NAI Combines Web, Mobile, and Cross-Device Tracking Rules for 2018


The Network Advertising Initiative (NAI) released its 2018 Code of Conduct yesterday, consolidating the rules for online and mobile behavioral advertising (interest-based advertising). NAI, a non-profit organization in Washington, DC, is the leading self-regulatory association for digital advertising, with over 100 members and a formalized internal review mechanism.

The 2018 NAI Code of Conduct combines the earlier requirements in the web-focused 2015 Code of Conduct and the 2015 Mobile Application Code into one document for both web and mobile — an overall positive change that recognizes the fact that digital advertising in web and mobile are no longer separate or distinct spheres. Instead, most advertisers today combine their digital advertising efforts across web and mobile, with increasing efforts towards measuring advertising effectiveness for a single user across devices, browsers, and platforms through cross-device tracking.

Key takeaways for understanding the 2018 Code of Conduct (read the full Code and Commentary here):

  • Updates to Key Terminology. The biggest change to the NAI Code is that NAI has updated key terminology to account for the combination of web and mobile and for a shifting legal landscape. The term “Personalized Advertising” now functions as an umbrella term for all online behavioral advertising (interest-based advertising) (OBA/IBA), including re-targeting and cross-app advertising. All of the requirements that previously applied to OBA/IBA and cross-app advertising continue to apply to Personalized Advertising.
  • Device-Identifiable Information.” NAI has also replaced the term “non-Personally Identifiable Information” (non-PII) with a new term, “Device-Identifiable Information” (DII) with all of the previous rules continuing to apply. Among other requirements, the Code requires that companies using DII for Personalized Advertising provide users with an easy-to-use mechanism for opting out of advertising-related data collection and use. For privacy advocates, the shift in terminology is a welcome step forward, acknowledging that information tied to devices, e.g. user IDs in cookies or mobile advertising identifiers (IDFA), while less directly identifiable than names and email addresses, still implicate individual privacy and merit robust privacy controls.
  • “De-Identified Data.” In parallel to the updated terminology above (“non-PII” to “DII”), the 2018 Code also contains an updated definition of de-identified data. Data considered “de-identified” falls outside of the requirements of most privacy laws and regulations, including the NAI Code, because it is usually considered to have fewer privacy implications (or none at all) if properly de-identified through rigorous technical steps. Most definitions mirror the Federal Trade Commission’s “reasonable linkability” analysis set forth in the Commission’s 2012 Privacy Report. The 2018 NAI Code has updated its definition, now considering de-identified data to include “data that is not linked or intended to be linked to an individual, browser, or device,” replacing the previous “not linked or reasonably linkable.” The change, which likely reflects practical challenges for companies that are increasingly holding segmented data-sets not related to personalized advertising, shifts the NAI’s analysis from the nature of the data to its uses. As debates over de-identification continue (see, e.g., arguments from Princeton researchers Arvind Narayanan and Edward Felten, and/or for more information, FPF’s “Shades of Gray: Seeing the Full Spectrum of Practical Data De-identification”), it will be interesting to see whether and how a use-based analysis of de-identified data affects the industry for digital advertising.
  • Imported Requirements for Cross-Device. In Section II of the 2018 NAI Code of Conduct, the requirements for transparency and notice have been helpfully re-organized, and now incorporate NAI’s 2017 guidance on cross-device tracking. Specifically, the Code includes updates for:
    • Website Notice. The 2018 Code clarifies that publishers are required to publish “An explanation of the purposes for which data is collected by, or will be transferred to, third parties, including Cross-Device Linking if applicable…” – Section II.B. This is a positive change, particularly in light of findings published last year by the Federal Trade Commission’s Office of Technology Research and Investigation (OTech) on data collected online for purposes of cross-device tracking. According to OTech, out of 100 popular websites tested, “only three sites provided specific information to users about enabling third-party cross device tracking.” NAI’s requirements may help with improving these kinds of consumer-facing disclosures.
    • User Controls. The 2018 NAI Code maintains the same substantive requirements, including that users must be able to opt out of the use of their device-identifiable information (DII) for Personalized Advertising. The Opt Out also covers Cross-Device Tracking to a limited extent (Section II.C) — Specifically:  “While a browser or device is opted out of Personalized Advertising by a member, that member shall: (a) Cease the collection of data for Personalized Advertising on the browser or device on which the user has expressed such choice, for use on that or any other browser or device associated through Cross-Device Linking… [and] (b) Cease Personalized Advertising on the browser or device on which the user has expressed such choice, with any data collected from a browser or device associated through Cross-Device Linking.” In other words, opting out of Personalized Advertising on a given browser or device only functions as an “Opt Out” for that particular browser or device — it does not carry the user’s preference across other devices/browsers, even if they are known to be linked to the same user. In part, this is likely because much of cross-device tracking is probabilistic (and thus more challenging to effectuate privacy choices, such as an Opt Out, across multiple devices). For more, check out the FTC’s 2017 Staff Report on Cross-Device Tracking.
  • Affirmative Opt In for Sensitive Data, and Precise Location Data. Finally, the 2018 Code keeps its strong requirements for its members to obtain an affirmative “Opt In” for any collection and use of Sensitive Data (defined broadly, and including, e.g. any inferences of a sensitive health condition, regardless of source) and Precise Location Data (defined in accompanying 2015 guidance on determining whether location is precise).

As the tools available in Ad Tech become more expansive, so do the corresponding privacy implications for individuals. In 2017, we have seen controversies over political advertising leading to the introduction of the Honest Ads Act, and influential academic research demonstrating how individuals might use the tools provided by Demand Side Platforms (DSPs) to surveil known targets by targeting advertisements to specific mobile identifiers and tracking when and how the ads are viewed (a process being called “ADINT”). In addition, a growing trend in Ad Tech involves the creation of detailed audience profiles from a variety of “offline” sources — such as loyalty programs and offline shopping habits — in ways that fall outside of the strictures of self-regulatory codes, but nonetheless may be unexpected or surprising to many consumers.

For these reasons, consumer education is more important than ever, and self-regulatory mechanisms such as the NAI Code of Conduct can go farther, even as they represent important baseline privacy protections. While we believe that more can be done to address consumer privacy in Ad Tech, we nonetheless applaud these efforts at building greater industry consensus and collaborating towards responsible data practices.