Back to top

Blog

Submitted by Rod Ghaemmaghami on March 5, 2020

In the last six months, the NAI has released new Health Targeting Guidance and new Guidance on Opt-in Consent. These activities reflect the flexibility of the NAI’s self-regulatory program to adapt quickly to meet the evolution of technology and business practices, as well as consumer expectations, and to reflect the goals of policymakers and other stakeholders. 

Today, the NAI released an updated version of our “Guidance for NAI Members: Determining Whether Location is Imprecise” (Imprecise Guidance). The new document can be found here

Originally published in 2015, the Imprecise Guidance achieves multiple purposes for members: (1) Provides meaningful parameters on how member companies could render Precise Location Information (PLI) imprecise; (2) Establishes a multi-factor analysis to determine whether data would be considered by the NAI to be precise or imprecise, if it did not fall within the listed categories of imprecise data; and (3) Explains the requirements regarding when a member company would have to obtain Opt-In Consent. 

The original document was drafted at a time when Opt-In Consent through platform settings was not yet universally available. As such, the NAI emphasized methods through which member companies could leverage location-based data while preserving consumer privacy through data minimization. As the mobile ecosystem evolved and platform controls for location data gained widespread acceptance, the NAI was able to shift our policy to require Opt-In Consent (or reasonable assurances for NAI members who do not interact directly with users) for all digital advertising uses of PLI, including Tailored Advertising and Ad Delivery and Reporting. 

The 2020 update to the NAI Code of Conduct (Code) and the publishing of the “Guidance for NAI Member: Opt-In Consent” required an update of the existing Imprecise Guidance to mirror the changes made in those documents. 

The updated Imprecise Guidance should still be referenced for the following purposes: 

  • Guidance on methods that may be used to render PLI imprecise based on categories enumerated in the document (such as using latitude and longitude coordinates with two or fewer decimal places, using a circular shape with a radius of 500 meters, and upleveling using descriptors of general places). 

  • Guidance on how to apply a multi-factor analysis to determine whether data could be considered precise if it does not fall within the previously mentioned enumerated categories. 

New content has been added to the document. The updated Imprecise Guidance now does the following: 

  • It emphasizes the concept that a “use” is broader than previously defined. If a member collects or receives PLI, and that data is to be used for Tailored Advertising or Ad Delivery and Reporting (ADR) by them or by a downstream partner, that member is required to obtain Opt-In Consent (even if the member renders it imprecise before sharing it). The act of collecting, receiving, or having the precise data is now considered a “use.”

  • It reiterates that Opt-In Consent is required for use of PLI for ADR.

  • It clarifies that Opt-In Consent is not needed by downstream partners if the data they are receiving is imprecise. 

The document has also been reorganized to clarify the NAI’s requirements and recommendations. NAI members should expect to comply with the Opt-In Consent guidance by July 1st, when enforcement of that part of the Code will begin. 

Importantly, the NAI continues to urge member companies to engage in data minimization practices to further protect consumers’ data. To that end, data which has been rendered imprecise poses fewer security risks, and good data stewardship by NAI members helps foster trust among consumers, regulators, and legislators who can rest assured that NAI member companies will only store and use raw PLI so long as necessary for their business purposes.

Submitted by Anthony Matyjas... on January 29, 2020

The NAI is opening what promises to be a busy year with new guidance on health-related ad targeting. The NAI has long imposed and enforced restrictions on the use of Sensitive Data for Tailored Advertising with the understanding that while targeted ads help to fund a robust and diverse Internet and provide users with relevant ads, a user’s engagement with certain limited types of content may not always be appropriate for Tailored Advertising. For example, research about potential cancer treatments while at home on a personal device may not be appropriate for Tailored Advertising. Additionally, the placement of web browsers or devices into audience segments labeled with sensitive conditions to be used for ad targeting could also negatively affect a user’s privacy, especially if such segments were to be misused or accessed without authorization. This practice is prohibited by the NAI Code of Conduct without a consumer’s Opt- In Consent.

Of course, many users are genuinely interested in products and treatments for their health or medical conditions and may also be interested in receiving Tailored Advertising for such products or treatments. Accordingly, the NAI provides those users with an opportunity to opt in to such advertising, described in a clear and conspicuous notice, through an affirmative action that manifests this intent.

The NAI’s opt-in requirements regarding the use of medical or pharmaceutical records are clear, as are restrictions against inferences that a user may have a sensitive health condition based on browsing or mobile app activity. In fact, these restrictions have created a strong incentive for ad-tech companies to avoid targeting users based on Sensitive Data. However, there is a long history, and a legitimate need for continued marketing of medical treatments or medications to consumers who may benefit from and wish to see these ads. The NAI’s new guidance establishes a clear framework to enable efficient marketing, while still prohibiting the selection of ads based on inferred interest in a sensitive health or medical condition, such as a specific inference based on a user’s prior engagement with a given website or mobile application.

Many advertisements may be targeted only based on general demographic factors such as age or gender. For example, a pharmaceutical company may advertise a treatment for a condition primarily affecting women, such as breast cancer, which would be considered as sensitive under the Code. In this case, the inference made in targeting such an advertisement would not be that the audience has the condition in question, or has expressed any interest in it, but rather, simply that the target audience is composed of women. Ad targeting based on demographic factors such as age or gender is an effective way to allow users to receive ads that are relevant to them while at the same time preserving users’ privacy.

However, the NAI is mindful of the fact that in some cases, if various demographic factors are combined and overlaid with additional information, such as an individual’s web browsing, app use, shopping history, or Precise Location Information, it can become much more specific and precise. The NAI’s new guidance is intended to close any potential loopholes that would allow member companies to make an inference that a user actually has, or is likely to have, a certain health or medical condition or treatment, under the guise of demographic targeting.

This guidance document also provides additional clarity as to what types of modeled audiences are considered non-sensitive by the NAI, regardless of the conditions they address, based on the size of the target audience, the type of targeting criteria involved, and the nomenclature used in segmenting audiences into such groups.

Effectively, this guidance document clarifies that the NAI staff will consider a health-related audience segment to be non-sensitive under the NAI Code, even if it is intended to target a potentially sensitive health condition, if the segment includes at least ten percent of the total population, is based only on demographic data, and is labelled with its actual demographic composition.

Importantly, even for the use of non-sensitive audience segments detailed in this guidance, NAI members must comply with the transparency requirements in the NAI Code and provide full public disclosure of all “standard” or “off-the-shelf” audience segments used for health-related Tailored Advertising and a representative sample of “custom” audience segments used for the same purposes.

The NAI will remain vigilant and proactive in this space, and will continue to lead digital advertising companies in its efforts to enhance consumer trust and privacy with regard to Sensitive Data while ensuring the Internet remains free and vibrant for all users.

Submitted by Anthony Matyjas... on December 19, 2019

After an eventful 2019, The NAI is preparing for a momentous twentieth anniversary year in 2020. The thoroughly revised 2020 NAI Code of Conduct will go into effect in ten days, on January 1st, 2020, placing a number of new requirements in the areas of Tailored Advertising and Ad Delivery and Reporting on NAI members. This new Code incorporates the Viewed Advertising Guidance, modernizes terminology, extends consumer opt-in requirements for the use of certain types of data (including Sensor Information and Precise Location Information) to Ad Delivery and Reporting, introduces political transparency requirements, and expands coverage to information collected offline if it is used to target digital advertising across websites, apps, or on digital television screens.

NAI staff have been working with member companies throughout the year to educate them about these new requirements, and we have been helping member companies prepare for the changes they will need to make in order to remain in compliance with the Code in 2020. This includes a number of educational webinars and one-on-one calls with each member company during the 2019 NAI compliance review.

As the deadline to the enforcement date of these new requirements approaches, and after speaking with all member companies, the NAI is allowing for additional time for members to come into compliance with two new obligations under the new Code, due the industry-wide changes which will be necessary for material compliance with those two requirements.

First, the 2020 Code requires member companies engaged in Audience-Matched Advertising to provide a PII-based opt out from these activities for users on the NAI industry page. The technical development of, and integration with, this new tool have been delayed due to the amount of resources that member companies are devoting to compliance with the California Consumer Privacy Act (CCPA) by January 1, 2020. The NAI and its members will work during the first half of 2020 to ensure that all members engaged in Audience-Matched Advertising are fully integrated with the NAI’s PII-based opt-out tool by July 1, 2020, and enforcement actions for non-compliance are set to begin after that date.

Second, the 2020 Code raises the bar on what steps are necessary for NAI members to rely on reasonable assurances from partners that consumers have expressed informed Opt-In Consent to Tailored Advertising and Ad Delivery and Reporting uses of sensitive data such as Precise Location Information. One of these requirements is for users to be presented with just-in-time notice while providing consent for digital advertising uses of their location data. Because platform controls provided by device manufacturers do not always allow for the provision of such notice, NAI members must take technical and contractual steps to ensure that this notice can be presented to users by the mobile applications that collect location data. NAI staff and members will work to operationalize these changes in the mobile digital advertising ecosystem during the first half of the year, with the goal of beginning enforcement also on July 1, 2020.

All other requirements in the 2020 NAI Code will be enforced beginning on January 1, 2020 thanks to the hard work by NAI member companies to prepare for these new obligations during the past year, even as they were also preparing for new requirements under CCPA.

Submitted by Matt Nichols on October 29, 2019

The NAI’s “Guidance for NAI Members: Viewed Content Advertising” (Guidance) announced in 2018 that the collection of Viewed Content Data (VCD) for Viewed Content Advertising (VCA) would become a covered activity under the NAI Code, enforced on January 1, 2019. The addressable or advanced television space is still a nascent and developing technology, with a transition from traditional televisions and cable boxes to Smart TVs and TV-streaming devices. As large media companies continue to launch their own streaming platforms this year, it appears that the use of Smart TV-devices, that serve as a way to stream these platforms, will continue to grow. 

As of January 1, 2019, NAI member companies collecting VCD for Personalized Advertising or Ad Delivery and Reporting purposes should have taken steps to comply with this Guidance. A major component of the NAI’s self-regulatory framework is user choice. Just as the NAI Code requires member companies to ensure that an easy-to-use choice mechanism is available for users to opt out of Personalized Advertising on their web browsers and mobile devices, the purpose of the Guidance is to ensure that a commensurate level of control is available on a television engaged in Personalized Advertising. 

However, as was the case in the early days of advertising on mobile applications, the ability to provide a consistent choice mechanism in the television space is still maturing. Some technology platforms do not provide a built-in consumer choice mechanism, while others are not completely clear as to what constitutes an opt out or how such signals are shared with applications. This is an aspect of the connected-television space that will likely continue to evolve in the coming years, just as the mobile application ecosystems did before settling on the Mobile Ad Identifiers (Apple’s IDFA and Android’s GAAID) and consumer choice settings that many users are familiar with today.

In addition to those NAI member companies that collect data from connected televisions and streaming devices, some NAI members may engage in, or facilitate, the targeting of digital advertising on these devices based on data collected in more traditional web-based or mobile app-based settings, through Cross-Device Linking. Consistent with the NAI Code’s requirements for Cross-Device Linking, those NAI members must provide relevant disclosures on their own websites and a means for users to opt-out of receiving Personalized Advertising on their connected televisions or streaming devices.

Based on its 2019 compliance reviews of member companies to date, NAI compliance staff has noted a lack of consistency in how members disclose the collection and/or use of data on connected televisions and streaming devices, and how these members notify users of the choices that are available to them with respect to Personalized Advertising on these devices. Accordingly, throughout its 2019 compliance reviews, the NAI has been working with its members to help them provide adequate disclosures and clear instructions to consumer choice mechanisms for Personalized Advertising on connected televisions and connected devices. Additionally, the NAI has recently provided an instructional page for users, informing them how to locate and activate the privacy preferences on many of the most popular devices in the television space. The NAI provided a similar service in the mobile application space, but it is likely to be even more beneficial for televisions and connected devices, where a much broader variety of platforms, each with their own settings and preferences, currently occupy the market. The NAI urges all of its members to direct users to these instructions, when relevant, or to provide similar instructions to users in their own consumer choice pages and privacy disclosures.

In order to ensure a level playing field and avoid an advantage to the NAI members who underwent the 2019 compliance process earlier in the year, the NAI will work with all willing member companies until December 31, 2019 to help them provide adequate disclosures surrounding the collection and/or use of data for Personalized Advertising on connected televisions and streaming devices. On January 1st, 2020, NAI staff will begin stricter enforcement of these requirements in earnest, and NAI members who do not provide adequate disclosures or instructions for choice mechanisms, based on NAI staff’s judgement, will be subject to the NAI’s full enforcement procedures.

All NAI members who collect or use data on connected televisions or streaming devices for Personalized Advertising and Ad Delivery and Reporting  should review their current disclosures, and instructions for consumer choice mechanisms to ensure they meet the requirements of the Guidance and the 2020 Code of Conduct ahead of January 1, 2020. Members can reach out to NAI staff with any questions about how to best comply with NAI requirements on these devices.

If you have any questions about the Guidance, or the Code generally, please reach out to NAI Compliance staff (compliance@networkadvertising.org).