Back to top


Submitted by Matt Nichols on April 9, 2018

In late 2017, the NAI was given the opportunity to apply for a pilot survey program in order to run opinion polls and market research on internet users. With this chance to learn more about consumer opinions, we sent out a survey that obtained the responses of 10,000 U.S. consumers to find out more about what they think about online privacy, digital advertising, the ad-supported internet, and ad blocking. The survey was conducted January 29th to February 1st, 2018. 

NAI’s takeaways from the survey results

Our survey’s first question establishes the general level of concern respondents have about their privacy on the Internet. Whether the responses can be contributed to either recent high-profile data breaches, or to the growing national conversation surrounding privacy, “privacy” was stated to be at least “somewhat concern[ing]” for 85% of respondents.  Further, 50% of responses indicate that consumers are either “very” or “extremely” concerned about their privacy. In addition, 14% indicated that privacy was not a concern “at all”.  This indicates there continues to be a variety of attitudes about online privacy, but we must address the majority in the middle who are at least “somewhat concerned” about their privacy.  While this first question establishes that privacy is a concern for most respondents, subsequent questions and responses from the survey further clarifies this concern. 

The survey’s second question asks respondents to share what they felt was the primary reason for their privacy concern on the internet: 56% indicated that hackers were their top concern; a combined 15% said that data collection by either the U.S. or a foreign government was their top concern. As a whole, concerns about data collection by hackers or government entities attribute to 72% of responses to this question. 8% of users were most concerned about website and application publishers collecting data and 7% of users stated that data collection by advertising companies was their primary concern. 

The third question then shifts to help us better understand how consumers believe their access to online content should be financed. The results show overwhelmingly that respondents prefer their online content to be paid for by “Advertising” (67%), and interestingly this response was largely consistent across all age-groups. When this result is combined with the percentage of respondents indicating a preference for a “Donations” model (17%), the two responses account for 84% of all responses. This shows  an even clearer aversion by responders to pay directly for their online content. In fact, only 15% of responses indicated a preference for a subscription or microtransaction model. An interesting parallel to note is that 15% of respondents prefer a subscription or microtransaction model, which aligns with 15% of respondents who previously indicated their biggest privacy concern as AdTech companies and online publishers. 

Responses to the first three questions show individuals’ concern for their online privacy. But, while websites and AdTech play a role in this, albeit a minor one when compared to that of governments and hackers, question four adds further insight to this regarding choice.  When asked who should make the decision concerning opting a consumer out of targeted advertising, responders largely prefer themselves to be in control of this decision, with 79% indicating that “Individuals” should be in control. Interestingly, only 10% of respondents indicated that they prefer their browser to make such decisions on their behalf.

The survey results reveal that while some privacy concerns are associated with AdTech companies, this concern is not nearly as significant as those associated with hackers and government surveillance. But with that, the internet is largely ad-supported, and whether they are aware of this, U.S. consumers prefer their internet to continue to be ad-supported and show a clear disinterest in their content being made available only through subscriptions or microtransactions. But, when consumers are confronted with potential privacy enhancing measures, our survey shows that they want to make this choice themselves. This is a stern rebuttal to both device and browser manufacturers and governments making privacy decisions on consumers’ behalf.

Finally, while ad blocking is sometimes seen as evidence that consumers are taking privacy into their own hands, the final question of the survey shows that ad blockers are not primarily used as a privacy tool, but rather because consumers find ads annoying or because they cause websites to take too long to load and the effect that load time has on data usage.

We hope this survey, and its accompanying results, serve as a catalyst for discourse on not only our industry, but also the NAI’s role as a leading self-regulatory association. 

Full survey results can be found here.

"This research was made possible by Google Surveys, which donated use of its online survey platform. The questions and findings are solely those of the researchers and not influenced by any donation. For more information on the methodology, see the Google Surveys Whitepaper."

Submitted by NAI on February 14, 2018

A viewpoint from Ann Kennedy, Chief Product Officer of ShareThis

GDPR is Coming. Are You Ready For a New Era of Compliance?

The impending arrival of The General Data Protection Regulation (GDPR) from the European Union means that companies have to take consumer privacy more seriously than ever before.

But there's a problem. According to one recent survey of 500 cyber security professionals in the UK, Germany, France, and the US, a whopping 57 percent are concerned about compliance. That suggests many companies are still struggling to get prepared.

To retain consumers' trust at a time when privacy is top of mind and confusion surrounding the use of data in the online ecosystem is high, brands must take a tactical approach to communicating their position. They'll need to offer options that put their customers first. NAI membership and the adoption of self-regulatory principles lays the groundwork. To successfully navigate the new era of data protection, though, every company must adhere to new data collection and usage best practices.

With that in mind, here are three strategies from ShareThis for thriving in a post-GDPR world.

Embrace Transparency

When dealing with consumer privacy, transparency is critical. Organizations must describe their relationship with customer data in as much detail as possible, and in simple terms that consumers can fully grasp. The impetus for GDPR was to give consumers more control over their personal data, so you'll need to explain what you're doing to comply with data protection regulation legislation.

When updating our own privacy disclosures, conveying transparency and consumer-friendly content was paramount for ShareThis -- particularly since we were recently TAG certified against fraud. We made an effort to avoid industry and legal jargon, break down information into manageable parts, and associate each section of our disclosure with a visual icon for easy navigation.

In addition to clearly presenting your stance on privacy, joining the NAI is a great way to ensure you're doing everything you can to comply. Because self-regulatory organizations (SROs) are designed and dedicated to upholding consumer privacy and comprised of members rather than regulators, they can help websites and advertising companies prioritize transparency in the long-term. This unique positioning means SROs are well placed to draft robust and consumer-friendly regulations that keep pace with technology, without restricting innovation. By partnering with them you can put yourself ahead of the game.

Craft a Privacy Notice That Leaves No Stone Unturned

There's no doubt about it: the amount of privacy-related content that consumers are going to encounter in the coming months will be overwhelming. It's crucial, therefore, that your privacy notice clearly communicates your company's privacy policy to everyone who reads it.

What does a strong privacy notice look like? Among other things, it should provide an overview of:

  • The type and categories of data you collect, and who you collect it from
  • The purpose for your data collection practices, including how and why you use consumer data
  • Who has access to the data you collect, and the life cycle of that data (meaning how long it's available to you)
  • How and where the data is stored
  • What you're doing to safeguard customer data in order to protect against theft and fraud
  • Contact information that consumers can refer to should they have a question or complaint about your policy

Finally, be sure to put some thought into how you design your privacy notice. Don't fall victim to the "info dump." We recommend instead that companies offer simplified, topline content and hyperlink to additional information. This presents page visitors with the most important information up front and allows them to dig deeper for as much additional content as they need.

Adopt a Privacy by Design Framework

A concise privacy notice is key -- but that isn't where your commitment to GDPR should end. Moving forward, it's the companies that consider consumer privacy in all aspects of their work that will fare best.

A guiding principle for ShareThis is Privacy by Design, a method of engineering that considers privacy throughout the design process, not as an add-on. For example, implement technical measures in a way that protects privacy and maximizes data protection right from the start by considering users’ preferences. Assure that personal data is always processed in a way that respects consumers' privacy, and limit the number of departments that have access to your customers' personal data.

There are big changes coming -- but make some changes of your own, and you'll be ready for this new era of compliance. For more information on ShareThis visit our website.


The views and opinions expressed in this blog are those of the authors and do not necessarily reflect those of the Network Advertising Initiative and/or any other contributor to this site.

Submitted by Leigh Freund on December 5, 2017

NAI's travel bonanza is continuing at the start of this holiday season.  This postcard comes from London, where the city is alight with holiday decorations and abuzz with the news of a royal engagement.

I’m writing with news that is more regulatory than regal, but it is still important!  Last week, the IAB Europe published a working paper on consent under the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, and announced a new technical standard to support the digital advertising ecosystem in meeting the GDPR’s new requirements for user consent.

The working paper and consent standard are products of the IAB Europe’s GDPR Implementation Working Group (GIG), which has been leading this initiative.  The GIG brings together leading experts from across the digital advertising industry, including the NAI and many of our members, to discuss the European Union’s new data protection law, share best practices, and agree on common interpretations and industry positioning on the most important issues for the digital advertising sector.

NAI’s technical and policy staff have been representing our member companies’ interests while actively contributing to the GIG’s progress.

The IAB Europe’s working paper on consent is the third in a series of working papers published by the GIG; all papers are available on the IAB Europe’s website.  The purpose of this paper is to explain the definition of consent under the GDPR, and the practical implications of using consent as a legal basis for processing personal data in the online advertising ecosystem. Download the working paper on consent here.

The consent standard was unveiled at last week’s EDAA 2nd Annual Summit, which brought together 200 participants including advertisers, agencies, ad tech, and media in London.  The standard is a technical mechanism designed to enable websites, advertisers, and their ad technology partners to make robust disclosures regarding data collection and use, as well as obtain, record, and update consumers’ consent for their personal data to be processed, as outlined in the GDPR. Moreover, the mechanism enables transmission of user consent choices throughout the digital advertising ecosystem, increasing accountability in the supply chain by enabling the creation of consent records and an audit trail.

Key features of the consent standard include:

  • Works on mobile devices and desktop devices alike.
  • Enables dynamic disclosure by first parties of third-party advertising partners and the purposes for which they collect and process data.
  • Allows obtaining “global” or “service-specific” affirmative consent, as well as updating consent choices and withdrawing consent.
  • Enables the transmission of user consent choices to third-party advertising partners.
  • Increases accountability in the advertising ecosystem by enabling the creation of consent records and an audit trail.
  • Expedites compliance as it can be deployed before the date of application of the GDPR.

IAB Europe is inviting broader industry engagement over the coming months with an eye toward building cross-industry consensus and fostering a commitment to the standard, the principles around its use, its implementation, and the governance underpinning the tool.

NAI will continue to actively represent its members in the GIG, and work to finalize and implement the consent standard. We also urge NAI members to become independently involved in this industry initiative. Sign up for notifications from the IAB Europe’s mailing list to remain updated on any developments.  More information is available in the full press release here.

Our "postcards from..." series will soon take a short hiatus as the NAI staff spends some time with family and friends over the holidays.  We'll be back in January and first up will be a glimpse at the digital advertising industry's best new technology from CES in Las Vegas.

Best wishes for a very happy holiday season!

Submitted by Leigh Freund on November 29, 2017

Greetings from Brussels, the land of French fries and beer, and now the epicenter of fierce efforts to achieve compliance with the historic European privacy regulation, the General Data Protection Regulation (GDPR).

I had the privilege of representing NAI members at two major privacy events in Brussels: the in-person meeting for the IAB Europe’s GDPR Implementation Working Group and the IAPP Data Protection Congress (DPC) 2017.

First on the agenda was the third in-person meeting of the IAB Europe's GDPR Implementation Working Group (GIG).  It was a great privilege to be able to participate in the GIG, which is comprised of IAB Europe member company representatives (many of whom are also NAI members).  The GIG is committed to helping the digital advertising technology industry create and implement meaningful business and technology solutions to comply with the new privacy requirements of the GDPR and, eventually, the new ePrivacy Regulation.  No small feat!

Here are some take-aways from our meeting:

  • The IAB Europe has provided timely, thoughtful, and visionary leadership in helping companies prepare for the GDPR, as well as tireless efforts to advocate for its members before European institutions. They definitely deserve a round of applause, and maybe one of those tasty Belgian beers! (Click on the link for a recap of IAB’s thought leadership materials on privacy and data protection.)
  • The GIG and its members have done an incredible amount of work in a short time with the goal of enabling digital advertising technology companies to comply with the requirements of the GDPR without infringing on either European citizens' fundamental right to privacy and data protection or advertising companies’ capability to deliver the services and products that are so essential to a free and thriving internet economy.
  • The IAB Europe, as an active leader in the broader advertising industry comprising, publishers, agencies, and marketers, has been working hard to build consensus across the entire European digital advertising industry for an industry-built and supported technology mechanism that will facilitate consumer consent when needed as a legal basis for processing data. Here are some key features of the consent solution, the details of which will be announced soon:
    • The solution will work on both mobile and desktop devices;
    • First parties will be able to dynamically disclose third party advertising partners and the purposes for which they collect and process data, and transmit user consent choices to such third party partners;
    • Consent can be obtained through the tool for either “global” or “service-specific” affirmative consent, and such consent can be updated or withdrawn;
    • Solution participants will have the ability to enable the creation of consent records and an audit trail, creating increased accountability;
    • The consent solution will be deployed before the date of application of the GDPR.
  • The official IAB Europe announcement about the consent solution was released yesterday and includes additional details.

From the GIG meeting, I headed to the IAPP Data Protection Congress 2017. Here are some of my impressions from the DPC:

  • The conference was completely sold out.  The number of attendees and the diversity of the organizations and companies present indicate the seriousness with which the industry is approaching this groundbreaking privacy regulation.
  • If real estate is all about "location, location, location,” then DPC this year was all about "GDPR, GDPR, GDPR." The vast majority of the panels and keynote presentations addressed GDPR readiness and compliance, and the implications for privacy programs - and privacy professionals - across the globe.  Even the vendors at the DPC were focused on GDPR, promoting comprehensive suites of GDPR compliance and management solutions, from internal data mapping and privacy impact assessment tools, to reporting and compliance demonstration solutions.
  • Of course, GDPR isn't the only privacy regulation that will affect digital ad tech companies.  There is great urgency in the halls of the European Parliament to draft and debate an ePrivacy Regulation to replace the current ePrivacy Directive. In a panel addressing the "perfect storm" of the GDPR and ePrivacy Regulation, several policymakers offered guidance for companies.  The EU Commission's Rosa Barcelo and Karolina Mojzesowicz along with Ralf Bendrath, policy advisor to MEP Jan Phillipp Albrecht, said that companies should be mindful of the ePrivacy Directive while waiting for the ePrivacy Regulation.  While the original May timeline for ePrivacy Regulation implementation is no longer realistic, they said, companies should continue to comply with the ePrivacy Directive which requires consent for data processing for digital advertising. In the words of Mr. Bendrath, "online tracking is already illegal [under the e-Privacy Directive].”
  • The conference ended on a controversial note.  German MEP Birgit Sippel, in what was her first public keynote address as the European Parliament's Special Rapporteur for the proposed ePrivacy Regulation, announced, "What we are aiming at is to abolish surveillance-driven advertising."  In response to industry arguments that ePrivacy Regulation restrictions will create consent fatigue and limit online content due to revenue drops, Ms. Sippel responded that businesses are innovative and should be capable of creating meaningful consent without causing consumer fatigue.

The NAI team has also recently arrived back home from a very productive and energetic Q4 NAI Board meeting in San Francisco. We enjoyed our Thanksgiving holiday at home and are soon headed back across the pond to EDAA’s 2017 Summit in London.  No rest for the weary! See you on the other side…of the next postcard.