Back to top

Blog

Submitted by Matt Nichols on October 29, 2019

The NAI’s “Guidance for NAI Members: Viewed Content Advertising” (Guidance) announced in 2018 that the collection of Viewed Content Data (VCD) for Viewed Content Advertising (VCA) would become a covered activity under the NAI Code, enforced on January 1, 2019. The addressable or advanced television space is still a nascent and developing technology, with a transition from traditional televisions and cable boxes to Smart TVs and TV-streaming devices. As large media companies continue to launch their own streaming platforms this year, it appears that the use of Smart TV-devices, that serve as a way to stream these platforms, will continue to grow. 

As of January 1, 2019, NAI member companies collecting VCD for Personalized Advertising or Ad Delivery and Reporting purposes should have taken steps to comply with this Guidance. A major component of the NAI’s self-regulatory framework is user choice. Just as the NAI Code requires member companies to ensure that an easy-to-use choice mechanism is available for users to opt out of Personalized Advertising on their web browsers and mobile devices, the purpose of the Guidance is to ensure that a commensurate level of control is available on a television engaged in Personalized Advertising. 

However, as was the case in the early days of advertising on mobile applications, the ability to provide a consistent choice mechanism in the television space is still maturing. Some technology platforms do not provide a built-in consumer choice mechanism, while others are not completely clear as to what constitutes an opt out or how such signals are shared with applications. This is an aspect of the connected-television space that will likely continue to evolve in the coming years, just as the mobile application ecosystems did before settling on the Mobile Ad Identifiers (Apple’s IDFA and Android’s GAAID) and consumer choice settings that many users are familiar with today.

In addition to those NAI member companies that collect data from connected televisions and streaming devices, some NAI members may engage in, or facilitate, the targeting of digital advertising on these devices based on data collected in more traditional web-based or mobile app-based settings, through Cross-Device Linking. Consistent with the NAI Code’s requirements for Cross-Device Linking, those NAI members must provide relevant disclosures on their own websites and a means for users to opt-out of receiving Personalized Advertising on their connected televisions or streaming devices.

Based on its 2019 compliance reviews of member companies to date, NAI compliance staff has noted a lack of consistency in how members disclose the collection and/or use of data on connected televisions and streaming devices, and how these members notify users of the choices that are available to them with respect to Personalized Advertising on these devices. Accordingly, throughout its 2019 compliance reviews, the NAI has been working with its members to help them provide adequate disclosures and clear instructions to consumer choice mechanisms for Personalized Advertising on connected televisions and connected devices. Additionally, the NAI has recently provided an instructional page for users, informing them how to locate and activate the privacy preferences on many of the most popular devices in the television space. The NAI provided a similar service in the mobile application space, but it is likely to be even more beneficial for televisions and connected devices, where a much broader variety of platforms, each with their own settings and preferences, currently occupy the market. The NAI urges all of its members to direct users to these instructions, when relevant, or to provide similar instructions to users in their own consumer choice pages and privacy disclosures.

In order to ensure a level playing field and avoid an advantage to the NAI members who underwent the 2019 compliance process earlier in the year, the NAI will work with all willing member companies until December 31, 2019 to help them provide adequate disclosures surrounding the collection and/or use of data for Personalized Advertising on connected televisions and streaming devices. On January 1st, 2020, NAI staff will begin stricter enforcement of these requirements in earnest, and NAI members who do not provide adequate disclosures or instructions for choice mechanisms, based on NAI staff’s judgement, will be subject to the NAI’s full enforcement procedures.

All NAI members who collect or use data on connected televisions or streaming devices for Personalized Advertising and Ad Delivery and Reporting  should review their current disclosures, and instructions for consumer choice mechanisms to ensure they meet the requirements of the Guidance and the 2020 Code of Conduct ahead of January 1, 2020. Members can reach out to NAI staff with any questions about how to best comply with NAI requirements on these devices.

If you have any questions about the Guidance, or the Code generally, please reach out to NAI Compliance staff (compliance@networkadvertising.org).

Submitted by William Lee on October 23, 2019

The Network Advertising Initiative’s 2020 Code of Conduct expands the scope of activities it covers to include all uses of previously collected user-level data for Tailored Advertising across websites and applications, as well as on covered devices. One result of the 2020 NAI Code’s expanded scope is that offline data onboarded for use in tailoring digital advertising through a matchpoint derived from PII is now covered as a subset of Tailored Advertising. The 2020 NAI Code defines this practice as Audience-Matched Advertising (AMA).1

Because AMA is a form of Tailored Advertising under the 2020 NAI Code, members engaged in AMA must comply with new obligations when the 2020 NAI Code goes into effect, including new consumer choice obligations. Specifically:

“An Opt-Out Mechanism for a member’s use of PII or hashed PII shall apply to the member’s use of that PII or hashed PII for Tailored Advertising on all devices and shall be made available on both the member’s website and on the NAI website. If an NAI member uses types of PII or hashed PII that are not supported by the NAI Opt-Out Mechanism, and are not linked to the types of PII or hashed PII supported by the NAI Opt-Out Mechanism, the member shall provide an Opt-Out Mechanism for such PII or hashed PII directly on the member’s site.”2

The NAI has recently finalized the technical specification for a centralized Opt Out Mechanism for AMA based on email addresses (the “Centralized AMA Opt Out”) that will help members engaged in AMA to meet this new obligation.

This blog post aims to provide clarity regarding which NAI members will need to provide their own opt out for AMA, which members will need to integrate with the NAI’s Centralized AMA Opt Out, and what obligations fall to members who engage in AMA indirectly through third parties. The blog post will then outline a number of other policies related to AMA opt outs.

NAI Member Obligations According to Business Practice

1. NAI members directly onboarding offline data

a. If an NAI member engages in AMA directly using PII or hashed PII in their own systems as a match-point for onboarding, that member must provide an Opt-Out Mechanism linked to the PII or hashed PII they use for that purpose. This Opt-Out Mechanism must allow users to provide their PII to the member company, so that the PII can be opted out from AMA on a going-forward basis.

i. If an NAI member uses email addresses as the match point for AMA, in either plaintext or hashed format, the member must integrate with the NAI’s Centralized AMA Opt Out. The NAI member must also provide a link to the NAI’s Centralized AMA Opt Out in its privacy policy with an explanation of where the link will take a user.

ii. If an NAI member uses forms of PII or hashed PII other than an email address as a matchpoint, and those forms of PII or hashed PII are not also linked to an email address, that member must separately provide an Opt-Out Mechanism for such data-points on the member’s own website. For example, if an NAI member uses mobile phone numbers or hashed mobile phone numbers as match-points, the member must provide a way for users to enter their mobile phone number to be opted out of AMA on a going-forward basis.

2. NAI members that encounter PII, in hashed or plaintext format, in their systems but pass it on to a third-party for onboarding

a. If an NAI member encounters PII, in hashed or plaintext format, in its systems but forwards that data to a third-party for onboarding for AMA purposes, the NAI member will need to develop its own Opt-Out Mechanism for AMA, consistent with the requirements of point 1.a.

i. If an NAI member encounters email addresses, in either plaintext or hashed format, the member must integrate with the NAI’s Centralized AMA Opt Out. The NAI member must also provide a link to the NAI’s Centralized AMA Opt Out in its privacy policy with an explanation of where the link will take a user, consistent with the requirements of point 1.a.i.

ii. If an NAI member encounters forms of PII or hashed PII in its systems,  other than an email address as a matchpoint, and those forms of PII or hashed PII are not also linked to an email address, that member must separately provide an Opt-Out Mechanism for such data-points on the member’s own website, consistent with the requirements of point 1.a.ii.

3. NAI members that utilize third parties for onboarding offline data

a. If an NAI member at no point encounters hashed or plaintext PII in its systems but engages a third party to onboard offline data on its behalf, for AMA purposes, the NAI member must contractually require the third party to offer an Opt-Out Mechanism linked to hashed or plaintext PII, consistent with the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies. Additionally, the NAI member should provide a link in its privacy policy to the third party’s AMA Opt-Out Mechanism.

4. NAI members that license onboarded AMA data from third-party data providers

a. If an NAI member licenses data from a third-party data provider that includes a consumer’s onboarded AMA data, the NAI member must contractually require the third-party data provider to offer an Opt-Out Mechanism linked to hashed or plaintext PII, consistent with the with the NAI member’s obligations under the “Responsible Sources” requirement of the Code3 and the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies.

5. NAI members that operate a service platform that makes onboarded data from third-party data providers available to the member’s clients

a. If an NAI member operates a service platform that makes onboarded data from third-party data providers available to the member’s clients for AMA purposes, the NAI member must contractually require the third-party data provider to offer an Opt-Out Mechanism linked to hashed or plaintext PII consistent with the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies.

6. NAI members that provide functionality that allows its clients to match its online identifiers with PII or hashed PII in its’ clients’ possession for AMA

a. If an NAI member provides functionality that allows its clients to match its online identifiers with PII or hashed PII in its clients’ possession for AMA, the NAI member must contractually require the partner to represent that the user has permitted Audience-Matched Advertising by providing Opt-In Consent directly to that client.

Other Audience-Matched Advertising Opt Out Related Policies

Service Provider Exemption

According to the Commentary to the 2020 NAI Code of Conduct, “an NAI member acting purely as a service provider to an advertiser client, who does not retain any individual rights to the data processed on behalf of the client, may continue to engage in Audience-Matched Advertising on behalf of that client, even in the presence of an opt out linked to a user’s PII, if the client contractually represents that the user has permitted Audience-Matched Advertising by providing Opt-In Consent directly to that client.”

This exemption reflects the NAI’s belief that when a user has provided an advertiser with Opt-In Consent for that advertiser’s use of their PII for AMA, that consent extends to the advertiser’s agents, including NAI members acting purely as service providers to the advertiser. A user seeking to revoke consent for an advertiser’s use of their PII for AMA in that scenario should direct their request to the advertiser, not the advertiser’s service provider.

If an NAI member retains any rights to the onboarded data, or the PII or hashed PII used as a matchpoint and provided by the client and used to onboard the data, the member may not claim the service-provider exemption. For example, if an NAI member onboards data on behalf of a client, and subsequently uses the match to bolster or authenticate its own Cross-Device Linking mechanism, that member is not acting as only a service provider on behalf of the client.

Conversely, NAI members who do not directly engage in AMA, but permit advertiser clients to onboard their own data by attaching PII, such as an internal customer number, to online identifiers provided by the member company, are involved in AMA purely as a service provider if the member company does not receive any information regarding the link between an online identifier and PII, or is not permitted to use such information for the member’s own purposes. In such cases, the member must ensure that the advertiser client has obtained the user’s Opt-In Consent directly, for such uses of the data by the client.

If you believe that your company may qualify for this exemption please reach out to the NAI compliance team (compliance@networkadvertising.org) to confirm.

Use of Data Received to Effectuate an Audience-Matched Advertising Opt Out

Regardless of whether NAI members receive hashed or plaintext PII from an AMA Opt-Out Mechanism, NAI members may only use that hashed or plaintext PII to maintain a user’s opt-out preference.

Opt-Out Duration

The duration of an opt out from AMA is indefinite. However, members may ask users to opt back in twelve months after the opt out was expressed. As noted above, NAI members may not use PII or hashed PII for any purpose except to maintain a user’s opt-out preference, and so may not contact the user via email in asking them to reconsider their choice, but they may present a message to the user during regular app or web use, for example if the user is encountered at a typical match event at least twelve months after having opted out.

In cases where local regulations or legislation require NAI members to delete data (even if that data is being retained exclusively for maintaining a consumer’s AMA opt-out preference) after a given time, NAI members must comply with such regulation or legislation.

Timescale for Processing AMA Opt Outs

NAI members should effectuate AMA Opt Outs in their systems within 10 days of receipt of an AMA opt-out request.


1 “Audience-Matched Advertising is the practice of using data linked, or previously linked, to Personally-Identified Information (PII) for the purpose of tailoring advertising on one or more unaffiliated web domains or applications, or on devices, based on preferences or interests known or inferred from such data.” - 2020 NAI Code of Conduct, Section I.B.

2 2020 NAI Code of Conduct, § II.C.3.

3 2020 NAI Code of Conduct § III.F.2.

 

Submitted by Leanny Prieto on October 22, 2019

The NAI recently conducted a survey among 10,000 consumers to find out more about what they think about digital advertising, online content, and privacy. 

The survey results feature three key findings:

  1. Consumers have significant online privacy concerns that are primarily driven by bad actors, such as hackers. 
  2. Consumers strongly favor ad-supported media and online services over those that require payment.
  3. American consumers are overwhelmingly looking to Congress and the Federal Government to address privacy concerns.

Consumers have significant online privacy concerns that are primarily driven by bad actors, such as hackers. 

The vast majority of survey respondents indicated having at least some concern about their privacy online. More than half, 56.2%, cited hackers as the main source of concern. Other top sources of privacy concerns varied, with significantly smaller percentages citing a range of different concerns, including 12% citing data collection by websites or apps, 11% for ad tech companies, 10% citing the U.S. Government, and 8% citing foreign governments. Overall, hackers and government surveillance outweighed concerns about industry data collection by almost 3:1.

Consumers strongly favor ad-supported media and online services over those that require payment.

The study revealed that consumers place a high value on their online content and services. However, respondents to this survey are disinclined to pay more for their online content than they are already paying. The survey revealed that nearly 60% of respondents prefer their online content to be paid for by advertising, while another question sought feedback from consumers on how much they currently pay for online content and how much they would be willing to pay. Nearly 90% said they are unwilling to pay a significant amount of money to continue receiving apps and online content that they currently receive for free. The survey provided a strong affirmation that the ad-supported content model is ideal for most consumers.

American consumers are overwhelmingly looking to Congress and the Federal Government to address privacy concerns.

With respect to providing privacy protections for consumers, respondents to this survey indicated they want the Federal Government and Congress to address privacy concerns. A substantial majority, 67% of respondents, believe that the federal government should be responsible for enacting laws to protect the data privacy of American citizens. Clearly, U.S. consumers believe that data protection should be offered to consumers regardless of where they live. These results align with NAI’s public policy efforts to advance a national privacy framework that establishes a uniform standard for consumer privacy in the U.S.

The full analysis paper can be found here.

Submitted by Anthony Matyjas... on August 30, 2019

The Network Advertising Initiative (NAI) today released its 2018 Annual Compliance Report, a review of members’ adherence to the 2018 NAI Code of Conduct (Code). The report shows that, while NAI staff found that some member companies had various non-material violations of the Code, these members actively worked with NAI staff during the course of the year to ensure that these issues were resolved quickly. Ultimately, the NAI’s compliance reviews of new and member companies indicate that all 103 companies met their obligations under the provisions of the Code in 2018.

The report is based on findings from the 2018 compliance period in which 92 returning member companies, all leading third-party digital advertising companies, were reviewed during the year by NAI staff for compliance with the Code. The remaining member companies underwent an equally stringent review as part of their membership application process in 2018.

NAI staff found a variety of non-material violations of the Code as a result of the organization’s robust year-round monitoring program. These violations included several privacy links that did not appear to function correctly, and privacy disclosures that did not appear to provide adequate information regarding data collection and use in specific circumstances.

NAI staff, as well as attorneys and engineers from member companies, devoted hundreds of hours to reviews, monitoring, and interviews. NAI’s compliance staff worked with each member company throughout the year to monitor and ensure compliance. Such active monitoring enables the NAI and its member to preemptively spot potential problems and to resolve issues promptly, before they turn into larger complications affecting greater numbers of consumers.

The compliance process is the most important program undertaken by the NAI, as the NAI’s high standards for self-regulation would be meaningless without an insistence on accountability. The NAI’s compliance program is a time- consuming and expensive undertaking for its member companies, and it shows their commitment to consumer privacy and industry best practices.

The NAI retains the option to sanction members if Code violations are found to be material. However, the companies that join the NAI take their obligations to comply with the Code very seriously. As a result, ongoing dialogue and communication with members leads to issues being resolved quickly to the benefit of the consumer, which increases the overall health of the ecosystem.

The report also provided an update on the NAI’s achievements over the course of the year:

  • Enforce the 2018 Code of Conduct. The NAI expanded began enforcing its 2018 Code of Conduct, which synthesized the previous Code of Conduct for web-based data collection and use, and the Mobile Application Code.
  • Publish guidance for data collection and use on connected televisions. NAI staff and its Board of Directors continued work on connected TV policy and published the Guidance for NAI Members: Viewed-Content Advertising.
  • Continue development of a thoroughly revised Code of Conduct. NAI staff and its Board continued work on a thoroughly revised Code, to encompass new business models and marketing strategies, including the use of “offline” data for digital advertising, the use of device sensor data, transparency around political advertising, and dramatically expanded privacy protections for the collection and use of Precise Location Data, leading to the 2019 publication of the 2020 NAI Code of Conduct.
  • Expand the NAI’s public policy efforts to address new and proposed legislation and regulation on a state, federal, and international level. The NAI greatly expanded its public policy efforts by hiring additional staff, including a new Vice President for Public Policy. This allowed the NAI to engage with legislators, regulators, and policymakers on a far more frequent basis, and included testimony at congressional hearings, development of new educational materials, and providing multiple briefings for policymakers and thought leaders.

The NAI leverages the findings of the Annual Compliance Report to further strengthen its self- regulatory program. In 2019, the NAI is conducting advance work with its members and industry stakeholders to prepare for enforcement of the 2020 Code of Conduct. The NAI is also further developing and expanding its public policy efforts to inform legislators and thought leaders about the latest developments in digital advertising and the most pressing privacy concerns in this area.

At a time when the nature of digital advertising is being questioned and reconsidered in Europe, in several US states, and on a federal level, it is even more important for self-regulatory efforts in the US to clearly demonstrate that thoughtful and flexible self-regulatory approach can provide robust consumer privacy protection while also allowing digital advertising technology, and the Internet economy more broadly, to flourish. Perhaps most importantly, the NAI’s approach aims to preserve free and equal consumer access to a bounty of diverse content online.

To download the 2018 Annual Compliance Report, visit: www.networkadvertising.org.