Back to top

Blog

Submitted by Anthony Matyjas... on December 19, 2019

After an eventful 2019, The NAI is preparing for a momentous twentieth anniversary year in 2020. The thoroughly revised 2020 NAI Code of Conduct will go into effect in ten days, on January 1st, 2020, placing a number of new requirements in the areas of Tailored Advertising and Ad Delivery and Reporting on NAI members. This new Code incorporates the Viewed Advertising Guidance, modernizes terminology, extends consumer opt-in requirements for the use of certain types of data (including Sensor Information and Precise Location Information) to Ad Delivery and Reporting, introduces political transparency requirements, and expands coverage to information collected offline if it is used to target digital advertising across websites, apps, or on digital television screens.

NAI staff have been working with member companies throughout the year to educate them about these new requirements, and we have been helping member companies prepare for the changes they will need to make in order to remain in compliance with the Code in 2020. This includes a number of educational webinars and one-on-one calls with each member company during the 2019 NAI compliance review.

As the deadline to the enforcement date of these new requirements approaches, and after speaking with all member companies, the NAI is allowing for additional time for members to come into compliance with two new obligations under the new Code, due the industry-wide changes which will be necessary for material compliance with those two requirements.

First, the 2020 Code requires member companies engaged in Audience-Matched Advertising to provide a PII-based opt out from these activities for users on the NAI industry page. The technical development of, and integration with, this new tool have been delayed due to the amount of resources that member companies are devoting to compliance with the California Consumer Privacy Act (CCPA) by January 1, 2020. The NAI and its members will work during the first half of 2020 to ensure that all members engaged in Audience-Matched Advertising are fully integrated with the NAI’s PII-based opt-out tool by July 1, 2020, and enforcement actions for non-compliance are set to begin after that date.

Second, the 2020 Code raises the bar on what steps are necessary for NAI members to rely on reasonable assurances from partners that consumers have expressed informed Opt-In Consent to Tailored Advertising and Ad Delivery and Reporting uses of sensitive data such as Precise Location Information. One of these requirements is for users to be presented with just-in-time notice while providing consent for digital advertising uses of their location data. Because platform controls provided by device manufacturers do not always allow for the provision of such notice, NAI members must take technical and contractual steps to ensure that this notice can be presented to users by the mobile applications that collect location data. NAI staff and members will work to operationalize these changes in the mobile digital advertising ecosystem during the first half of the year, with the goal of beginning enforcement also on July 1, 2020.

All other requirements in the 2020 NAI Code will be enforced beginning on January 1, 2020 thanks to the hard work by NAI member companies to prepare for these new obligations during the past year, even as they were also preparing for new requirements under CCPA.

Submitted by Matt Nichols on October 29, 2019

The NAI’s “Guidance for NAI Members: Viewed Content Advertising” (Guidance) announced in 2018 that the collection of Viewed Content Data (VCD) for Viewed Content Advertising (VCA) would become a covered activity under the NAI Code, enforced on January 1, 2019. The addressable or advanced television space is still a nascent and developing technology, with a transition from traditional televisions and cable boxes to Smart TVs and TV-streaming devices. As large media companies continue to launch their own streaming platforms this year, it appears that the use of Smart TV-devices, that serve as a way to stream these platforms, will continue to grow. 

As of January 1, 2019, NAI member companies collecting VCD for Personalized Advertising or Ad Delivery and Reporting purposes should have taken steps to comply with this Guidance. A major component of the NAI’s self-regulatory framework is user choice. Just as the NAI Code requires member companies to ensure that an easy-to-use choice mechanism is available for users to opt out of Personalized Advertising on their web browsers and mobile devices, the purpose of the Guidance is to ensure that a commensurate level of control is available on a television engaged in Personalized Advertising. 

However, as was the case in the early days of advertising on mobile applications, the ability to provide a consistent choice mechanism in the television space is still maturing. Some technology platforms do not provide a built-in consumer choice mechanism, while others are not completely clear as to what constitutes an opt out or how such signals are shared with applications. This is an aspect of the connected-television space that will likely continue to evolve in the coming years, just as the mobile application ecosystems did before settling on the Mobile Ad Identifiers (Apple’s IDFA and Android’s GAAID) and consumer choice settings that many users are familiar with today.

In addition to those NAI member companies that collect data from connected televisions and streaming devices, some NAI members may engage in, or facilitate, the targeting of digital advertising on these devices based on data collected in more traditional web-based or mobile app-based settings, through Cross-Device Linking. Consistent with the NAI Code’s requirements for Cross-Device Linking, those NAI members must provide relevant disclosures on their own websites and a means for users to opt-out of receiving Personalized Advertising on their connected televisions or streaming devices.

Based on its 2019 compliance reviews of member companies to date, NAI compliance staff has noted a lack of consistency in how members disclose the collection and/or use of data on connected televisions and streaming devices, and how these members notify users of the choices that are available to them with respect to Personalized Advertising on these devices. Accordingly, throughout its 2019 compliance reviews, the NAI has been working with its members to help them provide adequate disclosures and clear instructions to consumer choice mechanisms for Personalized Advertising on connected televisions and connected devices. Additionally, the NAI has recently provided an instructional page for users, informing them how to locate and activate the privacy preferences on many of the most popular devices in the television space. The NAI provided a similar service in the mobile application space, but it is likely to be even more beneficial for televisions and connected devices, where a much broader variety of platforms, each with their own settings and preferences, currently occupy the market. The NAI urges all of its members to direct users to these instructions, when relevant, or to provide similar instructions to users in their own consumer choice pages and privacy disclosures.

In order to ensure a level playing field and avoid an advantage to the NAI members who underwent the 2019 compliance process earlier in the year, the NAI will work with all willing member companies until December 31, 2019 to help them provide adequate disclosures surrounding the collection and/or use of data for Personalized Advertising on connected televisions and streaming devices. On January 1st, 2020, NAI staff will begin stricter enforcement of these requirements in earnest, and NAI members who do not provide adequate disclosures or instructions for choice mechanisms, based on NAI staff’s judgement, will be subject to the NAI’s full enforcement procedures.

All NAI members who collect or use data on connected televisions or streaming devices for Personalized Advertising and Ad Delivery and Reporting  should review their current disclosures, and instructions for consumer choice mechanisms to ensure they meet the requirements of the Guidance and the 2020 Code of Conduct ahead of January 1, 2020. Members can reach out to NAI staff with any questions about how to best comply with NAI requirements on these devices.

If you have any questions about the Guidance, or the Code generally, please reach out to NAI Compliance staff (compliance@networkadvertising.org).

Submitted by William Lee on October 23, 2019

The Network Advertising Initiative’s 2020 Code of Conduct expands the scope of activities it covers to include all uses of previously collected user-level data for Tailored Advertising across websites and applications, as well as on covered devices. One result of the 2020 NAI Code’s expanded scope is that offline data onboarded for use in tailoring digital advertising through a matchpoint derived from PII is now covered as a subset of Tailored Advertising. The 2020 NAI Code defines this practice as Audience-Matched Advertising (AMA).1

Because AMA is a form of Tailored Advertising under the 2020 NAI Code, members engaged in AMA must comply with new obligations when the 2020 NAI Code goes into effect, including new consumer choice obligations. Specifically:

“An Opt-Out Mechanism for a member’s use of PII or hashed PII shall apply to the member’s use of that PII or hashed PII for Tailored Advertising on all devices and shall be made available on both the member’s website and on the NAI website. If an NAI member uses types of PII or hashed PII that are not supported by the NAI Opt-Out Mechanism, and are not linked to the types of PII or hashed PII supported by the NAI Opt-Out Mechanism, the member shall provide an Opt-Out Mechanism for such PII or hashed PII directly on the member’s site.”2

The NAI has recently finalized the technical specification for a centralized Opt Out Mechanism for AMA based on email addresses (the “Centralized AMA Opt Out”) that will help members engaged in AMA to meet this new obligation.

This blog post aims to provide clarity regarding which NAI members will need to provide their own opt out for AMA, which members will need to integrate with the NAI’s Centralized AMA Opt Out, and what obligations fall to members who engage in AMA indirectly through third parties. The blog post will then outline a number of other policies related to AMA opt outs.

NAI Member Obligations According to Business Practice

1. NAI members directly onboarding offline data

a. If an NAI member engages in AMA directly using PII or hashed PII in their own systems as a match-point for onboarding, that member must provide an Opt-Out Mechanism linked to the PII or hashed PII they use for that purpose. This Opt-Out Mechanism must allow users to provide their PII to the member company, so that the PII can be opted out from AMA on a going-forward basis.

i. If an NAI member uses email addresses as the match point for AMA, in either plaintext or hashed format, the member must integrate with the NAI’s Centralized AMA Opt Out. The NAI member must also provide a link to the NAI’s Centralized AMA Opt Out in its privacy policy with an explanation of where the link will take a user.

ii. If an NAI member uses forms of PII or hashed PII other than an email address as a matchpoint, and those forms of PII or hashed PII are not also linked to an email address, that member must separately provide an Opt-Out Mechanism for such data-points on the member’s own website. For example, if an NAI member uses mobile phone numbers or hashed mobile phone numbers as match-points, the member must provide a way for users to enter their mobile phone number to be opted out of AMA on a going-forward basis.

2. NAI members that encounter PII, in hashed or plaintext format, in their systems but pass it on to a third-party for onboarding

a. If an NAI member encounters PII, in hashed or plaintext format, in its systems but forwards that data to a third-party for onboarding for AMA purposes, the NAI member will need to develop its own Opt-Out Mechanism for AMA, consistent with the requirements of point 1.a.

i. If an NAI member encounters email addresses, in either plaintext or hashed format, the member must integrate with the NAI’s Centralized AMA Opt Out. The NAI member must also provide a link to the NAI’s Centralized AMA Opt Out in its privacy policy with an explanation of where the link will take a user, consistent with the requirements of point 1.a.i.

ii. If an NAI member encounters forms of PII or hashed PII in its systems,  other than an email address as a matchpoint, and those forms of PII or hashed PII are not also linked to an email address, that member must separately provide an Opt-Out Mechanism for such data-points on the member’s own website, consistent with the requirements of point 1.a.ii.

3. NAI members that utilize third parties for onboarding offline data

a. If an NAI member at no point encounters hashed or plaintext PII in its systems but engages a third party to onboard offline data on its behalf, for AMA purposes, the NAI member must contractually require the third party to offer an Opt-Out Mechanism linked to hashed or plaintext PII, consistent with the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies. Additionally, the NAI member should provide a link in its privacy policy to the third party’s AMA Opt-Out Mechanism.

4. NAI members that license onboarded AMA data from third-party data providers

a. If an NAI member licenses data from a third-party data provider that includes a consumer’s onboarded AMA data, the NAI member must contractually require the third-party data provider to offer an Opt-Out Mechanism linked to hashed or plaintext PII, consistent with the with the NAI member’s obligations under the “Responsible Sources” requirement of the Code3 and the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies.

5. NAI members that operate a service platform that makes onboarded data from third-party data providers available to the member’s clients

a. If an NAI member operates a service platform that makes onboarded data from third-party data providers available to the member’s clients for AMA purposes, the NAI member must contractually require the third-party data provider to offer an Opt-Out Mechanism linked to hashed or plaintext PII consistent with the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies.

6. NAI members that provide functionality that allows its clients to match its online identifiers with PII or hashed PII in its’ clients’ possession for AMA

a. If an NAI member provides functionality that allows its clients to match its online identifiers with PII or hashed PII in its clients’ possession for AMA, the NAI member must contractually require the partner to represent that the user has permitted Audience-Matched Advertising by providing Opt-In Consent directly to that client.

Other Audience-Matched Advertising Opt Out Related Policies

Service Provider Exemption

According to the Commentary to the 2020 NAI Code of Conduct, “an NAI member acting purely as a service provider to an advertiser client, who does not retain any individual rights to the data processed on behalf of the client, may continue to engage in Audience-Matched Advertising on behalf of that client, even in the presence of an opt out linked to a user’s PII, if the client contractually represents that the user has permitted Audience-Matched Advertising by providing Opt-In Consent directly to that client.”

This exemption reflects the NAI’s belief that when a user has provided an advertiser with Opt-In Consent for that advertiser’s use of their PII for AMA, that consent extends to the advertiser’s agents, including NAI members acting purely as service providers to the advertiser. A user seeking to revoke consent for an advertiser’s use of their PII for AMA in that scenario should direct their request to the advertiser, not the advertiser’s service provider.

If an NAI member retains any rights to the onboarded data, or the PII or hashed PII used as a matchpoint and provided by the client and used to onboard the data, the member may not claim the service-provider exemption. For example, if an NAI member onboards data on behalf of a client, and subsequently uses the match to bolster or authenticate its own Cross-Device Linking mechanism, that member is not acting as only a service provider on behalf of the client.

Conversely, NAI members who do not directly engage in AMA, but permit advertiser clients to onboard their own data by attaching PII, such as an internal customer number, to online identifiers provided by the member company, are involved in AMA purely as a service provider if the member company does not receive any information regarding the link between an online identifier and PII, or is not permitted to use such information for the member’s own purposes. In such cases, the member must ensure that the advertiser client has obtained the user’s Opt-In Consent directly, for such uses of the data by the client.

If you believe that your company may qualify for this exemption please reach out to the NAI compliance team (compliance@networkadvertising.org) to confirm.

Use of Data Received to Effectuate an Audience-Matched Advertising Opt Out

Regardless of whether NAI members receive hashed or plaintext PII from an AMA Opt-Out Mechanism, NAI members may only use that hashed or plaintext PII to maintain a user’s opt-out preference.

Opt-Out Duration

The duration of an opt out from AMA is indefinite. However, members may ask users to opt back in twelve months after the opt out was expressed. As noted above, NAI members may not use PII or hashed PII for any purpose except to maintain a user’s opt-out preference, and so may not contact the user via email in asking them to reconsider their choice, but they may present a message to the user during regular app or web use, for example if the user is encountered at a typical match event at least twelve months after having opted out.

In cases where local regulations or legislation require NAI members to delete data (even if that data is being retained exclusively for maintaining a consumer’s AMA opt-out preference) after a given time, NAI members must comply with such regulation or legislation.

Timescale for Processing AMA Opt Outs

NAI members should effectuate AMA Opt Outs in their systems within 10 days of receipt of an AMA opt-out request.


1 “Audience-Matched Advertising is the practice of using data linked, or previously linked, to Personally-Identified Information (PII) for the purpose of tailoring advertising on one or more unaffiliated web domains or applications, or on devices, based on preferences or interests known or inferred from such data.” - 2020 NAI Code of Conduct, Section I.B.

2 2020 NAI Code of Conduct, § II.C.3.

3 2020 NAI Code of Conduct § III.F.2.

 

Submitted by Leanny Prieto on October 22, 2019

The NAI recently conducted a survey among 10,000 consumers to find out more about what they think about digital advertising, online content, and privacy. 

The survey results feature three key findings:

  1. Consumers have significant online privacy concerns that are primarily driven by bad actors, such as hackers. 
  2. Consumers strongly favor ad-supported media and online services over those that require payment.
  3. American consumers are overwhelmingly looking to Congress and the Federal Government to address privacy concerns.

Consumers have significant online privacy concerns that are primarily driven by bad actors, such as hackers. 

The vast majority of survey respondents indicated having at least some concern about their privacy online. More than half, 56.2%, cited hackers as the main source of concern. Other top sources of privacy concerns varied, with significantly smaller percentages citing a range of different concerns, including 12% citing data collection by websites or apps, 11% for ad tech companies, 10% citing the U.S. Government, and 8% citing foreign governments. Overall, hackers and government surveillance outweighed concerns about industry data collection by almost 3:1.

Consumers strongly favor ad-supported media and online services over those that require payment.

The study revealed that consumers place a high value on their online content and services. However, respondents to this survey are disinclined to pay more for their online content than they are already paying. The survey revealed that nearly 60% of respondents prefer their online content to be paid for by advertising, while another question sought feedback from consumers on how much they currently pay for online content and how much they would be willing to pay. Nearly 90% said they are unwilling to pay a significant amount of money to continue receiving apps and online content that they currently receive for free. The survey provided a strong affirmation that the ad-supported content model is ideal for most consumers.

American consumers are overwhelmingly looking to Congress and the Federal Government to address privacy concerns.

With respect to providing privacy protections for consumers, respondents to this survey indicated they want the Federal Government and Congress to address privacy concerns. A substantial majority, 67% of respondents, believe that the federal government should be responsible for enacting laws to protect the data privacy of American citizens. Clearly, U.S. consumers believe that data protection should be offered to consumers regardless of where they live. These results align with NAI’s public policy efforts to advance a national privacy framework that establishes a uniform standard for consumer privacy in the U.S.

The full analysis paper can be found here.