Submitted by Leigh Freund on September 21, 2017

Some 150 years ago, post offices around the world received the first picture postcards.  Designed to be mailed without envelopes and kept as souvenirs, the photos themselves brought news.  They were decorated with the images of the day – the newly constructed Eiffel Tower perhaps or the happenings at the Chicago World’s Fair. 

These days, when I travel, I still like the tradition of picking up a few postcards from the hotel gift shop; to me, they represent a snapshot in time of places seen, people met, and things accomplished.

NAI is launching a new blog series this week with the same idea.  Titled “Postcards from…,” the series is intended to give our readers real-time, up-to-date information on NAI’s activities, across the country and around the world, on behalf of our members.  We hope these posts will be fun, informative, and inspiring.

First up – Postcards from… Maine.

The NAI staff and Board of Directors recently returned from a two-day trip to Portland, Maine, where we conducted our second annual Strategic Board Meeting and Retreat (photos below). We accomplished a lot in two short days thanks to our amazing, talented, smart, energetic, and fun Board.  I was really impressed with the level of thought, preparation, and commitment all of the Board members put into the meeting. Particular thanks go out to the new Board members, who jumped right in and participated as the experienced privacy pros they are!

In addition to our slate of outstanding Board members, we were also thrilled to welcome some esteemed guests for a true consumer privacy master class.  Trevor Hughes (CEO, IAPP), Omer Tene (VP, IAPP), and Jules Polonetsky (CEO, FPF) attended part of our meeting and shared their thoughts on the state of consumer privacy in the world today.  They offered an amazing history lesson on our industry.  And we were fortunate to get guidance on NAI's future from those who were so integral to NAI's past.

Here are some takeaways from our discussions:

  • NAI should maintain its focus on building an unimpeachable infrastructure and record of integrity.
  • NAI should continue efforts to educate regulators, both in the US and throughout the world, on the industry and the work we're doing.  The NAI staff, Board members, and member companies should lead this effort as the smartest people in the world on these issues.
  • NAI should foster open communications with platform providers.  We are right now trying to find coordination and collaboration on consumer privacy and technology solutions with the platforms that provide the infrastructure of our ecosystem.
  • NAI should retain its commitment to transparency.  The issues facing our industry are not new, even if technology is.  Organizations like NAI are more important than ever, and transparency among companies and with outside media is a core benefit of NAI.
  • NAI should allow for evolution in the classifications of PII and non-PII.  We should focus privacy efforts on the transparency of data use, and allow additional uses for de-identified or pseudonymized data, rather than trying to retain potentially dated definitions that no longer realistically protect privacy in today's marketplace.

It is clear that we have a lot to do! As is the norm for us, we have put forth an aggressive list of goals and targets for NAI over the next year or two. The NAI staff and I stand ready to put in work to achieve our goals, and we will be counting on NAI Board and our members for support and guidance along the way.

In short, regardless of the current regulatory environment in the U.S., we have no intention of taking our foot off of the gas in our quest to provide strong guidance and principled stances on consumer privacy measures.  The NAI staff agrees strongly with this position, and we really appreciated the remarks of the Board and our esteemed guests in support of that stance.

Please look for additional communications as we work to execute on the vision laid out for NAI so ably by the Board; we will be posting updates and important information in these blog posts, in our bi-weekly newsletter, and in upcoming webinars.

Next up…Hong Kong!  I am heading to Hong Kong next week where I will have the privilege of being NAI's representative to the 39th Annual International Conference of Data Protection and Privacy Commissioners. This year's meeting will focus on "Connecting West with East in Protecting and Respecting Data Privacy."  I have sharpened pencils in my bag and will pick up some postcards.  Stay tuned.

Submitted by Leigh Freund on September 18, 2017

“Robust self-regulation” – What does it mean?  

The answers can be found in NAI’s annual Compliance Report, the yearly review of our members’ adherence to the NAI Code of Conduct and Mobile Application Code (Codes).

The NAI Compliance Report is the culmination each year of our most important program, the compliance process. The NAI sets high standards for self-regulation, but these standards would be meaningless without the NAI’s insistence on accountability. That’s where the NAI compliance program comes into play.  The compliance program starts even before a company officially joins the NAI.  To even be accepted as an NAI member, companies must subject themselves to a stringent review of their privacy practices as part of their membership application process so that we can be certain of their commitment to transparency and accountability.  And that’s just the beginning. Once approved for membership, each NAI member company must go through a similar review every year by NAI staff to ensure compliance with our Codes.  It is a time-consuming and expensive undertaking for the companies, and it shows their commitment to consumer privacy and industry best practices.  That’s robust self-regulation.

I am also sometimes asked:  “How can it be robust self-regulation without imposing high penalties for violations?”

Our member companies are leaders in the ad-tech industry and make extraordinary efforts to ensure compliance with the Codes. However, even the most well-intentioned companies do make mistakes. Each year our staff finds that some member companies have various non-material violations of the Code such as malfunctioning privacy links and privacy disclosures that may not have provided adequate information regarding new products, such as data collection and use in mobile applications. As a result of the NAI’s automated monitoring of links and disclosures, these problems are addressed preemptively as soon as they are spotted and communicated to members. The NAI's rigorous compliance approach encourages collaborative dialogue between NAI staff and its members that creates a comprehensive, disciplined partnership that enhances the overall health of the digital advertising ecosystem and benefits consumers. The NAI’s compliance staff worked with each member company throughout the year to monitor and ensure compliance. This enabled the NAI and its members to spot potential problems and to resolve issues promptly, before they turn into larger complications affecting greater numbers of consumers.

In contrast, material violations are willful and/or very serious violations of our Codes, such as failure to provide consumer choice for an extended period of time, deliberately misleading statements in disclosures, failure to implement NAI guidance document requirements, or refusal to cooperate with NAI staff. Effectively, the availability of sanctions ensures that members cooperate with NAI staff and make any requested changes expeditiously. The NAI did not find any material violations of the Code during the latest (2016) compliance review period.  

I encourage you to read our latest compliance report, the NAI 2016 Annual Compliance Report. The report provides a summary of the NAI staff’s findings from our compliance monitoring processes of our 108 member companies during the 2016 period (January 1, 2016, to December 31, 2016).

Another great aspect of self-regulation is that it can quickly adapt to the ever-changing technologies in the ad-tech industry. In 2016, the NAI began regulating Cross-App Advertising (CAA) through enforcement of its Mobile Application Code (App Code). The 2016 Compliance Report shows that the NAI found that all member companies provided an Opt-Out mechanism for CAA. However, some of these mechanisms needed more comprehensive opt-out instructions.  The NAI worked closely with member companies to help them draft improvements where needed. Ultimately, the NAI’s compliance reviews indicate that all 108 members met their obligations under the provisions of the Codes. 

What’s in store for the future? The NAI always leverages the findings of the annual Compliance Report to further strengthen our self-regulatory program.  This year, the NAI began enforcing two new guidance documents, addressing the use of Non-Cookie Technologies in web browsers, and Cross-Device Linking for IBA and CAA purposes. The 2017 compliance reviews include these guidance documents, and companies will be held accountable for meeting these requirements. The NAI is conducting advance work with its members and industry stakeholders to examine terminology, including the continuing relevance of maintaining a distinction between Non-Personal Identifiable Information (non-PII) and Personal Identifiable Information (PII). As data collection and use for targeted advertising on connected TVs becomes more prevalent, the NAI is also actively working to draft Guidance addressing this new ecosystem. The NAI is also continuing to develop, expand, and improve its suite of technical monitoring tools in both web and mobile application environments.

The NAI compliance program is self-regulation at its best: robust, continuous monitoring and enforcement throughout the year and adaptable to changing technologies.

Submitted by NAI on August 16, 2017

NAI 2016 Annual Compliance Report FAQs

1. What is the annual NAI Compliance Report?

The NAI and its members invest enormous resources towards working to ensure that consumer choices are honored and data privacy is respected through a rigorous compliance and robust enforcement process.  The report provides to the public the results of the NAI’s compliance program each year. Through publication of this report, consumers, regulators and others gain visibility into the NAI’s compliance program and self-regulatory process.  NAI leverages the findings of the report to further strengthen its self-regulatory program.

2. What information is included in the NAI Compliance Report?

The report provides a summary of the NAI staff’s findings from our compliance monitoring processes of our 108 member companies during the 2016 period (January 1, 2016, to December 31, 2016). This includes investigations and, when applicable, enforcements conducted during that time period.

3. The Compliance Report does not cite any members for noncompliance.  Is that because the NAI staff did not find any violations of the Codes?

No.  The report shows that NAI staff found that some member companies had various non-material violations of the Codes as a result of the organization’s robust monitoring program.  These violations included malfunctioning privacy links and privacy disclosures that may not have provided adequate information regarding data collection and use in mobile applications.  However, members actively worked with NAI staff during the course of the year to ensure that these issues were resolved quickly.  NAI did not find any material violations of the Code during the 2016 compliance review period. Material violations are willful and/or very serious violations of our Codes, such as failure to provide consumer choice for an extended period of time, deliberately misleading statements in disclosures, failure to implement NAI guidance document requirements, or refusal to cooperate with NAI staff.

4. If no sanctions are listed in the Report, why do you claim that NAI has a robust compliance program?

NAI's rigorous compliance approach encourages collaborative dialogue between NAI staff and its members that creates a comprehensive, disciplined partnership that enhances the overall health of the digital advertising ecosystem and benefits consumers. NAI is a membership organization, and therefore its impact, and the benefit to consumers, increase as more companies join and sign up for self-regulation. Issues are resolved promptly, before they turn into larger problems affecting greater numbers of consumers.  That is self-regulation at its best. 

5. What is new in the 2016 report?

NAI began regulating Cross-App Advertising (CAA) through enforcement of its Mobile Application Code (App Code) in 2016. The Compliance Report shows that NAI found that all member companies provided an Opt-Out mechanism for CAA.  However, some of these mechanisms needed improvements and/or more comprehensive opt-out instructions.  In turn, NAI worked closely with member companies to draft improvements where needed.  In cases where members did not initially provide all necessary disclosures in the App Code in a clear manner to consumers, NAI took additional steps to educate members regarding required and suggested disclosures pertaining to advertising identifiers on mobile devices, the choice mechanisms available on mobile platforms and location data, resulting in considerable improvement in mobile-specific disclosures throughout the year.

6. What is on the horizon for NAI in 2017?

NAI intends to leverage the findings of the Annual Compliance Report to further strengthen our self-regulatory program.  In 2017, the NAI began enforcing two new guidance documents, addressing the use of Non-Cookie Technologies in web browsers, and Cross-Device Linking for IBA and CAA purposes. The 2017 compliance reviews include these guidance documents, and companies will be held accountable for meeting these requirements. From a policy perspective, NAI is conducting advance work with its members and industry stakeholders to examine terminology, including the continuing relevance of the Non-Personal Identifiable Information (non-PII) and Personal Identifiable Information (PII) distinction.  As data collection and use for targeted advertising on connected TVs becomes more prevalent, NAI is also actively working to draft Guidance addressing this new ecosystem.  NAI is also continuing to develop, expand, and improve its suite of technical monitoring tools in both web and mobile application environments.

See the full press release here.

Submitted by Leigh Freund on July 20, 2017

Today’s blog post is dedicated to an update on privacy regulations that the European Union is planning to implement in less than a year that will have a significant impact on our members and the entire adtech industry.  The EU “General Protection Data Requirements” (GDPR) takes effect on May 25, 2018. Hailed as the most significant change in data protection law in over 20 years, the GDPR will impose many new obligations on controllers and processors of "personal data," an expanded definition that encompasses many of the data types typically collected and used by digital advertising technology companies.

GDPR will require companies to provide consumers with clear, unambiguous consent choices, data portability, a right to access data, and consent revocation, among other obligations.  The cost of non-compliance is significant.  GDPR includes an increased extra-territorial applicability and a significant increase in the penalties for non-compliance.  Fines for non-compliance are up to four percent of annual global turnover or 20 million Euros, whichever is greater. An overview of the GDPR’s key changes can be found here.

Many of our members have asked what NAI can do to help companies prepare for the obligations they will face under the GDPR.  NAI's current Codes of Conduct and guidance documents are applicable to the United States.  However, NAI's technical expertise and knowledge of our industry and its various business models make us uniquely qualified to be of assistance as we attempt to craft solutions that protect consumers' privacy, but also allow for companies to continue to innovate and conduct business in Europe.

I have been travelling to Europe on a regular basis this year to meet with industry colleagues and EU regulators.  I am delighted to report that NAI has been invited by the IAB Europe to be an active participant in its GDPR Implementation Working Group (GIG).  The GIG, made up of IAB Europe members dedicated to meaningful privacy and business solutions for GDPR implementation, has been working hard to develop position papers and helpful guidance documents on numerous points of GDPR compliance. We meet frequently, both in person and in virtual meetings, to determine the best path for both privacy protection and business continuity.

IAB Europe's GIG has produced a GDPR Compliance Primer, designed to share with executives and business owners within member companies in order to expand companies' understanding of the complex obligations required of data controllers and processors of European consumer data. The full paper can be found here.

As the GIG continues its work, NAI will share its output with member companies. We also want your input on key aspects of compliance.

If you have any questions or wish to discuss any issue of GDPR compliance with NAI staff, please don't hesitate to contact us. If you are interested in participating more actively in IAB Europe and its GIG, information on membership can be found on IAB Europe's website.