Back to top


Submitted by Leigh Freund on December 5, 2017

NAI's travel bonanza is continuing at the start of this holiday season.  This postcard comes from London, where the city is alight with holiday decorations and abuzz with the news of a royal engagement.

I’m writing with news that is more regulatory than regal, but it is still important!  Last week, the IAB Europe published a working paper on consent under the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, and announced a new technical standard to support the digital advertising ecosystem in meeting the GDPR’s new requirements for user consent.

The working paper and consent standard are products of the IAB Europe’s GDPR Implementation Working Group (GIG), which has been leading this initiative.  The GIG brings together leading experts from across the digital advertising industry, including the NAI and many of our members, to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector.

NAI’s technical and policy staff have been representing our member companies’ interests while actively contributing to the GIG’s progress.

The IAB Europe’s working paper on consent is the third in a series of working papers published by the GIG; all papers are available on the IAB Europe’s website.  The purpose of this paper is to explain the definition of consent under the GDPR, and the practical implications of using consent as a legal basis for processing personal data in the online advertising ecosystem. Download the working paper on consent here.

The consent standard was unveiled at last week’s EDAA 2nd Annual Summit, which brought together 200 participants including advertisers, agencies, ad tech, and media in London.  The standard is a technical mechanism designed to enable websites, advertisers, and their ad technology partners to make robust disclosures regarding data collection and use, as well as obtain, record, and update consumers’ consent for their personal data to be processed, as outlined in the GDPR. Moreover, the mechanism enables transmission of user consent choices throughout the digital advertising ecosystem, increasing accountability in the supply chain by enabling the creation of consent records and an audit trail.

Key features of the consent standard include:

  • Works on mobile devices and desktop devices alike.
  • Enables dynamic disclosure by first parties of third-party advertising partners and the purposes for which they collect and process data.
  • Allows obtaining “global” or “service-specific” affirmative consent, as well as updating consent choices and withdrawing consent.
  • Enables the transmission of user consent choices to third-party advertising partners.
  • Increases accountability in the advertising ecosystem by enabling the creation of consent records and an audit trail.
  • Expedites compliance as it can be deployed before the date of application of the GDPR.

IAB Europe is inviting broader industry engagement over the coming months with an eye toward building cross-industry consensus and fostering a commitment to the standard, the principles around its use, its implementation, and the governance underpinning the tool.

NAI will continue to actively represent its members in the GIG, and work to finalize and implement the consent standard. We also urge NAI members to become independently involved in this industry initiative. Sign up for notifications from the IAB Europe’s mailing list to remain updated on any developments.  More information is available in the full press release here.

Our "postcards from..." series will soon take a short hiatus as the NAI staff spends some time with family and friends over the holidays.  We'll be back in January and first up will be a glimpse at the digital advertising industry's best new technology from CES in Las Vegas.

Best wishes for a very happy holiday season!

Submitted by Leigh Freund on November 29, 2017

Greetings from Brussels, the land of French fries and beer, and now the epicenter of fierce efforts to achieve compliance with the historic European privacy regulation, the General Data Protection Regulation (GDPR).

I had the privilege of representing NAI members at two major privacy events in Brussels: the in-person meeting for the IAB Europe’s GDPR Implementation Working Group and the IAPP Data Protection Congress (DPC) 2017.

First on the agenda was the third in-person meeting of the IAB Europe's GDPR Implementation Working Group (GIG).  It was a great privilege to be able to participate in the GIG, which is comprised of IAB Europe member company representatives (many of whom are also NAI members).  The GIG is committed to helping the digital advertising technology industry create and implement meaningful business and technology solutions to comply with the new privacy requirements of the GDPR and, eventually, the new ePrivacy Regulation.  No small feat!

Here are some take-aways from our meeting:

  • The IAB Europe has provided timely, thoughtful, and visionary leadership in helping companies prepare for the GDPR, as well as tireless efforts to advocate for its members before European institutions. They definitely deserve a round of applause, and maybe one of those tasty Belgian beers! (Click on the link for a recap of IAB’s thought leadership materials on privacy and data protection.)
  • The GIG and its members have done an incredible amount of work in a short time with the goal of enabling digital advertising technology companies to comply with the requirements of the GDPR without infringing on either European citizens' fundamental right to privacy and data protection or advertising companies’ capability to deliver the services and products that are so essential to a free and thriving internet economy.
  • The IAB Europe, as an active leader in the broader advertising industry comprising, publishers, agencies, and marketers, has been working hard to build consensus across the entire European digital advertising industry for an industry-built and supported technology mechanism that will facilitate consumer consent when needed as a legal basis for processing data. Here are some key features of the consent solution, the details of which will be announced soon:
    • The solution will work on both mobile and desktop devices;
    • First parties will be able to dynamically disclose third party advertising partners and the purposes for which they collect and process data, and transmit user consent choices to such third party partners;
    • Consent can be obtained through the tool for either “global” or “service-specific” affirmative consent, and such consent can be updated or withdrawn;
    • Solution participants will have the ability to enable the creation of consent records and an audit trail, creating increased accountability;
    • The consent solution will be deployed before the date of application of the GDPR.
  • The official IAB Europe announcement about the consent solution was released yesterday and includes additional details.

From the GIG meeting, I headed to the IAPP Data Protection Congress 2017. Here are some of my impressions from the DPC:

  • The conference was completely sold out.  The number of attendees and the diversity of the organizations and companies present indicate the seriousness with which the industry is approaching this groundbreaking privacy regulation.
  • If real estate is all about "location, location, location,” then DPC this year was all about "GDPR, GDPR, GDPR." The vast majority of the panels and keynote presentations addressed GDPR readiness and compliance, and the implications for privacy programs - and privacy professionals - across the globe.  Even the vendors at the DPC were focused on GDPR, promoting comprehensive suites of GDPR compliance and management solutions, from internal data mapping and privacy impact assessment tools, to reporting and compliance demonstration solutions.
  • Of course, GDPR isn't the only privacy regulation that will affect digital ad tech companies.  There is great urgency in the halls of the European Parliament to draft and debate an ePrivacy Regulation to replace the current ePrivacy Directive. In a panel addressing the "perfect storm" of the GDPR and ePrivacy Regulation, several policymakers offered guidance for companies.  The EU Commission's Rosa Barcelo and Karolina Mojzesowicz along with Ralf Bendrath, policy advisor to MEP Jan Phillipp Albrecht, said that companies should be mindful of the ePrivacy Directive while waiting for the ePrivacy Regulation.  While the original May timeline for ePrivacy Regulation implementation is no longer realistic, they said, companies should continue to comply with the ePrivacy Directive which requires consent for data processing for digital advertising. In the words of Mr. Bendrath, "online tracking is already illegal [under the e-Privacy Directive].”
  • The conference ended on a controversial note.  German MEP Birgit Sippel, in what was her first public keynote address as the European Parliament's Special Rapporteur for the proposed ePrivacy Regulation, announced, "What we are aiming at is to abolish surveillance-driven advertising."  In response to industry arguments that ePrivacy Regulation restrictions will create consent fatigue and limit online content due to revenue drops, Ms. Sippel responded that businesses are innovative and should be capable of creating meaningful consent without causing consumer fatigue.

The NAI team has also recently arrived back home from a very productive and energetic Q4 NAI Board meeting in San Francisco. We enjoyed our Thanksgiving holiday at home and are soon headed back across the pond to EDAA’s 2017 Summit in London.  No rest for the weary! See you on the other side…of the next postcard. 

Submitted by Leigh Freund on October 13, 2017

你好 Hello from Hong Kong!

The second installment of our “Postcards from…” series comes from the other side of the world at the Shangri-La Kowloon in Hong Kong where I was privileged to represent NAI member companies during the 39th Annual International Conference of Data Protection and Privacy Commissioners on September 25-29, 2017.  The event was hosted by the Honorable Stephen Wong, Hong Kong’s Privacy Commissioner for Personal Data.

The conference theme, "Connecting West with East in Protecting and Respecting Data Privacy,” was echoed throughout the event and my time in Hong Kong.  Southeast Asia is a place steeped in tradition.  Conference participants enjoyed regular welcome teas and showed respect by presenting business cards to our colleagues with two hands.  Nightly light displays showcased Hong Kong's amazingly colorful skyscrapers along Victoria Harbour.

Hong Kong was an apropos venue for the conference.  Commissioner Wong noted that its "one country, two systems" principle makes it uniquely qualified to bridge Eastern and Western data cultures; perhaps that’s one of the reasons Hong Kong boasts one of the largest concentration of data centers in Asia.  The conference was a great opportunity to talk with privacy commissioners and their staff from all over the world. Together, we considered the great opportunities, and great challenges, posed by our increasingly global, data-driven society.

Here are a few highlights from our discussions:

  • Data drives the day: In his opening remarks, Commissioner Wong noted that the age-old saying of industrialization - "He who controls petroleum, controls the world” - has changed.  In today's technologically advanced world, the saying should be, "He who controls data, controls the world." Wong stressed that laws and policies need to balance two necessities: the free flow of data for commerce and the protection of data for privacy.  He explained that a successful data economy depends on transparency and control, and noted that ethical and responsible data use is paramount.
  • Beating breaches: In today’s online marketplace, data breaches happen globally and frequently. Hong Kong, Japan, Korea, and the Philippines have all experienced individual consumer data breaches at a similar scale to the many well-known U.S. data breaches. Security is an increasingly important aspect of consumer privacy. In fact, the Honorable Raymund Liboro, Privacy Commissioner and Chairman of the National Privacy Commission for the Philippines, had a remarkably straightforward recommendation - "If you can't protect it, don't collect it."
  • Self-regulation for success: Participants in a panel hosted and moderated by Bojana Bellamy, President of the Center for Information Policy Leadership, argued that corporate responsibility and best practices are essential to a successful data-driven economy. They explained that the law simply isn't sufficient to protect data, and that accountability and enforcement must embrace a value system that is designed to produce good outcomes. While deterrent sanctions may have a limited effect on future behavior, they advocated a system of motivated voluntary compliance, such as self-regulation, for constructive engagement and effectiveness.
  • Responsible robots: Artificial intelligence and machine learning pose special challenges for data use and ethics. One conference panelist described these technologies as creating a "dilemma" at the intersection of ethics, privacy, artificial intelligence, machine learning, and public policy and regulation. Some conference participants argued for a new approach to data in an AI world, for example, privacy protection, accountability, individual empowerment, and a weighing of societal benefits by a "data steward.”  But others urged caution in such an approach and suggested that existing cultural values, privacy by design frameworks, and risk factors can span cultural differences and build effective ethics structures.  This conversation was a great segue to next year’s 40th ICDPPC themed, Ethics and Dignity.  The 2018 conference will be held jointly in Brussels and Sofia, Bulgaria.

Our next postcard will be mailed from the land of waffles, chocolate, and beer…Brussels!  Our new Vice President for Public Policy, Will Carty, and I will attend the IAPP Data Protection Congress and some key GDPR readiness meetings with our colleagues from the IAB Europe.  Stay tuned!

Submitted by William Lee on September 26, 2017

On the 28th of September at 10am ET, IAB Europe will hold the first in a series of webinars on the General Data Protection Regulation (GDPR), the new EU data protection law which will come into force on the 25 May, 2018. Since the beginning of the year, IAB Europe has been working with members in their GDPR Implementation Working Group (GIG) on figuring out how the GDPR will apply to our industry, and on drafting industry-specific guidance. The NAI has been an active participant in the IAB's GIG.

The first output of the GDPR Implementation Working Group was a paper named the GDPR Compliance Primer - a document which explains the first steps which companies have to undertake to achieve compliance. The work was lead internally by Michele Appello from Improve Digital, who will also be presenting this first webinar on the topic alongside her colleague Vaughan Mackolisky. Registration for the webinar is possible here:

The purpose of this webinar series is to externalize the work of the GDPR Implementation Working Group. The webinars are therefore not meant to be too legal and technical. In particular, this first one is meant to be an introduction to the GDPR - so no prior knowledge is required! The webinars will follow a monthly schedule, and the intention is to carry them through into 2018.

Please feel free to contact Chris Hartsuiker of IAB Europe or NAI staff if you have any further questions about the webinar series, or the GDPR Implementation Working Group.