FAQ's About the NAI Code

  1. How does the NAI Code of Conduct work?
  2. What version of the NAI Code will be in effect in 2015?
  3. Does the Code cover business practices on mobile devices?
  4. What is the purpose of the commentary to the Code?
  5. How detailed should my privacy policy be in describing my data collection and use practices?
  6. There are already new developments that are not covered in the NAI Code. Doesn’t this create a major gap in your program?
  7. When was the NAI Code last revised?
  8. Who can enforce the NAI Code?

How does the NAI Code of Conduct work?

The Network Advertising Initiative’s Code of Conduct is a set of self-regulatory principles that help guide NAI members’ approach to privacy and data governance in connection with the collection and use of data for Interest-Based Advertising (IBA). NAI members include ad networks, exchanges, platforms, creative optimization firms, yield optimization firms, sharing utilities and other technology providers.

NAI member companies generally collect data for Interest-Based Advertising that is not customarily regarded to be personally identifiable information (PII) and is not defined as such in the NAI Code. Nevertheless, the Code requires NAI members to provide notice and choice with respect to the data collected and utilized to offer Interest-Based Advertising. The Code also limits the types of data that member companies can use for Interest Based Advertising purposes, and imposes a host of substantive restrictions on member companies' collection, use, and transfer of data used for Interest-Based Advertising.

What version of the NAI Code will be in effect in 2015? 

The Update to the 2015 Code of Conduct is effective as of June 1, 2015.

The 2013 Code of Conduct is effective from January 1, 2014, to May 31, 2015. Members' compliance obligations prior to January 1, 2014, were subject to the requirements of the 2008 version of the NAI Code. For more information about the history of the NAI code, click here.

Does the Code cover business practices on mobile devices?

As of September 1, 2015 the NAI is enforcing the 2015 Update to the Code of Conduct, which addresses member company practices in web browsers, on mobile devices. The NAI began enforcement of the 2015 Update to the Mobile Application Code, which addresses member company practices in mobile applications, on member on January 1, 2016.

The NAI encourages its member companies to commence a close review of both the 2015 Update to the Mobile Application Code. NAI recommends that members evaluate the steps necessary to bring their Cross-App Advertising businesses into compliance over the coming months and to identify possible technical or other issues that may affect their ability to fully implement the provisions in the 2015 Update to the Mobile Application Code. Specifically, members may begin working on updating their notices and user controls. The NAI’s goal is to help members bring their business in line with the NAI’s high standards prior to actual enforcement and compliance review by the NAI.

What is the purpose of the commentary to the Code?

The commentary to the NAI Code of Conduct was added for two principal reasons: 1) to provide additional information to explain the intent of the Code, and 2) to offer non-binding, illustrative guidance on ways to comply with the NAI Code. Information in the commentary is not intended to be either exhaustive or exclusive. In fact, this is made clear in the Code Commentary section, which states:

The purpose of the commentary is not to add substantive obligations on member companies or to alter the principles set forth in the Code itself. Instead, the commentary’s purpose is to explain the intent behind certain provisions of the Code. The commentary is also intended to provide examples of possible measures member companies may take to meet the substantive obligations of the Code.

How detailed should my privacy policy be in describing my data collection and use practices?

We recognize that members hear conflicting views from regulators and privacy advocates on what to include in privacy policies. On the one hand, a common criticism we hear from regulators and advocates is that privacy policies are too long and detailed, too “legalistic,” and that consumers don’t read them. On the other hand, regulators, advocates and class action lawyers have filed complaints, enforcement actions or lawsuits charging that privacy policies lack adequate detail. This creates an obvious Catch-22 for industry. As data collection becomes more complex, finding a way to balance the pressure for more and more detailed disclosures with countervailing pressures for simplified privacy statements is an increasing challenge. 

The NAI position is that notices should generally describe a member company’s data collection, use, disclosure and practices. NAI Code sets forth what descriptions and notice the NAI expects in a member’s privacy policy or privacy disclosure including, for instance, a description of Interest-Based Advertising activities undertaken by the member company and the types of data collected or used for Interest-Based Advertising. There is no “one size fits all” answer or template that NAI uses when evaluating a member’s privacy policy, since members engage in different practices and activities. 

The Commentary also suggests that members should describe their data collection and use practices in as clear and concise a manner as possible, and to disclose technologies used for Interest-Based Advertising and Ad Delivery and Reporting. However, NAI recognizes that it is important to strike the balance between conciseness and thoroughness.

Therefore, during the Code compliance review process, NAI staff will carefully review the member’s privacy policy, in conjunction with responses to the annual compliance review questionnaire, and will provide input from the NAI perspective about the level of detail that NAI staff believes is necessary to meet the notice requirements of the NAI Code. Again, the NAI cannot offer legal advice and compliance with the NAI Code does not necessarily assure compliance with all applicable regulations. Nor does compliance with the NAI Code indicate how other stakeholders might interpret the level of required disclosure in a member’s privacy policy in any given instance. 

There are already new developments that are not covered in the NAI Code. Doesn’t this create a major gap in your program? 

Technological changes involving digital activities are occurring at a dizzying rate. One of the strengths of self-regulation is that our system is nimble and flexible, and allows us to respond more quickly than regulation or legislation to those changes through our code update process. This involves a constant evaluation of changes, consideration by our Board and members of how our principles should be applied to new technologies, new uses and new situations, and also allows us to tap into our members’ expertise in developing possible updates. Our ability to consider member input that reflects application of general principles, as well as practical operational considerations, is what allows our Code to enjoy such strong support from members. Where there are evolving developments, we need time to gain some practical experience to be sure that we making the right sort of recommendations when we update the Code.

When was the NAI Code last revised?

The NAI's Self-Regulatory Code of Conduct was last updated in 2015.

The Code was first adopted in 2000, revised in 2008, and further revised in 2013. The Code is regularly reviewed in an effort to anticipate and respond to practical questions, technical and business process changes in our industry, and new issues raised by policymakers and advocates.

In response to questions from members, NAI staff worked with members to update the Code in 2015 in order intends to clarify certain obligations present in the 2013 Code of Conduct and the accompanying commentary in response to questions received by the NAI, rather than add new substantive requirements for member companies. For example, this Code clarifies that the practice of Retargeting currently carries the same obligations and requirements under the Code as Interest-Based Advertising (IBA). In addition, the Code explains that members' "Interest-Based Advertising" activities based on sensitive health conditions or treatments require "Opt-In Consent." Although these interpretations were discussed in the commentary to the 2013 Code of Conduct, they have been moved directly into the text of the Code in this 2015 update for additional clarity and emphasis that NAI staff views them as Code requirements.

The latest revision to the Code, completed in 2013, was the result of the convening of a Code Revision Working Group in February 2012. The Working Group was composed of dozens of NAI member companies who held numerous meetings over several months.  The Working Group, the NAI Board of Directors and NAI staff members evaluated and discussed the current advertising ecosystem and various, proposed updates to the Code. From that work, the NAI developed an updated draft Code of Conduct that was put out for public comment in March 2013. Both prior to publishing the draft and during the comment period, NAI staff solicited and received feedback and comments from the NAI's diverse membership. The 2013 NAI Code was formally approved by the NAI Board of Directors and announced at the NAI Summit in May 2013. It became effective on January 1, 2014. To review the final 2013 Code of Conduct, click here.

Who can enforce the NAI Code?

The NAI Code is a self-regulatory code. Only the NAI staff is authorized to interpret the requirements of the NAI Code and to enforce the NAI Code. Where NAI staff determines that there is an instance of non-compliance with the Code by a member, and a member refuses to implement the recommended steps to bring its practices into compliance, the NAI enforcement procedures allow NAI to refer the matter to the Federal Trade Commission (FTC). The referral is based on a theory that the member committed to adhere to the requirements of the NAI Code and failed to do so. In making such a referral, NAI does not ask the FTC to interpret its Code, but simply to address the member’s failure to comply with NAI’s interpretation and application of the NAI Code.