Blog

Submitted by Anthony Matyjas... on August 25, 2020

The NAI has been pleased with the positive response to its Guidance for NAI Members: Health Audience Segments (Guidance), and we continue to receive questions from member companies about the applicability of this document to various digital advertising products and scenarios.

One of the questions the NAI has fielded on several occasions relates to how the Guidance applies to non-member companies, typically in the form of advertisers. Together with the 2020 Code of Conduct (Code), the Guidance document establishes steps NAI members may take when creating audience segments for medications and treatments for various health conditions. 

The central premise of the Guidance is tied to the creation of audiences that rely only on demographic information, such as age or gender, and that are large enough to encompass at least ten percent of the total population, thus helping to preserve consumer privacy, and reducing the likelihood of singling out specific users who may actually suffer from a given condition.

However, the Code and Guidance apply only to NAI member companies, and NAI members often make audience segments available to advertisers who then choose to display advertising campaigns to the consumers in those audience segments. Can NAI members permit advertisers or other non-members to modify audiences created based on the Guidance with non-demographic data and/or by refining the audience size so that it becomes smaller than the ten percent threshold discussed in the Guidance? The answer is “no,” unless the non-member has received Opt-In Consent from consumers.

The NAI recognizes that it may not always be possible for member companies to police the uses of data that has been licensed to third parties, and the NAI does not typically hold members accountable for what others may do with data that has been licensed to them. Nonetheless, the NAI expects member companies to place contractual and (when possible) technical restrictions on the use of data by clients and partners, to help ensure that such uses are consistent with the NAI Code and Guidance documents. These practices help spread the NAI’s high standards for consumer privacy beyond NAI membership, to the broader digital advertising ecosystem, including publishers, advertisers, and others.

Submitted by Tony Ficarrotta on July 1, 2020

Today is the first day that the California Attorney General (AG) is authorized to bring enforcement actions under the California Consumer Privacy Act (CCPA). It marks the start of what is likely to be an evolving process of privacy enforcement in California as the AG and the courts interpret the law for the first time, and while the status of the law itself remains in flux over the next few years.

How did we get here?

  • In 2018, Californians for Consumer Privacy were set to have their original version of the CCPA appear on the November 2018 ballot, but after negotiations with the California legislature, a compromise version of the CCPA was quickly passed into law.
  • In 2019, the AG solicited initial input on CCPA regulations, both in writing and through hearings around California, and published the first of four versions of the regulations. At the same time, the legislature passed amendments to the CCPA, and Californians for Consumer Privacy introduced a new ballot initiative, the California Privacy Rights and Enforcement Act of 2020 (CPREA).
  • So far this year, the CCPA went into effect on January 1st, and the AG has produced three different versions of the regulations – two modified drafts and final proposed regulations. Californians for Consumer Privacy succeeded in qualifying their new initiative for the November 2020 ballot, now updated and re-named the California Privacy Rights Act of 2020 (CPRA).

Where does that flurry of activity leave us today?

  • The CCPA itself has technically been in effect since January 1, 2020. Private litigants have been taking advantage of the CCPA’s limited private right of action for alleged data breaches since then, but those lawsuits have not affected ad-tech companies to date because the kinds of pseudonymous information ad-techs generally use are not subject to the private right of action.
  • Not until today, however, is the AG authorized by the CCPA to start bringing enforcement actions. That means, for example, that the AG may now bring a civil enforcement action for a business’s alleged failure to respect a California consumer’s request to opt out of the sales of personal information, or a service provider’s alleged failure to adhere to the strictures of their contracts. Such enforcement actions could result in fines of $2,500 for each violation or $7,500 for each intentional violation. AG Becerra has indicated that his office may bring enforcement actions for violations alleged to have occurred since the CCPA’s January 1 effective date.
  • After a business has been notified of alleged violation(s), that business has up to 30 days from the time of notice to cure the violation before being subject to an enforcement action and/or fines.
  • Although the AG proposed final regulations on June 1, those regulations are not yet directly enforceable because they have not yet been approved by the California Office of Administrative Law (OAL). For example, it’s possible that controversial language governing conflicts between local and global “do not sell” signals that appear in section 999.315(d)(2) of the final proposed regulations, but not the CCPA, may not be enforceable until the OAL approves the regulations.

What are the next steps in this evolving process?

  • As of June 1, the OAL had 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review, approve, and file the AG’s final proposed CCPA regulations to make them effective. By my count, that means the OAL could make the regulations effective and enforceable any time between today and September 12, 2020. Or, the OAL could reject the proposed regulations for non-compliance with California’s Administrative Procedure Act.
  • California voters appear likely to approve the new CPRA ballot initiative this November. The CPRA, if approved, will significantly overhaul the CCPA and shift enforcement and rulemaking from the AG to a new California Privacy Protection Agency. The CPRA would take effect on January 1, 2023.

It has been difficult to track, much less plan compliance with CCPA developments over the last 18 months in the midst of legislative amendments, evolving proposed regulations, and Californians for Consumer Privacy’s second foray into direct democracy to alter the longer-term outlook. Regardless, businesses should expect to see the AG bringing enforcement actions under the statute in the near future, while remaining flexible in planning for new requirements under the final proposed regulations later this year, and under the CPRA in 2023.

Submitted by Rod Ghaemmaghami on June 23, 2020

The NAI is proud to publish a new set of best practices, “Using Information Collected for Tailored Advertising or Ad Delivery and Reporting for Non-Marketing Purposes.” While the NAI Code addresses members’ activities regarding the collection of consumer data as it relates to Tailored Advertising or Ad Delivery and Reporting (ADR), this document provides members and industry with a set of privacy-protective best practices for the non-marketing uses of this information. This applies to any data that was collected for Tailored Advertising or ADR and then subsequently used for purposes outside of Tailored Advertising or ADR. These best practices are particularly pertinent to sensitive information, such as Precise Location Information, where consumers would benefit from more detailed just-in-time notice about the uses of this information beyond advertising and marketing. The NAI’s recent guidance on “Opt-In Consent” details how members should provide detailed just-in-time notice when using opted-in data for Tailored Advertising or ADR. These best practices expand on those use cases and discuss uses not covered by the NAI Code. Members and others across industry should consider these best practices when developing policies about the sharing and use of data for various purposes outside of the NAI Code of Conduct.

As the COVID-19 pandemic has revealed, information collected as a result of Tailored Advertising or ADR, particularly location data, can be a valuable resource for public good. Many of our members have collaborated with government agencies and research institutions during this time, sharing aggregate and de-identified data. The NAI supports their efforts and we hope that this document can serve to guide any company that shares information for non-marketing purposes. Members should refer to these Best Practices to determine whether further disclosure of any information would be beneficial to the user, in what form the data can be shared to minimize any privacy risk, and what restrictions could be placed to protect the data. 

Best Practice 1: NAI Members should apply a materiality test to determine whether non-marketing uses of information collected for Tailored Advertising or ADR should be explicitly disclosed. For certain categories of data that the NAI considers “Sensitive Information,” which includes Precise Location Information, the NAI requires Opt-In Consent and detailed notice of the proposed uses and sharing of the data. If a member intends to use location information collected for Tailored Advertising or ADR for non-marketing purposes, the NAI recommends applying a materiality test to determine whether that non-marketing purpose should also be disclosed in the just-in-time notices that are already required for Tailored Advertising or ADR purposes. The NAI follows the FTC’s guidance on what constitutes a “material” consideration: The basic question is whether the act or practice is likely to affect the consumer's conduct or decision with regard to a product or service. The Best Practices provide hypothetical scenarios in which a company may determine that the sharing of data for law enforcement purposes, for example, is material and therefore discloses that in a just-in-time notice.

Best Practice 2: NAI members should use aggregate group data and/or de-identified user-level data whenever possible for non-marketing use cases. In general, the use of aggregate and/or De-Identified Information mitigates privacy risks to individuals because such information does not pertain to an individual user or device. NAI members who share information that requires Opt-In Consent for non-marketing uses should render it de-identified or aggregate it whenever possible, consistent with the purpose for sharing it.

Best Practice 3: NAI members should extend privacy protective NAI Code requirements to the use of information collected for Tailored Advertising or ADR for non-marketing purposes. While the NAI Code applies specifically to data collected for advertising and ADR, the NAI recommends applying the NAI Code requirements of data minimization, use limitations, transfer restrictions, and reasonable security to the sharing of data for non-marketing uses. 

To help companies apply the Code, the Best Practices include hypothetical scenarios that provide additional context for non-marketing uses. The NAI recommends that members consider all three best practices in any non-marketing use case–applying the materiality test, sharing data in the most privacy protective manner, and placing restrictions and protections on the further use of the data. 

As NAI members continue to innovate and find new uses of information collected as a result of Tailored Advertising or ADR, they should continue to look to the NAI Code as a guide for their activities that do not fall squarely under the scope of the Code. The NAI staff hopes these best practice recommendations will assist NAI members in continuing to develop innovative uses of data and technology in a way that preserves user trust and privacy. 

Submitted by Anthony Matyjas... on June 18, 2020

The Network Advertising Initiative (NAI) compliance team has had a productive spring, publishing the 2019 Annual Report, commencing the 2020 compliance review process, as well as working with members and the broader digital advertising industry to prepare for the enforcement of a number of new requirements, including just-in-time notice tied to the collection of Precise Location Information. 

The NAI recently released its 2019 Annual Report, the final review of members’ adherence to the 2018 NAI Code of Conduct, as well as a look back at recent publications and other NAI initiatives from the past year. The report demonstrates that member companies continued to improve their privacy disclosures and maintained the functionality of their consumer choice mechanisms. 

The report is based on findings from the 2019 compliance period in which 93 returning member companies, all leading third-party digital advertising companies, were reviewed during the year by NAI staff for compliance with the Code. Companies new to the NAI underwent an equally stringent review as part of their membership application process in 2019.

Overall, NAI members demonstrated that they treat consumer privacy as a priority, and collectively devoted thousands of hours to improving disclosures, maintaining consumer choice mechanisms, and meeting with NAI staff to further the industry’s collective understanding of best practices and requirements while ensuring that privacy is treated with equal importance by upstream and downstream partners. As in prior years, NAI staff found a variety of minor violations of the Code as a result of the organization’s robust year-round monitoring program. These included several links that did not appear to function correctly, and disclosures that could have benefitted from additional information regarding data collection and use in specific circumstances. NAI staff worked with members to resolve such issues as quickly as possible, minimizing the potential impact on consumers, and preventing problems from growing into more material violations.

The biggest challenge in 2019 was the industry’s collective compliance with NAI requirements for notice and choice tied to the collection and use of data on connected televisions. This was the first year that NAI members were required to comply with these obligations, and the fact that tailored advertising on connected televisions is still in its nascency has led to confusion about how and when requirements may apply, which was compounded by the lack of an established framework for consumer choice. These problems are similar to what the industry experienced as mobile technologies gained widespread adoption, and those issues were resolved over time thanks to the efforts of the digital advertising industry. NAI staff published a compliance warning to members in October, and devoted considerable time in 2019 to member education with regard to notice and choice tied to connected televisions and expects to see dramatically improved compliance in 2020.

The report also provided an update on the NAI’s achievements over the course of the prior year, such as the publication of the NAI’s 2020 Code of Conduct, several new guidance documents, and much more robust public policy outreach and policymaker education tied to state and federal legislation.

Before the ink dries on the 2019 Annual Report, the NAI has already commenced its 2020 compliance review process. NAI staff is nearly finished reviewing the first group of members, those who joined the NAI last year, and will shortly be moving on to returning member companies. This year, in addition to a heavy focus on connected television requirements, as mentioned above, the NAI is conducting its first annual review based on the 2020 Code of Conduct, which greatly expands the scope of the NAI’s self-regulatory program and introduces a number of new requirements with regard to offline data, Sensitive Information, Precise Location Information, political advertising, and many other topics.

At the outset of the year, when the broader 2020 Code went into effect, the NAI was forced to delay enforcement of two new requirements: just-in-time notice for the collection of Precise Location Information, and a global cross-device Opt-Out Mechanism for Audience Matched Advertising. At the time, the NAI intended to begin enforcement of these provisions on July 1, as part of this year’s compliance review. Both of these requirements involve extensive changes to and development of the digital advertising infrastructure, so additional time was necessary to bring them to fruition. While the NAI and its members have devoted extensive time and effort to developing the requisite background technologies necessary for compliance with these requirements, this year’s public health crisis and resulting limitations on resources have made it impossible to meet the planned timeline, and the NAI now plans to begin enforcement of these two provisions on January 1, 2021.

In the meantime, NAI staff is continuing its education and compliance efforts, helping member companies to provide better disclosures and more thorough consumer choice mechanisms, while continuing to advocate for federal privacy legislation and developing new guidance and best practices in novel issues for digital advertising.