preserving consumer trust.

At NAI, we want members, brands and, most importantly, consumers to realize all the potential benefits of advertising health-related products and services.  Like Commissioner Brill, we believe that we should have strong, effective protections for health information. Those protections should be developed by industry and enforced by industry. That’s exactly what we’ve done at NAI.

NAI members were the driving force for our organization to take a strong position that certain health conditions are sensitive and merit higher obligations for Interest-Based Advertising (IBA). The NAI Code of Conduct requires Opt-In Consent from consumers for the collection and use of Sensitive Health Data for IBA, and prohibits members from using, or allowing the use of, IBA data other than for marketing purposes. Thus, members are prohibited from using, or allowing the use of, health-related interest segments – or any other interest segments – for purposes such as determining eligibility for health insurance, life insurance, or employment.  “Interest segments” are groups of users and certain general interest categories that are inferred based on a variety of factors.  An example of a health-related interest segment would be “migraine sufferer” or a person with “back pain.”

NAI asks members to consider a variety of factors in determining whether a condition is sensitive, while also providing additional guidance on certain categories of health information that NAI staff would consider to be sensitive.  NAI staff guidance to members is that, to determine whether a particular health condition is likely to be precise or sensitive, NAI members should consider the “seriousness of the condition, its prevalence, whether it is something that an average person would consider to be particularly private in nature, whether it is treated by over-the-counter or prescription medications, and whether it can be treated by modifications in lifestyle as opposed to medical intervention.”  We go on to explain that “all types of cancer, mental health-related conditions, and sexually transmitted diseases” are examples of conditions that require Opt-In Consent.

Under this analysis, other conditions such as acne, high blood pressure, heartburn, cold and flu, and cholesterol management are not considered to be sensitive by NAI staff.  The Code does address the use of such interest segments for IBA as well, but does not require opt-in consent. 

However, if, for example, a digital media company is going to create segments on sensitive health categories like AIDS and HIV, anorexia/bulimia, generalized anxiety disorder, sexual dysfunction, sexually transmitted diseases, pregnancy termination, or menopause, NAI believes Opt-In Consent from the consumer is necessary.

Whether or not the source of the data for a segment on AIDS is a person’s medical records is not the question here. The use of medical records for IBA – which we believe is not done – would clearly require express affirmative consent from a patient, regardless of the condition or specific subject matter.

We fully concede that in many cases what is sensitive can be subjective.  For example, one consumer may consider baldness sensitive and another may not. As mentioned earlier, the NAI Code also requires members to publicly disclose any standard interest segments they use for IBA that are related to health conditions or treatments, even if those segments are not sensitive.  In turn, this allows consumers to view a member company’s standard health-related segments, and make their own determination about whether they wish to opt-out of that company’s data collection for IBA.

To be clear, NAI believes that it is both valuable and essential that companies advertise health care products to consumers.  There are many avenues for companies to do so effectively while complying with our high standards by advertising contextually on websites that address related topics, or in response to consumer searches about such topics, or in run of network campaigns, to list just a few examples.

However, if companies save a consumer’s past browsing behavior and use it to target an ad about a sensitive condition, the NAI Code requires members to limit such advertising to consumers who have expressed Opt-In Consent.

We are very proud of our standards regarding the use of health information for IBA.  Our standards on health information have been praised by the FTC (see video of FTC Commissioner Brill at the NAI Summit here) and privacy advocates as examples of responsible industry best practices.  Our Code is not perfect and we always welcome feedback from everyone - NAI members, other companies in the industry, privacy counsel, consumer advocates, and policy makers.  If you have questions about NAI or our health policies, please contact us.  And if you want to be part of the NAI and help develop our standards in the future, join now.

Submitted by Marc Groman on October 22, 2014

It is my passion for technology, innovation and privacy that first led me to NAI and it has been my privilege to serve as CEO for the past three years, but I've decided to pass the torch.  I am writing this post to share the news that I have decided not to renew my contract with NAI in order to pursue new opportunities and challenges. I have committed to staying until Spring 2015 to ensure a smooth transition while the Board identifies my successor. 

It has been an honor to work with the NAI Board, 12 of the most talented and experienced executives in the ad industry with a vision for both NAI and the future of the third party ad ecosystem.  

I am very proud of the amazing staff that we have attracted to NAI.  Our group of privacy professionals, ad industry veterans, computer scientists and data scientists is simply the best in the business.  It is our people who make NAI the leading self-regulatory association dedicated to responsible data collection and its use for digital advertising.  And the strength and talent of our team gives me full confidence that the future is bright for NAI.

Looking back, NAI has enjoyed many achievements over the past three years.  First, the NAI Code of Conduct has become the “gold standard” for self-regulation of third party advertising technology companies and related businesses.  At the same time, NAI has grown from a small association of ad networks based in Maine to a diverse organization with offices in New York City and Washington, DC.  We now count among our members 100 companies from across the globe that represent every facet of the third party advertising chain, both online and in mobile.  And we’ve created an annual Summit that brings together member organizations, regulators and legislators to discuss key areas of data security and consumer privacy. 

Underpinning all of this work is the recognition that the future of our dynamic industry hinges on the ability of all stakeholders to communicate, collaborate, and tackle the constantly evolving challenges together.

My commitment to self-regulation, innovation, and consumer privacy is not diminished, but I have determined that it is time for me to move on to new challenges.  I believe deeply in the mission of NAI and the value of robust self-regulation.  Successful self-regulation must start with high standards and be backed up with serious, ongoing compliance and enforcement.  NAI has both and I look forward to watching the organization continue to grow and prosper.

As for myself, I will continue to work on these issues, fueled by my passion for technology; the diverse, ad-supported Internet; and my deeply held belief that privacy is, and should always be, a core value of our society.

Submitted by Shaq Katikala on October 17, 2014

A blog post by Shaq Katikala, NAI's Compliance and Technology Fellow

NAI reviews its member companies’ compliance with the NAI Code of Conduct on an ongoing basis. Last year, we used an in-house automated tool that looked for issues in the functionality of opt-out cookies. As members fixed these issues promptly after notification, the tool helped consumers have a more consistent experience when exercising choice on the NAI’s opt-out page. 

Now, the online advertising ecosystem is transitioning away from cookies and moving to mobile devices, location data, and non-cookie technologies. With an eye to the future, NAI recently finished a major upgrade of our automated tool to spot compliance issues with new technologies and new devices. 

The new compliance software provides a more comprehensive view of the online activities of our members by looking at opt-outs, relevant data collection practices, and privacy policies. This tool is designed to detect opt-out errors on desktop browsers, mobile browsers, mobile apps, and other platforms. Using proprietary technology, it will be capable of producing insights on nearly all major forms of online data collection. That includes not just cookies, but location data, personal directory data, client-side storage, and active statistical identifiers. It also includes an integrated privacy policy scanner, which helps spot changes to members' business models and practices that may raise potential compliance questions. 

Ultimately, the updated tool should provide NAI with a unique view of the online advertising ecosystem and the ability to be technology-neutral in enforcing its Code of Conduct. Equipped with enhanced enforcement tools, NAI remains the gold standard of privacy for third party advertisers. The software is currently in its alpha stage and will be deployed shortly.

Submitted by NAI on October 10, 2014

On our blog, we'll be getting to know members of the NAI team by posting special Q&A interviews.  First up, Noga Rosenthal.  Noga is NAI's General Counsel and VP for Compliance & Policy.  

Noga, at NAI, you serve as general counsel and vice president of compliance and policy.   What are your chief responsibilities in that role?  What does an average day look like for you?


The main role that I play is helping our members ensure that they are complying with the NAI Code of Conduct.  I spend a lot of time working with members doing compliance reviews, inspecting members’ privacy policies for compliance with the Code and checking their opt-out mechanisms.

The most interesting part of my job is answering challenging and thought-provoking questions from NAI members regarding compliance with the Code.  It’s my job to help members find answers to those questions and how to apply the Code to their business.  These calls from members are always a challenge - which keeps my job always interesting.  They also make me realize how dedicated our members are to comply with the Code.

The best thing about working in ad-tech – and about working at NAI in particular - is that no two days are the same.  The technology is constantly changing and business practices are always evolving to keep up.  That means NAI is evolving, too.   

You joined NAI in 2013, but participated for years before that as an NAI member company representative.  How do you think your background impacts your work and perspective at NAI?

I began my career as a corporate attorney and then joined an ad-tech company where I was responsible for ensuring that users' privacy was considered when designing new products and services.  A key guide to this function was my being a representative of my company in the NAI and its Board.  As a result, I had unique and historical insight into the formation of the NAI policies and the reasoning behind those policies.  For example, I sat in on the drafting of the NAI Codes published in 2008 and 2013.  People might not know this, but NAI members are very much a part of the Code writing process.  The diversity of NAI's membership base means that competing interests are voiced and considered, which is especially valuable when putting together the NAI Code.

But, perhaps more importantly, my background helps me understand technology from the company side.  I understand the different roles companies play in the digital ecosystem which also helps me relate to our members when they have compliance questions.  I’ve been in our members’ positions and I pull from that experience when speaking to members.

You’ve just passed your one-year work anniversary with NAI - Congratulations!  Please share a few highlights of your time with NAI in the past year.

My job is interesting because I have a front row view to watching NAI members, leaders in ad-tech, leading and trying the latest and greatest services and products.  Sometimes I think that just keeping up with the acronyms could be a full time job!  Even with this push to move ahead with new products as quickly as possible, and the competitive pressures to move ahead fast, NAI members have an obvious desire to learn more about best practices and how to apply the Code to new products and services which I find impressive and inspiring.

Over the past six months, our team has once again been working hard with our members to help them ensure that they are in compliance with the NAI Code.  At this point, the NAI is ahead of where it was last year with annual reviews, with over half its members reviewed. The compliance review process should be done by the end of this month.  It has been a true pleasure working with members, talking to their employees, and understanding their business models even better.

You’ve said that now is an especially important time for NAI.  Can you outline some of the items and issues you see on the horizon?

Looking ahead, there is a lot of uncertainty in the ad-tech world.  This uncertainty stems from several places.  First, as I’ve mentioned, the technology is constantly changing and improving.  And, secondly, there is always concern about regulation and how it might impact our industry.

Of course, to see what's on the horizon, we don't have to look any further than our daily lives.   More and more of the activities in our lives now take place online.  And, with increasing regularity, we're accessing the internet from our mobile phones and tablets.  We're sharing personal information and leaving data records.  At NAI, we believe that consumer privacy needs to continue to be an important part of the conversation now and in the future.  NAI members are looking to us for guidance.  With our Code, we give our members the tools to do it right and I’m really proud of that.

These Q&A posts are designed to help readers get to know the NAI team members.  What is something you’d like readers to know about you?

I want people to know that, at NAI, we’re here to help.  We work with members to help them understand the Code by answering questions and providing educational seminars about the Code. We help members comply with the Code by ensuring that their opt outs are functioning properly. It’s clear to me that compliance isn’t simply enforcement for us.  NAI is up-front and transparent and the compliance team members are always available to answer questions.  After all, the Code works best when it is the result of dialogue between NAI and our members.