Back to top


Submitted by Anthony Matyjas... on August 30, 2019

The Network Advertising Initiative (NAI) today released its 2018 Annual Compliance Report, a review of members’ adherence to the 2018 NAI Code of Conduct (Code). The report shows that, while NAI staff found that some member companies had various non-material violations of the Code, these members actively worked with NAI staff during the course of the year to ensure that these issues were resolved quickly. Ultimately, the NAI’s compliance reviews of new and member companies indicate that all 103 companies met their obligations under the provisions of the Code in 2018.

The report is based on findings from the 2018 compliance period in which 92 returning member companies, all leading third-party digital advertising companies, were reviewed during the year by NAI staff for compliance with the Code. The remaining member companies underwent an equally stringent review as part of their membership application process in 2018.

NAI staff found a variety of non-material violations of the Code as a result of the organization’s robust year-round monitoring program. These violations included several privacy links that did not appear to function correctly, and privacy disclosures that did not appear to provide adequate information regarding data collection and use in specific circumstances.

NAI staff, as well as attorneys and engineers from member companies, devoted hundreds of hours to reviews, monitoring, and interviews. NAI’s compliance staff worked with each member company throughout the year to monitor and ensure compliance. Such active monitoring enables the NAI and its member to preemptively spot potential problems and to resolve issues promptly, before they turn into larger complications affecting greater numbers of consumers.

The compliance process is the most important program undertaken by the NAI, as the NAI’s high standards for self-regulation would be meaningless without an insistence on accountability. The NAI’s compliance program is a time- consuming and expensive undertaking for its member companies, and it shows their commitment to consumer privacy and industry best practices.

The NAI retains the option to sanction members if Code violations are found to be material. However, the companies that join the NAI take their obligations to comply with the Code very seriously. As a result, ongoing dialogue and communication with members leads to issues being resolved quickly to the benefit of the consumer, which increases the overall health of the ecosystem.

The report also provided an update on the NAI’s achievements over the course of the year:

  • Enforce the 2018 Code of Conduct. The NAI expanded began enforcing its 2018 Code of Conduct, which synthesized the previous Code of Conduct for web-based data collection and use, and the Mobile Application Code.
  • Publish guidance for data collection and use on connected televisions. NAI staff and its Board of Directors continued work on connected TV policy and published the Guidance for NAI Members: Viewed-Content Advertising.
  • Continue development of a thoroughly revised Code of Conduct. NAI staff and its Board continued work on a thoroughly revised Code, to encompass new business models and marketing strategies, including the use of “offline” data for digital advertising, the use of device sensor data, transparency around political advertising, and dramatically expanded privacy protections for the collection and use of Precise Location Data, leading to the 2019 publication of the 2020 NAI Code of Conduct.
  • Expand the NAI’s public policy efforts to address new and proposed legislation and regulation on a state, federal, and international level. The NAI greatly expanded its public policy efforts by hiring additional staff, including a new Vice President for Public Policy. This allowed the NAI to engage with legislators, regulators, and policymakers on a far more frequent basis, and included testimony at congressional hearings, development of new educational materials, and providing multiple briefings for policymakers and thought leaders.

The NAI leverages the findings of the Annual Compliance Report to further strengthen its self- regulatory program. In 2019, the NAI is conducting advance work with its members and industry stakeholders to prepare for enforcement of the 2020 Code of Conduct. The NAI is also further developing and expanding its public policy efforts to inform legislators and thought leaders about the latest developments in digital advertising and the most pressing privacy concerns in this area.

At a time when the nature of digital advertising is being questioned and reconsidered in Europe, in several US states, and on a federal level, it is even more important for self-regulatory efforts in the US to clearly demonstrate that thoughtful and flexible self-regulatory approach can provide robust consumer privacy protection while also allowing digital advertising technology, and the Internet economy more broadly, to flourish. Perhaps most importantly, the NAI’s approach aims to preserve free and equal consumer access to a bounty of diverse content online.

To download the 2018 Annual Compliance Report, visit:

Submitted by David LeDuc on July 10, 2019

The recent updated report by the UK’s Information Commissioner’s Office (ICO) on advertising technology and real-time bidding (RTB) has gained a lot of attention, for good reason. It deserves a thorough read and careful consideration by all ad tech companies that process personal data of EEA (European Economic Area) residents.

Overall, the ICO’s measured and iterative approach is welcome, as is the open door to industry to continue the dialogue about compliance. These underscore the fact that General Data Protection Regulation (GDPR) guidance and compliance are still evolving. The report comes at a time when practices have already been evolving over the first 12 months since GDPR came into enforcement, and it should be expected to continue evolving—not just due to the ICO report—for at least the next 12 months. 

It is also refreshing to have a regulator issue a detailed and thoughtful perspective that does not represent a strict regulatory conclusion, but rather a midway assessment based on research and discussions thus far. While the tone and stated concerns are at times startling, the report and overall process reflect recognition that this is a “dynamic debate” and that the ICO “look[s] forward to continuing our engagement in this area.” Indeed, this is a call to action for industry to continue making changes to better support compliance with GDPR and UK’s Privacy and Electronic Communications Regulations (PECR), and to actively engage with the ICO and other regulators throughout that process. 

The ICO, on July 3rd, also published additional guidance on cookies, elaborating on how consent should be approached under the GDPR and PECR. This guidance largely mirrored the conclusions in the recent ICO report but also provided some additional key detail and clarifications highlighted below, including the widely mis-reported declaration that legitimate interest as a legal basis is “dead” under GDPR. 

The NAI is eager to assist member companies in continuing to develop compliance measures, and in engaging the ICO and other Data Protection Authorities, and we will look for opportunities to represent our membership in this debate as it evolves.


Transparency, Consent, Legitimate Interest and the Supply Chain

Beginning with an assessment of the lawful bases for processing personal data and the PECR, the report identifies “…a lack of clarity from a significant number of controllers regarding the appropriate lawful basis for processing, as well as the particular requirements of each basis.”

While the conclusion of the report can be summarized as arguing that industry has more work to do in order to meet many of PECR and GDPR requirements, including transparency, lawful basis (consent and legitimate interest), and accountability, we think there are important details and nuances worth noting.

On transparency, a high-level conclusion from the ICO is that, “in RTB the privacy information provided often lacks clarity and does not give individuals an appropriate picture of what happens to their data.” This is not the first criticism of industry transparency, and it identifies an area where industry has made great strides, but the complexity of RTB poses continued regulatory challenges. Collectively we need to continue working to strike a balance that achieves the “clear and comprehensive information” called for by the regulation, but that also is not overwhelming to consumers.  

The ICO also raises several concerns about processing on the basis of consent, which are also not entirely surprising in most cases.  With respect to the processing of special category data—referring to what is also known as sensitive personal data—the report finds that, “market participants must therefore modify existing consent mechanisms to collect explicit consent, or they should not process this data at all.” While the industry has collectively spent significant resources to develop mechanisms to obtain consent, such as the IAB Europe’s Transparency & Consent Framework (TCF), the TCF is not designed to collect explicit consent nor to establish one’s legal basis for processing special category data.

Additionally, with respect to the requirement for obtaining consent to comply with PECR – the report highlights the rules on the use of cookies and similar technologies in Regulation 6 of PECR, noting that they take precedence over the GDPR, where applicable, highlighting that its guidance “…states that if organisations are required to obtain consent for marketing in accordance with PECR, then in practice consent is the appropriate lawful basis under the GDPR.” One thing the report did not take into account is parties downstream in a bid request that may not be using cookie and similar technologies.The new cookie guidance could serve as an official clarification that PECR always requires consent for the setting of non-essential cookies (such as those used for the purposes of analytics, marketing and advertising). The ICO, however, acknowledges differing opinions on some points, particularly regarding the use of partial cookie walls. 

On legitimate interest, while most initial reactions characterized the report as a complete rejection of legitimate interest (it came across that way to many at first blush), the report is more nuanced. Specifically, the report asserts that legitimate interest cannot be used as a lawful basis for the “main” processing of bid requests (relying on older guidance focused on interest-based advertising). And the ICO does explicitly state that legitimate interest is not a lawful basis that may be used to comply with PECR, which is not a surprise and in-line with guidance from other regulators. However, the report leaves the door open to the notion that legitimate interest could be “applicable elsewhere in the RTB ecosystem,” provided that “organisations take on the extra responsibility for ensuring that the interests, rights and freedoms of individuals are fully considered and protected.” 

The ICO guidance on cookies clarifies that subsequent processing of cookie data may or may not require consent, depending on the “nature, scope, context and purpose(s) of the processing operations themselves,” though certain cases are “highly likely to require consent as its lawful basis.” The guidance notes that use of any other lawful basis to process data after cookie consent has been gained may confuse users, but it also recognizes that it “may be possible,” depending on careful consideration of the specific circumstances. The ICO is careful to not rule out specific circumstances in which legitimate interest or another basis might be used following initial consent for setting cookies. 

Finally, the ICO report expressed concerns regarding security in the data supply chain. Highlighting concerns about “data leakage,” the report states, “there are no guarantees or technical controls about the processing of personal data by other parties, eg retention, security etc.” Though, the TCF v2 specifically provides publishers with the ability to not only approve certain vendors but also to only surface the vendors it has approved—and vendors may only process personal data as communicated by the appropriate signal. 


Compliance Frameworks

The report reflects the ICO’s detailed assessment of the most widely adopted data protection compliance frameworks such as the IAB Europe Transparency and Consent Framework (TCF) and Google’s Authorized Buyers Program, as well as industry technical standards such as the OpenRTB protocol. The TCF remains the only industry-wide standard to address the ICO’s concerns about the ecosystem’s ability to meet the transparency, lawful basis and accountability requirements in the GDPR.  It enables publishers to provide transparency into the vendors they’ve approved to process the data of users visiting their digital properties and pass user choice about vendors and their processing purposes across the third-party ecosystem in a unified manner. Without an industry standard, there is no way for publishers and third parties to “speak the same language” about vendors, whether they’ve been disclosed to users and an individual user’s choice about those vendors. Therefore, it’s not surprising that in assessing the “various ongoing initiatives to change the way the RTB ecosystem operates,” the TCF is not only a central focus, but also specifically identified as one of the examples that “[in] due course . . . may address some or all of the issues that concern us.”  

Both the TCF and implementations of the tool are still evolving and maturing, at least partially based on direction received from the ICO and other regulators. The ability of the 3rd party ecosystem to function effectively and provide competition and choice in the market relies on its success. Therefore, the report shouldn’t change the widely-held conclusion that the digital advertising ecosystem would be well served by market participants continuing to implement and support the TCF Version 2.0. In fact, the flexibility of the TCF is a critical element, allowing different entities to offer differing implementations, but also providing opportunity for the ICO and other regulators to assess differing implementations. 


Conclusions and Next Steps

The ICO has clearly stated its intention to take an iterative approach to guidance, and that the conclusions in this report are not yet final. While the report encourages industry to rely on existing guidance for now, the ICO has left open the possibility of issuance of additional guidance if necessary.

The NAI is pleased that the ICO has committed to review its position again towards the end of the year in order to determine whether it still maintains the same concerns, and “whether further action is required.” Our industry therefore has 6 months to provide feedback into the ongoing RTB assessment process, including steps to be taken to address specific concerns, or discussions about differing perspectives about any current conclusions.  During this time, we welcome the opportunity to engage with the ICO, and we encourage ad tech companies to broadly do the same.  

Submitted by Rod Ghaemmaghami on June 21, 2019

By: Rod Ghaemmaghami and Matthew Nichols

IAB Europe held their annual Interact conference in Warsaw, Poland on June 4th-5th, 2019. The conference focused on digital advertising and marketing, with speakers and attendees from companies and organizations across the EU and U.S.

The NAI had a strong presence this year. NAI President and CEO, Leigh Freund, led a panel on the challenges of global interoperability for the Ad Tech industry. She was joined by NAI Board Chairman Doug Miller (Verizon Media), NAI Board Member Julia Shullman (AppNexus, a Xander Company), and Stevan Randjelovic (GroupM EMEA) to share key takeaways on how to approach new regulatory obligations (including GDPR and CCPA). NAI Board Member Alice Lincoln (MediaMath) participated on a panel discussing the impact of the GDPR one year after its enforcement date and on the ongoing development of the industry-led IAB Europe’s Transparency and Consent Framework (TCF).

Two main topics relevant to Ad Tech that were discussed throughout the two-day conference were: The future of Ad Tech and programmatic advertising; and the lessons learned from GDPR and strategies for complying with future regulations.


The Future of Ad Tech and Programmatic Advertising

In many of the presentations, speakers noted that building consumer trust and empowering the consumer are critical to the future of Ad Tech. One of the presentations compared the programmatic lifecycle to that of economic cycles, and explained that programmatic advertising has reached the peak of its current wave. The concerns that were previously associated with programmatic – that it would cause the end of agencies, that data-driven ads wouldn’t last, and that GDPR would ultimately disrupt and end data-driven advertising – have been disproven. Fears are now shifting to how automation may take over everything and how bigger players in the ecosystem will take all the growth. Other speakers, however, argued that the bigger players have been responsible for new growth and that these fears are unjustified.

Based on the presentations, speakers pointed to three main trends they had seen so far in 2019. First, there may be a shift away from advertising as we know it now. With the potential interest by some to move towards a universal ID, some speakers highlighted increasing  browser led restrictions on third-party cookies. Second, speakers discussed how monetization has changed with the move towards header bidding, which creates a competitive environment. Third, there has been more emphasis on brands wanting to have direct integrations with their consumers.

Speakers discussed the future of technology, more generally, and suggested that the biggest tech trends will be: digital assistants; more touch, less typing; a machine-to-machine marketing world; Native; Video; OTT; and Audio.


GDPR and Strategies for Future Regulation

After noting the trends and changes in the technology and business models of Ad Tech companies, speakers discussed the impact of regulation on the Ad Tech industry and how to prepare for new regulations in the future. One speaker framed the impact of GDPR by explaining how online ads make up 45% of advertising in European markets versus 34% of advertising in the U.S. Despite GDPR, this speaker’s research demonstrated continued growth of digital ads in Europe.

Many speakers agreed that the biggest trend in 2018 was collaboration by industry. A lot of this collaboration has been (and still is) in relation to developing the TCF. Version 2.0 of the TCF has been an incredible relationship builder within the industry, allowing the industry members to speak with each other and build consensus on important issues.  

Some additional changes to the TCF’s most recent version include changes based on regulator feedback concerning the user experience, the updating and creation of new purposes of processing, and the creation of stacks as a way of bundling and presenting purposes for ease of use by users. These changes add greater clarity around legitimate interest, give users clear control when vendors rely on legitimate interest, and allow publishers to work with vendors for specific purposes. It creates opportunity for sell-side publishers to be more transparent, and allows for more opportunity for publishers and advertisers to communicate.

The TCF is an example of a self-regulatory solution to the requirements of GDPR and CCPA. Going forward, to ensure industry alignment and build the best solutions to regulations for consumers, companies should: join industry efforts, ensure familiarity with their business model and how their technology interacts with partners, and work on internal data inventory and mapping.