Back to top


Submitted by Leigh Freund on October 13, 2017

你好 Hello from Hong Kong!

The second installment of our “Postcards from…” series comes from the other side of the world at the Shangri-La Kowloon in Hong Kong where I was privileged to represent NAI member companies during the 39th Annual International Conference of Data Protection and Privacy Commissioners on September 25-29, 2017.  The event was hosted by the Honorable Stephen Wong, Hong Kong’s Privacy Commissioner for Personal Data.

The conference theme, "Connecting West with East in Protecting and Respecting Data Privacy,” was echoed throughout the event and my time in Hong Kong.  Southeast Asia is a place steeped in tradition.  Conference participants enjoyed regular welcome teas and showed respect by presenting business cards to our colleagues with two hands.  Nightly light displays showcased Hong Kong's amazingly colorful skyscrapers along Victoria Harbour.

Hong Kong was an apropos venue for the conference.  Commissioner Wong noted that its "one country, two systems" principle makes it uniquely qualified to bridge Eastern and Western data cultures; perhaps that’s one of the reasons Hong Kong boasts one of the largest concentration of data centers in Asia.  The conference was a great opportunity to talk with privacy commissioners and their staff from all over the world. Together, we considered the great opportunities, and great challenges, posed by our increasingly global, data-driven society.

Here are a few highlights from our discussions:

  • Data drives the day: In his opening remarks, Commissioner Wong noted that the age-old saying of industrialization - "He who controls petroleum, controls the world” - has changed.  In today's technologically advanced world, the saying should be, "He who controls data, controls the world." Wong stressed that laws and policies need to balance two necessities: the free flow of data for commerce and the protection of data for privacy.  He explained that a successful data economy depends on transparency and control, and noted that ethical and responsible data use is paramount.
  • Beating breaches: In today’s online marketplace, data breaches happen globally and frequently. Hong Kong, Japan, Korea, and the Philippines have all experienced individual consumer data breaches at a similar scale to the many well-known U.S. data breaches. Security is an increasingly important aspect of consumer privacy. In fact, the Honorable Raymund Liboro, Privacy Commissioner and Chairman of the National Privacy Commission for the Philippines, had a remarkably straightforward recommendation - "If you can't protect it, don't collect it."
  • Self-regulation for success: Participants in a panel hosted and moderated by Bojana Bellamy, President of the Center for Information Policy Leadership, argued that corporate responsibility and best practices are essential to a successful data-driven economy. They explained that the law simply isn't sufficient to protect data, and that accountability and enforcement must embrace a value system that is designed to produce good outcomes. While deterrent sanctions may have a limited effect on future behavior, they advocated a system of motivated voluntary compliance, such as self-regulation, for constructive engagement and effectiveness.
  • Responsible robots: Artificial intelligence and machine learning pose special challenges for data use and ethics. One conference panelist described these technologies as creating a "dilemma" at the intersection of ethics, privacy, artificial intelligence, machine learning, and public policy and regulation. Some conference participants argued for a new approach to data in an AI world, for example, privacy protection, accountability, individual empowerment, and a weighing of societal benefits by a "data steward.”  But others urged caution in such an approach and suggested that existing cultural values, privacy by design frameworks, and risk factors can span cultural differences and build effective ethics structures.  This conversation was a great segue to next year’s 40th ICDPPC themed, Ethics and Dignity.  The 2018 conference will be held jointly in Brussels and Sofia, Bulgaria.

Our next postcard will be mailed from the land of waffles, chocolate, and beer…Brussels!  Our new Vice President for Public Policy, Will Carty, and I will attend the IAPP Data Protection Congress and some key GDPR readiness meetings with our colleagues from the IAB Europe.  Stay tuned!

Submitted by William Lee on September 26, 2017

On the 28th of September at 10am ET, IAB Europe will hold the first in a series of webinars on the General Data Protection Regulation (GDPR), the new EU data protection law which will come into force on the 25 May, 2018. Since the beginning of the year, IAB Europe has been working with members in their GDPR Implementation Working Group (GIG) on figuring out how the GDPR will apply to our industry, and on drafting industry-specific guidance. The NAI has been an active participant in the IAB's GIG.

The first output of the GDPR Implementation Working Group was a paper named the GDPR Compliance Primer - a document which explains the first steps which companies have to undertake to achieve compliance. The work was lead internally by Michele Appello from Improve Digital, who will also be presenting this first webinar on the topic alongside her colleague Vaughan Mackolisky. Registration for the webinar is possible here:

The purpose of this webinar series is to externalize the work of the GDPR Implementation Working Group. The webinars are therefore not meant to be too legal and technical. In particular, this first one is meant to be an introduction to the GDPR - so no prior knowledge is required! The webinars will follow a monthly schedule, and the intention is to carry them through into 2018.

Please feel free to contact Chris Hartsuiker of IAB Europe or NAI staff if you have any further questions about the webinar series, or the GDPR Implementation Working Group.

Submitted by Leigh Freund on September 21, 2017

Some 150 years ago, post offices around the world received the first picture postcards.  Designed to be mailed without envelopes and kept as souvenirs, the photos themselves brought news.  They were decorated with the images of the day – the newly constructed Eiffel Tower perhaps or the happenings at the Chicago World’s Fair. 

These days, when I travel, I still like the tradition of picking up a few postcards from the hotel gift shop; to me, they represent a snapshot in time of places seen, people met, and things accomplished.

NAI is launching a new blog series this week with the same idea.  Titled “Postcards from…,” the series is intended to give our readers real-time, up-to-date information on NAI’s activities, across the country and around the world, on behalf of our members.  We hope these posts will be fun, informative, and inspiring.

First up – Postcards from… Maine.

The NAI staff and Board of Directors recently returned from a two-day trip to Portland, Maine, where we conducted our second annual Strategic Board Meeting and Retreat (photos below). We accomplished a lot in two short days thanks to our amazing, talented, smart, energetic, and fun Board.  I was really impressed with the level of thought, preparation, and commitment all of the Board members put into the meeting. Particular thanks go out to the new Board members, who jumped right in and participated as the experienced privacy pros they are!

In addition to our slate of outstanding Board members, we were also thrilled to welcome some esteemed guests for a true consumer privacy master class.  Trevor Hughes (CEO, IAPP), Omer Tene (VP, IAPP), and Jules Polonetsky (CEO, FPF) attended part of our meeting and shared their thoughts on the state of consumer privacy in the world today.  They offered an amazing history lesson on our industry.  And we were fortunate to get guidance on NAI's future from those who were so integral to NAI's past.

Here are some takeaways from our discussions:

  • NAI should maintain its focus on building an unimpeachable infrastructure and record of integrity.
  • NAI should continue efforts to educate regulators, both in the US and throughout the world, on the industry and the work we're doing.  The NAI staff, Board members, and member companies should lead this effort as the smartest people in the world on these issues.
  • NAI should foster open communications with platform providers.  We are right now trying to find coordination and collaboration on consumer privacy and technology solutions with the platforms that provide the infrastructure of our ecosystem.
  • NAI should retain its commitment to transparency.  The issues facing our industry are not new, even if technology is.  Organizations like NAI are more important than ever, and transparency among companies and with outside media is a core benefit of NAI.
  • NAI should allow for evolution in the classifications of PII and non-PII.  We should focus privacy efforts on the transparency of data use, and allow additional uses for de-identified or pseudonomized data, rather than trying to retain potentially dated definitions that no longer realistically protect privacy in today's marketplace.

It is clear that we have a lot to do! As is the norm for us, we have put forth an aggressive list of goals and targets for NAI over the next year or two. The NAI staff and I stand ready to put in work to achieve our goals, and we will be counting on NAI Board and our members for support and guidance along the way.

In short, regardless of the current regulatory environment in the U.S., we have no intention of taking our foot off of the gas in our quest to provide strong guidance and principled stances on consumer privacy measures.  The NAI staff agrees strongly with this position, and we really appreciated the remarks of the Board and our esteemed guests in support of that stance.

Please look for additional communications as we work to execute on the vision laid out for NAI so ably by the Board; we will be posting updates and important information in these blog posts, in our bi-weekly newsletter, and in upcoming webinars.

Next up…Hong Kong!  I am heading to Hong Kong next week where I will have the privilege of being NAI's representative to the 39th Annual International Conference of Data Protection and Privacy Commissioners. This year's meeting will focus on "Connecting West with East in Protecting and Respecting Data Privacy."  I have sharpened pencils in my bag and will pick up some postcards.  Stay tuned.

Submitted by Leigh Freund on September 18, 2017

“Robust self-regulation” – What does it mean?  

The answers can be found in NAI’s annual Compliance Report, the yearly review of our members’ adherence to the NAI Code of Conduct and Mobile Application Code (Codes).

The NAI Compliance Report is the culmination each year of our most important program, the compliance process. The NAI sets high standards for self-regulation, but these standards would be meaningless without the NAI’s insistence on accountability. That’s where the NAI compliance program comes into play.  The compliance program starts even before a company officially joins the NAI.  To even be accepted as an NAI member, companies must subject themselves to a stringent review of their privacy practices as part of their membership application process so that we can be certain of their commitment to transparency and accountability.  And that’s just the beginning. Once approved for membership, each NAI member company must go through a similar review every year by NAI staff to ensure compliance with our Codes.  It is a time consuming and expensive undertaking for the companies, and it shows their commitment to consumer privacy and industry best practices.  That’s robust self-regulation.

I also am sometimes asked:  “How can it be robust-self-regulation without imposing high penalties for violations?”

Our member companies are leaders in the ad-tech industry and make extraordinary efforts to ensure compliance with the Codes. However, even the most well intentioned companies do make mistakes. Each year our staff finds that some member companies have various non-material violations of the Code such as malfunctioning privacy links and privacy disclosures that may not have provided adequate information regarding new products, such as data collection and use in mobile applications. As a result of the NAI’s automated monitoring of links and disclosures, these problems are addressed preemptively as soon as they are spotted and communicated to members. The NAI's rigorous compliance approach encourages collaborative dialogue between NAI staff and its members that creates a comprehensive, disciplined partnership that enhances the overall health of the digital advertising ecosystem and benefits consumers. The NAI’s compliance staff worked with each member company throughout the year to monitor and ensure compliance. This enabled the NAI and its members to spot potential problems and to resolve issues promptly, before they turn into larger complications affecting greater numbers of consumers.

In contrast, material violations are willful and/or very serious violations of our Codes, such as failure to provide consumer choice for an extended period of time, deliberately misleading statements in disclosures, failure to implement NAI guidance document requirements, or refusal to cooperate with NAI staff. Effectively, the availability of sanctions ensures that members cooperate with NAI staff and make any requested changes expeditiously. The NAI did not find any material violations of the Code during the latest (2016) compliance review period.  

I encourage you to read our latest compliance report, the NAI 2016 Annual Compliance Report. The report provides a summary of the NAI staffs’ findings from our compliance monitoring processes of our 108 member companies during the 2016 period (January 1, 2016, to December 31, 2016).

Another great aspect of self-regulation is that it can quickly adapt to the ever-changing technologies in the ad-tech industry. In 2016, the NAI began regulating Cross-App Advertising (CAA) through enforcement of its Mobile Application Code (App Code). The 2016 Compliance Report shows that the NAI found that all member companies provided an Opt-Out mechanism for CAA. However, some of these mechanisms needed more comprehensive opt-out instructions.  The NAI worked closely with member companies to help them draft improvements where needed. Ultimately, the NAI’s compliance reviews indicate that all 108 members met their obligations under the provisions of the Codes. 

What’s in store for the future? The NAI always leverages the findings of the annual Compliance Report to further strengthen our self-regulatory program.  This year, the NAI began enforcing two new guidance documents, addressing the use of Non-Cookie Technologies in web browsers, and Cross-Device Linking for IBA and CAA purposes. The 2017 compliance reviews include these guidance documents, and companies will be held accountable for meeting these requirements. The NAI is conducting advance work with its members and industry stakeholders to examine terminology, including the continuing relevance of maintaining a distinction between Non-Personal Identifiable Information (non-PII) and Personal Identifiable Information (PII). As data collection and use for targeted advertising on connected TVs becomes more prevalent, the NAI is also actively working to draft Guidance addressing this new ecosystem. The NAI is also continuing to develop, expand, and improve its suite of technical monitoring tools in both web and mobile application environments.

The NAI compliance program is self-regulation at its best: robust, continuous monitoring and enforcement throughout the year and adaptable to changing technologies.