Starting Points for Sensitive Data: NAI Requirements and Best Practices for Health-Related Targeting
As detailed in previous blog posts on this topic, the Network Advertising Initiative (NAI) believes that the collection and use of “Sensitive Data” - particularly health or medical information - raise unique privacy concerns that merit special attention by our members. While targeted health or medical marketing information can offer important benefits to the recipient, we believe that the collection of Sensitive Data for Interest-Based Advertising should require a consumer’s Opt-In Consent.
Thus, the 2015 Update to the NAI Code of Conduct (Code) requires NAI member companies to obtain Opt-In Consent when collecting Sensitive Data across web domains and using it for Interest-Based Advertising (IBA) or Retargeting. The 2015 Update to the NAI Mobile Application Code (App Code) applies the same restrictions to Sensitive Data when used for Cross-App Advertising (CAA) and Retargeting, and NAI began enforcing that requirement on January 1, 2016.
It is important to note, however, that the Code and App Code specifically apply only to the use of data collected on unaffiliated web domains or mobile applications for IBA. As a result, some data sources, such as data collected offline and integrated for targeted advertising across websites or apps, are not covered by the Code or App Code. Those practices thus fall outside of our current enforcement efforts unless an NAI member has voluntarily committed to adhere to our Opt-In requirement for Sensitive Data regardless of the data source.
We recognize that some medical conditions are likely to be particularly sensitive or private in nature to many consumers. Targeting ads to specific users based on inferences about such conditions can make users uncomfortable or alert their friends, family, or coworkers about conditions the user may prefer to keep private. Additionally, some consumers may not fully understand the current scope and limits of the Sensitive Data principle in the NAI Code and App Code, based on the source of the data.
Accordingly, NAI encourages all NAI member companies to apply the NAI Code and App Code’s Sensitive Data principles to all user-level targeted advertising across unaffiliated web domains or mobile applications, even if the source of that data is not currently covered by the NAI Code and App Code. As NAI stated previously, our members have been leaders in responding to evolving privacy concerns – like concerns about how health data is used in marketing - by supporting revisions of the NAI Code and adoption of a new App Code. We expect that future updates to the NAI Code and App Code will establish a Code requirement to help ensure that only users who express Opt-In Consent receive targeted ads regarding sensitive medical and health condition, regardless of the data source. In the meantime, a vast majority of our member companies already embrace this best practice, and we applaud their efforts.