Blog

Submitted by Anthony Matyjas... on January 29, 2020

The NAI is opening what promises to be a busy year with new guidance on health-related ad targeting. The NAI has long imposed and enforced restrictions on the use of Sensitive Data for Tailored Advertising with the understanding that while targeted ads help to fund a robust and diverse Internet and provide users with relevant ads, a user’s engagement with certain limited types of content may not always be appropriate for Tailored Advertising. For example, research about potential cancer treatments while at home on a personal device may not be appropriate for Tailored Advertising. Additionally, the placement of web browsers or devices into audience segments labeled with sensitive conditions to be used for ad targeting could also negatively affect a user’s privacy, especially if such segments were to be misused or accessed without authorization. This practice is prohibited by the NAI Code of Conduct without a consumer’s Opt-In Consent.

Of course, many users are genuinely interested in products and treatments for their health or medical conditions and may also be interested in receiving Tailored Advertising for such products or treatments. Accordingly, the NAI provides those users with an opportunity to opt in to such advertising, described in a clear and conspicuous notice, through an affirmative action that manifests this intent.

The NAI’s opt-in requirements regarding the use of medical or pharmaceutical records are clear, as are restrictions against inferences that a user may have a sensitive health condition based on browsing or mobile app activity. In fact, these restrictions have created a strong incentive for ad-tech companies to avoid targeting users based on Sensitive Data. However, there is a long history, and a legitimate need for continued marketing of medical treatments or medications to consumers who may benefit from and wish to see these ads. The NAI’s new guidance establishes a clear framework to enable efficient marketing, while still prohibiting the selection of ads based on inferred interest in a sensitive health or medical condition, such as a specific inference based on a user’s prior engagement with a given website or mobile application.

Many advertisements may be targeted only based on general demographic factors such as age or gender. For example, a pharmaceutical company may advertise a treatment for a condition primarily affecting women, such as breast cancer, which would be considered as sensitive under the Code. In this case, the inference made in targeting such an advertisement would not be that the audience has the condition in question, or has expressed any interest in it, but rather, simply that the target audience is composed of women. Ad targeting based on demographic factors such as age or gender is an effective way to allow users to receive ads that are relevant to them while at the same time preserving users’ privacy.

However, the NAI is mindful of the fact that in some cases, if various demographic factors are combined and overlaid with additional information, such as an individual’s web browsing, app use, shopping history, or Precise Location Information, it can become much more specific and precise. The NAI’s new guidance is intended to close any potential loopholes that would allow member companies to make an inference that a user actually has, or is likely to have, a certain health or medical condition or treatment, under the guise of demographic targeting.

This guidance document also provides additional clarity as to what types of modeled audiences are considered non-sensitive by the NAI, regardless of the conditions they address, based on the size of the target audience, the type of targeting criteria involved, and the nomenclature used in segmenting audiences into such groups.

Effectively, this guidance document clarifies that the NAI staff will consider a health-related audience segment to be non-sensitive under the NAI Code, even if it is intended to target a potentially sensitive health condition, if the segment includes at least ten percent of the total population, is based only on demographic data, and is labelled with its actual demographic composition.

Importantly, even for the use of non-sensitive audience segments detailed in this guidance, NAI members must comply with the transparency requirements in the NAI Code and provide full public disclosure of all “standard” or “off-the-shelf” audience segments used for health-related Tailored Advertising and a representative sample of “custom” audience segments used for the same purposes.

The NAI will remain vigilant and proactive in this space, and will continue to lead digital advertising companies in its efforts to enhance consumer trust and privacy with regard to Sensitive Data while ensuring the Internet remains free and vibrant for all users.

Submitted by Anthony Matyjas... on December 19, 2019

After an eventful 2019, the NAI is preparing for a momentous twentieth anniversary year in 2020. The thoroughly revised 2020 NAI Code of Conduct will go into effect in ten days, on January 1st, 2020, placing a number of new requirements in the areas of Tailored Advertising and Ad Delivery and Reporting on NAI members. This new Code incorporates the Viewed Advertising Guidance, modernizes terminology, extends consumer opt-in requirements for the use of certain types of data (including Sensor Information and Precise Location Information) to Ad Delivery and Reporting, introduces political transparency requirements, and expands coverage to information collected offline if it is used to target digital advertising across websites, apps, or on digital television screens.

NAI staff have been working with member companies throughout the year to educate them about these new requirements, and we have been helping member companies prepare for the changes they will need to make in order to remain in compliance with the Code in 2020. This includes a number of educational webinars and one-on-one calls with each member company during the 2019 NAI compliance review.

As the enforcement date of these new requirements approaches, and after speaking with all member companies, the NAI is allowing for additional time for members to come into compliance with two new obligations under the new Code, due to the industry-wide changes which will be necessary for material compliance with those two requirements.

First, the 2020 Code requires member companies engaged in Audience-Matched Advertising to provide a PII-based opt out from these activities for users on the NAI industry page. The technical development of, and integration with, this new tool have been delayed due to the amount of resources that member companies are devoting to compliance with the California Consumer Privacy Act (CCPA) by January 1, 2020. The NAI and its members will work during the first half of 2020 to ensure that all members engaged in Audience-Matched Advertising are fully integrated with the NAI’s PII-based opt-out tool by July 1, 2020, and enforcement actions for non-compliance are set to begin after that date.

Second, the 2020 Code raises the bar on what steps are necessary for NAI members to rely on reasonable assurances from partners that consumers have expressed informed Opt-In Consent to Tailored Advertising and Ad Delivery and Reporting uses of sensitive data such as Precise Location Information. One of these requirements is for users to be presented with just-in-time notice while providing consent for digital advertising uses of their location data. Because platform controls provided by device manufacturers do not always allow for the provision of such notice, NAI members must take technical and contractual steps to ensure that this notice can be presented to users by the mobile applications that collect location data. NAI staff and members will work to operationalize these changes in the mobile digital advertising ecosystem during the first half of the year, with the goal of beginning enforcement also on July 1, 2020.

All other requirements in the 2020 NAI Code will be enforced beginning on January 1, 2020 thanks to the hard work by NAI member companies to prepare for these new obligations during the past year, even as they were also preparing for new requirements under CCPA.

Submitted by Matt Nichols on October 29, 2019

The NAI’s “Guidance for NAI Members: Viewed Content Advertising” (Guidance) announced in 2018 that the collection of Viewed Content Data (VCD) for Viewed Content Advertising (VCA) would become a covered activity under the NAI Code, enforced on January 1, 2019. The addressable or advanced television space is still a nascent and developing technology, with a transition from traditional televisions and cable boxes to Smart TVs and TV-streaming devices. As large media companies continue to launch their own streaming platforms this year, it appears that the use of Smart TV devices that serve as a way to stream these platforms will continue to grow.

As of January 1, 2019, NAI member companies collecting VCD for Personalized Advertising or Ad Delivery and Reporting purposes should have taken steps to comply with this Guidance. A major component of the NAI’s self-regulatory framework is user choice. Just as the NAI Code requires member companies to ensure that an easy-to-use choice mechanism is available for users to opt out of Personalized Advertising on their web browsers and mobile devices, the purpose of the Guidance is to ensure that a commensurate level of control is available on a television engaged in Personalized Advertising. 

However, as was the case in the early days of advertising on mobile applications, the ability to provide a consistent choice mechanism in the television space is still maturing. Some technology platforms do not provide a built-in consumer choice mechanism, while others are not completely clear as to what constitutes an opt out or how such signals are shared with applications. This is an aspect of the connected-television space that will likely continue to evolve in the coming years, just as the mobile application ecosystems did before settling on the Mobile Ad Identifiers (Apple’s IDFA and Android’s GAAID) and consumer choice settings that many users are familiar with today.

In addition to those NAI member companies that collect data from connected televisions and streaming devices, some NAI members may engage in, or facilitate, the targeting of digital advertising on these devices based on data collected in more traditional web-based or mobile app-based settings, through Cross-Device Linking. Consistent with the NAI Code’s requirements for Cross-Device Linking, those NAI members must provide relevant disclosures on their own websites and a means for users to opt-out of receiving Personalized Advertising on their connected televisions or streaming devices.

Based on its 2019 compliance reviews of member companies to date, NAI compliance staff has noted a lack of consistency in how members disclose the collection and/or use of data on connected televisions and streaming devices, and how these members notify users of the choices that are available to them with respect to Personalized Advertising on these devices. Accordingly, throughout its 2019 compliance reviews, the NAI has been working with its members to help them provide adequate disclosures and clear instructions to consumer choice mechanisms for Personalized Advertising on connected televisions and connected devices. Additionally, the NAI has recently provided an instructional page for users, informing them how to locate and activate the privacy preferences on many of the most popular devices in the television space. The NAI provided a similar service in the mobile application space, but it is likely to be even more beneficial for televisions and connected devices, where a much broader variety of platforms, each with their own settings and preferences, currently occupy the market. The NAI urges all of its members to direct users to these instructions, when relevant, or to provide similar instructions to users in their own consumer choice pages and privacy disclosures.

In order to ensure a level playing field and avoid an advantage to the NAI members who underwent the 2019 compliance process earlier in the year, the NAI will work with all willing member companies until December 31, 2019 to help them provide adequate disclosures surrounding the collection and/or use of data for Personalized Advertising on connected televisions and streaming devices. On January 1st, 2020, NAI staff will begin stricter enforcement of these requirements in earnest, and NAI members who do not provide adequate disclosures or instructions for choice mechanisms, based on NAI staff’s judgement, will be subject to the NAI’s full enforcement procedures.

All NAI members who collect or use data on connected televisions or streaming devices for Personalized Advertising and Ad Delivery and Reporting should review their current disclosures and instructions for consumer choice mechanisms to ensure they meet the requirements of the Guidance and the 2020 Code of Conduct ahead of January 1, 2020. Members can reach out to NAI staff with any questions about how to best comply with NAI requirements on these devices.

If you have any questions about the Guidance, or the Code generally, please reach out to NAI Compliance staff (compliance@networkadvertising.org).

Submitted by William Lee on October 23, 2019

The Network Advertising Initiative’s 2020 Code of Conduct expands the scope of activities it covers to include all uses of previously collected user-level data for Tailored Advertising across websites and applications, as well as on covered devices. One result of the 2020 NAI Code’s expanded scope is that offline data onboarded for use in tailoring digital advertising through a matchpoint derived from PII is now covered as a subset of Tailored Advertising. The 2020 NAI Code defines this practice as Audience-Matched Advertising (AMA).1

Because AMA is a form of Tailored Advertising under the 2020 NAI Code, members engaged in AMA must comply with new obligations when the 2020 NAI Code goes into effect, including new consumer choice obligations. Specifically:

“An Opt-Out Mechanism for a member’s use of PII or hashed PII shall apply to the member’s use of that PII or hashed PII for Tailored Advertising on all devices and shall be made available on both the member’s website and on the NAI website. If an NAI member uses types of PII or hashed PII that are not supported by the NAI Opt-Out Mechanism, and are not linked to the types of PII or hashed PII supported by the NAI Opt-Out Mechanism, the member shall provide an Opt-Out Mechanism for such PII or hashed PII directly on the member’s site.”2

The NAI has recently finalized the technical specification for a centralized Opt Out Mechanism for AMA based on email addresses (the “Centralized AMA Opt Out”) that will help members engaged in AMA to meet this new obligation.

This blog post aims to provide clarity regarding which NAI members will need to provide their own opt out for AMA, which members will need to integrate with the NAI’s Centralized AMA Opt Out, and what obligations fall to members who engage in AMA indirectly through third parties. The blog post will then outline a number of other policies related to AMA opt outs.

NAI Member Obligations According to Business Practice

1. NAI members directly onboarding offline data

a. If an NAI member engages in AMA directly using PII or hashed PII in their own systems as a match-point for onboarding, that member must provide an Opt-Out Mechanism linked to the PII or hashed PII they use for that purpose. This Opt-Out Mechanism must allow users to provide their PII to the member company, so that the PII can be opted out from AMA on a going-forward basis.

i. If an NAI member uses email addresses as the match point for AMA, in either plaintext or hashed format, the member must integrate with the NAI’s Centralized AMA Opt Out. The NAI member must also provide a link to the NAI’s Centralized AMA Opt Out in its privacy policy with an explanation of where the link will take a user.

ii. If an NAI member uses forms of PII or hashed PII other than an email address as a matchpoint, and those forms of PII or hashed PII are not also linked to an email address, that member must separately provide an Opt-Out Mechanism for such data-points on the member’s own website. For example, if an NAI member uses mobile phone numbers or hashed mobile phone numbers as match-points, the member must provide a way for users to enter their mobile phone number to be opted out of AMA on a going-forward basis.

2. NAI members that encounter PII, in hashed or plaintext format, in their systems but pass it on to a third-party for onboarding

a. If an NAI member encounters PII, in hashed or plaintext format, in its systems but forwards that data to a third-party for onboarding for AMA purposes, the NAI member will need to develop its own Opt-Out Mechanism for AMA, consistent with the requirements of point 1.a.

i. If an NAI member encounters email addresses, in either plaintext or hashed format, the member must integrate with the NAI’s Centralized AMA Opt Out. The NAI member must also provide a link to the NAI’s Centralized AMA Opt Out in its privacy policy with an explanation of where the link will take a user, consistent with the requirements of point 1.a.i.

ii. If an NAI member encounters forms of PII or hashed PII in its systems, other than an email address as a matchpoint, and those forms of PII or hashed PII are not also linked to an email address, that member must separately provide an Opt-Out Mechanism for such data-points on the member’s own website, consistent with the requirements of point 1.a.ii.

3. NAI members that utilize third parties for onboarding offline data

a. If an NAI member at no point encounters hashed or plaintext PII in its systems but engages a third party to onboard offline data on its behalf, for AMA purposes, the NAI member must contractually require the third party to offer an Opt-Out Mechanism linked to hashed or plaintext PII, consistent with the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies. Additionally, the NAI member should provide a link in its privacy policy to the third party’s AMA Opt-Out Mechanism.

4. NAI members that license onboarded AMA data from third-party data providers

a. If an NAI member licenses data from a third-party data provider that includes a consumer’s onboarded AMA data, the NAI member must contractually require the third-party data provider to offer an Opt-Out Mechanism linked to hashed or plaintext PII, consistent with the NAI member’s obligations under the “Responsible Sources” requirement of the Code3 and the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies.

5. NAI members that operate a service platform that makes onboarded data from third-party data providers available to the member’s clients

a. If an NAI member operates a service platform that makes onboarded data from third-party data providers available to the member’s clients for AMA purposes, the NAI member must contractually require the third-party data provider to offer an Opt-Out Mechanism linked to hashed or plaintext PII consistent with the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies.

6. NAI members that provide functionality that allows their clients to match the member’s online identifiers with PII or hashed PII in those clients’ possession for AMA

a. If an NAI member provides functionality that allows its clients to match its online identifiers with PII or hashed PII in its clients’ possession for AMA, the NAI member must contractually require the partner to represent that the user has permitted Audience-Matched Advertising by providing Opt-In Consent directly to that client.

Other Audience-Matched Advertising Opt Out Related Policies

Service Provider Exemption

According to the Commentary to the 2020 NAI Code of Conduct, “an NAI member acting purely as a service provider to an advertiser client, who does not retain any individual rights to the data processed on behalf of the client, may continue to engage in Audience-Matched Advertising on behalf of that client, even in the presence of an opt out linked to a user’s PII, if the client contractually represents that the user has permitted Audience-Matched Advertising by providing Opt-In Consent directly to that client.”

This exemption reflects the NAI’s belief that when a user has provided an advertiser with Opt-In Consent for that advertiser’s use of their PII for AMA, that consent extends to the advertiser’s agents, including NAI members acting purely as service providers to the advertiser. A user seeking to revoke consent for an advertiser’s use of their PII for AMA in that scenario should direct their request to the advertiser, not the advertiser’s service provider.

If an NAI member retains any rights to the onboarded data, or the PII or hashed PII used as a matchpoint and provided by the client and used to onboard the data, the member may not claim the service-provider exemption. For example, if an NAI member onboards data on behalf of a client, and subsequently uses the match to bolster or authenticate its own Cross-Device Linking mechanism, that member is not acting as only a service provider on behalf of the client.

Conversely, NAI members who do not directly engage in AMA, but permit advertiser clients to onboard their own data by attaching PII, such as an internal customer number, to online identifiers provided by the member company, are involved in AMA purely as a service provider if the member company does not receive any information regarding the link between an online identifier and PII, or is not permitted to use such information for the member’s own purposes. In such cases, the member must ensure that the advertiser client has obtained the user’s Opt-In Consent directly, for such uses of the data by the client.

If you believe that your company may qualify for this exemption please reach out to the NAI compliance team (compliance@networkadvertising.org) to confirm.

Use of Data Received to Effectuate an Audience-Matched Advertising Opt Out

Regardless of whether NAI members receive hashed or plaintext PII from an AMA Opt-Out Mechanism, NAI members may only use that hashed or plaintext PII to maintain a user’s opt-out preference.

Opt-Out Duration

The duration of an opt out from AMA is indefinite. However, members may ask users to opt back in twelve months after the opt out was expressed. As noted above, NAI members may not use PII or hashed PII for any purpose except to maintain a user’s opt-out preference, and so may not contact the user via email in asking them to reconsider their choice, but they may present a message to the user during regular app or web use, for example if the user is encountered at a typical match event at least twelve months after having opted out.

In cases where local regulations or legislation require NAI members to delete data (even if that data is being retained exclusively for maintaining a consumer’s AMA opt-out preference) after a given time, NAI members must comply with such regulation or legislation.

Timescale for Processing AMA Opt Outs

NAI members should effectuate AMA Opt Outs in their systems within 10 days of receipt of an AMA opt-out request.


1 “Audience-Matched Advertising is the practice of using data linked, or previously linked, to Personally-Identified Information (PII) for the purpose of tailoring advertising on one or more unaffiliated web domains or applications, or on devices, based on preferences or interests known or inferred from such data.” - 2020 NAI Code of Conduct, Section I.B.

2 2020 NAI Code of Conduct, § II.C.3.

3 2020 NAI Code of Conduct § III.F.2.