The Network Advertising Initiative (“NAI”), the leading self-regulatory coalition for the online advertising industry, issued a Draft Code last month detailing likely revisions to its “Code of Conduct” – the principal set of “best practices” governing Internet-Based Advertising. Ad platforms and data exchanges seeking to show compliance with best practices — particularly with respect to privacy, data governance and data usage – generally follow the NAI Code and/or seek NAI membership (which many retailers and agencies require when selecting data and ad platforms.) The NAI currently has about 100 members, including most leading online ad platforms and exchanges.
The NAI’s “Code of Conduct” (“NAI Code”) is in turn incorporated by reference into many agreements regarding cookie placement, display media delivery and other online data, ad and attribution services. But the NAI Code has not been updated since 2008 — and the ad ecosystem has undergone massive changes (and scrutiny) since then. The organization is now formalizing a significantly updated Code. Having issued a revised Draft Code in March it will formalize the new Code in the coming months. The major changes and additions to the NAI Code are discussed below:
- “Interest-Based Advertising” Would Be Added to Code: The Draft Code replaces the term “Online Behavioral Advertising” (“OBA”) with “Interest-Based Advertising.” Among other things, this would extend the Code’s reach to retargeting and remarketing — which, unlike OBA, does not generally involve targeting based on a user’s cross-site online behavior.
- Code would change definition of “PII” and Add the Term “De-identified Data”: The Draft Code re-jiggers how PII and non-PII are defined. For instance, the definition of “PII” no longer would include data used to “precisely locate” a user. (That type of geo-location data is now covered under the definition of “Sensitive Data.”) The Draft Code also adds a category called “De-identified Data” — data that is not linked and cannot “reasonably” be linked to an individual or a device, and thus does not require notice and choice to consumers.
- Guidance Regarding Non-Merger of PII and Non-PII: NAI has added guidance as to what it means to “ensure that Non-PII cannot reasonably be linked to a particular individual” (which impacts the type of user notices and contractual provisions required); namely, the Draft Code notes that such “reasonable” measures include “using only randomly generated numeric identifiers rather than names.” The Draft Code also expands what members must do when they transfer covered data: in addition to contractual restrictions on merging PII and OBA, reasonable technical measures to protect PII are required (e.g., encryption or hashing).
- Draft Code Embraces “Enhanced” In-Ad Notice, e.g., the DAA Icon: NAI members will be required to “provide, or support the provision of” notice “in and around ads” — such as that provided by the “AdChoices” icon. Noting that most NAI members already do this, the Draft Code points out that this ensures users receive notice both at the point of data collection and at the point of data usage.
- Draft Code Sets Out New Guidelines for Health Data: For the first time, the NAI has codified when Interest-Based data segments about medical conditions require a user’s “opt-in” consent. While not offering a bright-line test, the Draft Code proposes that opt-in consent occur where a condition is serious, not common, and more akin to a “precise” medical condition than, say, a condition treatable by lifestyle changes or over-the-counter medication. By way of illustration: opt-in consent would be required as to segments for cancer, mental health-related conditions and sexually transmitted diseases, but not for acne, high blood pressure, heartburn or cholesterol management.
- Sexual Orientation is “Sensitive Data”": Under the Draft Code, data segments about a user’s sexual orientation (or sexual behavior) would require a consumer’s opt-in-consent. (Thus, websites “designed for GLBT users” — including gay travel, dating or media sites — cannot even engage in retargeting without opt-in consent.)
- The Draft Code Clarifies Scope of “Opt-out”: When a consumer opts out of targeted advertising (such as through http://www.networkadvertising.org/choices, a platform or exchange may still collect and use that consumer’s data for other, non-ad related purposes such as analytics, frequency capping and verification of ad delivery. The Draft Code confirms this.
- LSOs (“Locally Stored Objects”) Would Be Formally Banned: The Draft Code “prohibit[s] member companies from using LSOs for online advertising activities” until those technologies provide greater insight and user control. (LSOs such as flash cookies have been the subject of a number of lawsuits and regulatory actions over the past 2 years.
Please contact us if you have questions about the NAI Code or about how online data can safely be used, collected or shared. A follow-up blog post will detail “Trends in Self-Regulation” for the online ad ecosystem, which provide additional analysis of some of the above guidelines and other best practices and guidelines still in formation.