Last week, Robert Gellman published his assessment of the NAI’s 2011 Annual Compliance Report. As always, the NAI welcomes an open dialogue with our members, consumers, and the advocacy community. We believe in the role of all these constituencies in self-regulation and value ideas about how to improve our program. We also take pride in the fact that these exchanges help us continuously evolve our compliance program.
With this in mind, we also believe that the healthiest, most productive discourses put forth both opinion and fact. In the case of Mr. Gellman’s piece, his tone and assumptions are clear and he is very much entitled to his opinion. However, there are factual inaccuracies. In the spirit of maintaining a productive dialog, we have addressed the inaccuracies below.
Audits vs. Compliance Review
Throughout his piece, Mr. Gellman repeatedly refers to the NAI annual compliance review as a professed "audit," and then criticizes the NAI for not living up to formal auditing standards. The NAI, however, has never claimed to conduct annual "audits" or to have auditors on its staff. As detailed in our 2011 report (and in prior years' reports), NAI compliance staff (which is currently composed of four attorneys with 20 combined years of experience in privacy, technology, and corporate law) conducts the annual compliance reviews. We believe that our process is actually superior in many ways to “independent” audits conducted by auditing firms; indeed, many member companies have told us that they gain more understanding of online privacy and ideas for protecting users' privacy from our annual reviews than they do from full-fledged audits conducted by outside auditors who have little experience with online behavioral advertising or the technology behind it. Another benefit to having NAI staff conduct the annual reviews is that it helps to establish a virtuous cycle: each year, compliance staff identifies new technologies, best practices, and evolving business models, and then uses that knowledge to inform its review and suggest best practices to other member companies.
When Members Are Reviewed
Mr. Gellman states that members are not reviewed prior to joining the NAI, and that they may go 23 months without undergoing a review. Neither statement is true.
First, members are reviewed prior to joining the NAI, which our 2011 Compliance Report makes clear: "NAI staff vets companies' business practices and policies before they are admitted to be members of the NAI, but this process is separate from the annual compliance review process." While this pre-certification review is separate from the compliance review, it is a thorough and thoughtful process that requires a tremendous investment of time, effort, and resources by the NAI and applicants. Unlike almost any other industry association, companies can't just join NAI. They must first align their practices with our Code. You can read more about the process in our recent blog post.
Following this pre-certification review and admission to the NAI, companies undergo their first compliance review one year after they are admitted to the NAI. As we explained in our report, our 2011 review covered the 60 companies who were members as of January 2010. Thus, contrary to Mr. Gellman's assertions, a company that joined the NAI on January 2, 2010 would have been reviewed in the 2011 review. Mr. Gellman also accuses the NAI of not identifying whether any companies had resigned from the NAI. But Appendix A of the report (which Mr. Gellman cites) has a footnote indicating that Quantcast had withdrawn its membership in the NAI. The 2010 report contained a similar statement about former NAI member Safecount. Those two companies are the only two to have ever withdrawn from the NAI. In each case, we disclosed the withdrawal on our website, required the companies to disclose their withdrawal on their websites, and disclosed the withdrawal in the annual report issued following their withdrawal.
Mr. Gellman’s attack on the NAI is based on the faulty assumption that the opt-out rate is the measure of a self-regulatory program's success. It is not. The goal of the NAI’s educational campaign is to provide users with the means by which they can learn about online behavioral advertising and the choices available to them. The NAI and its members have expended substantial time and resources on developing educational materials, and last year alone, NAI members donated more than 4 billion ad impressions to help users discover these materials. Those efforts helped lead nearly 8.5 million unique users to the NAI’s website in 2011, nearly three times the number of unique users who visited the site the prior year. We believe these numbers, not the total number of opt-outs, are the measure of our members’ success. In any event, Mr. Gellman’s analysis mischaracterizes industry click-through rates. Unfortunately, .05% conversion rates are not uncommon.
Mr. Gellman questions why our 2011 report states that non-PII was not shared “with the intent of” it being merged. The reason is simple: this section of the report speaks to our members’ compliance with section III.5(b) of the current NAI Code, which provides that members must contractually require third parties to adhere to applicable provisions of the Code where the non-PII they are transferring is "to be merged with PII possessed by the third party." The report accordingly noted that no companies were found to be transferring non-PII with the intent of it being merged with PII. The report then goes on to describe members’ efforts to go beyond the requirements of the Code to prevent non-PII from being merged with PII held by third parties more generally. It is in the context of reporting members’ efforts to go beyond Code requirements that the report notes that companies "generally" have contractual provisions in place to prevent the merger of non-PII with PII.
In its 2011 Report, the NAI stated that it would begin requiring members to report on a regular basis the domains they use for OBA purposes. Mr. Gellman attacks this recommendation, arguing that such a document “seems to be a basic document for an audit” and questioning how the NAI ever conducted reviews without such a list. In so arguing, Mr. Gellman seems to believe that “domains” equates to “member companies.” The NAI has of course always known who its members are, and has always asked each reviewed member which domains it uses to collect data during each compliance review. The point of this change to our program is that members are now required to provide their list of domains on a regular basis, not merely annually. This reporting strengthens our technical monitoring program because it allows us to be 100% certain about what companies are responsible for setting particular cookies, and, if necessary, ask those companies about the behavior of those cookies. It also helps us to ensure that members’ opt-out mechanisms are always up-to-date. Finally, it forces an extra layer of diligence and communication between technical teams and management within our member companies to help ensure that all parts of the companies are aware of all of their data collection practices. We are proud of the steps we take to continually improve our program and that we are transparent about where we think we can do better.
Mr. Gellman reads the NAI Code as imposing obligations that are identical to COPPA. That is not correct. The current COPPA rule addresses only the collection of traditional PII and does not address the use of non-PII such as cookie identifiers. The NAI Code does address the use of non-PII for online advertising and children, prohibiting members from creating segments directed to children regardless of whether any PII is used. Similarly, the NAI Code makes 100% clear that members may not use even non-PII data for eligibility purposes (a topic on which the FCRA is arguably unclear), and places obligations on NAI members to ensure that they do not pass non-PII to other parties for such purposes.
We are proud of the work we do to ensure our members’ compliance with the NAI Code, including our ongoing efforts to improve the program. Indeed, we recently developed, and are in the process of enhancing, a technical monitoring tool that will help us to monitor members throughout the year. This will ensure that opt-out cookies function as intended. The development of the tool was informed by an ongoing dialog with privacy advocates and researchers. It is the perfect example of how a healthy discourse leads to a better solution for all.
We look forward to continuing to grow and improve our compliance program through an open and respectful dialog among key constituencies. Our door is open and we have seats at the table for anyone who wants to participate in the development of meaningful self-regulation. Like successful privacy programs, a successful self-regulatory program requires an ongoing process of evaluation, identifying areas for improvement, addressing evolving issues, and always striving to be better.
-Meredith Halama, Deputy General Counsel and Director of Compliance