NAI’s 2020 Code of Conduct Expands Self-Regulation for Ad Tech Providers

By Christy Harris, Stacey Gray, and Meredith Richards

As debates over the shape of federal privacy legislation in the United States continue, online advertising remains a key focus of scrutiny in the US Congress, with its recent hearing on digital advertising and data privacy. Amidst these debates, the Networking Advertising Initiative (NAI), the leading self-regulatory body for online advertising technology (ad tech) providers, announced a major update to its Code of Conduct on May 14, 2019. The revised 2020 Code of Conduct officially expands the scope of the NAI Code to a broader range of products and technologies in the online advertising industry and strengthens existing requirements, which is a crucial step given the recent attention to privacy in ad tech. The NAI is a non-profit, self-regulatory association responsible for creating and enforcing third-party advertising standards for data collection and uses for online and mobile advertising.

According to the NAI, the 2020 Code of Conduct is the largest overhaul of its self-regulatory requirements since the Code was originally released in 2000. The 2020 Code now includes digital advertising practices such as the use of offline data for tailored advertising, and incorporates sensor technology and real-time uses of location data. The Code update also aims to “future-proof” Tailored Advertising by covering any use of previously collected user data to target advertising across websites and apps.

Key takeaways from the 2020 Code of Conduct:

• Inclusion of “Audience-Matched Advertising” and TV Data. One of the largest updates to the NAI Code is that NAI has expanded the scope of its coverage to include “Audience-Matched Advertising” and “Viewed Content Advertising,” which, along with more traditional online and mobile advertising and cross-device linking, are collectively termed “Tailored Advertising.” Audience-Matched Advertising refers to “using data linked, or previously linked, to personally-identified information for the purpose of tailoring advertising . . .” In essence, this refers to supplementing a target audience using data or inferences that were originally tied to identified individuals (via a name or email address, for example), often from offline sources, such as loyalty programs, retailers, or public records.

Viewed Content Advertising refers to data collected from viewed video content, for example from Smart TVs. This inclusion reflects a broader debate over regulating data privacy issues involving Smart TVs, which are increasingly collecting data on consumer activity and viewing preferences for digital marketing purposes. For more, see FPF’s 2018 description of Smart TV data collection practices, Seeing the Big Picture on Smart TVs and Smart Home Tech).

• Sensitive Health Data. The NAI has long required opt-in consent for the use of data about sensitive health conditions, which includes a fact-specific determination of the seriousness or sensitivity of the condition. Under the NAI’s commentary, sensitive conditions include, for example: drug addiction; sexually transmitted diseases; mental health conditions; pregnancy termination (but not pregnancy); cancers; and — new to the 2020 Code — “all conditions predominantly affecting or associated with children that are not treated by over-the-counter medications.” It does not include less serious health conditions, such as allergies or cold and flu, or wellness interests, such as vitamins and supplements. Other updates include: (1) an exemption for sensitive interest segments for fundraising and non-profit uses (such as, reaching people likely to donate to specific health causes, as long as they are not inferred to have the condition); (2) an exemption for targeting to medical professionals; and (3) an explicit requirement of opt-in consent to target users at sensitive locations, such as abortion clinics or LGBT clubs, using precise location data.
• “Sensor Information.” The NAI has added this term and a requirement for opt-in consent to access “information from a camera, microphone, or any sensor on a user’s device that may collect biometric data.” In commentary, NAI notes that NAI members seeking opt-in consent should ensure “just-in-time notice, such as through an interstitial page, prior to the use of platform-provided consent mechanisms.” Sensor information does not include information such as barometric pressure or accelerometer data that is used to determine the status of the device, and here we note a possible future privacy concern: the collection of multiple points of non-sensitive sensor data for “behavioral biometrics,” or a means of identifying a user or device based on holistic information about how users physically interact with the device.
• Precise Location Information. The 2020 Code extends an opt-in consent requirement for real-time uses of precise location data. Previously, consent was required before precise location data could be collected or shared for tailored advertising; however. real-time uses (such as targeting an advertisement to a geo-fenced zone), were considered “contextual” and not covered by the Code. The Code now includes such real-time uses in its overarching requirement of opt-in consent for precise location data. At the same time, the requirements have been relaxed slightly to permit NAI members to rely on reasonable assurances that a partner application or website has obtained consent on behalf of the member.
• Transparency for Political Targeting. The 2020 Code now requires NAI members that use interest segments based on political categories (e.g. “Republican” or “Pro-Choice”) to disclose these political segments on their websites. While this update is timely in light of federal efforts to address accountability in political advertising, such as the 2017 Honest Ads Act, it is limited insofar as it does not address a wide variety of political advertising practices, such as proxy segments (targeting political content to “gun owners,” or “vegetarians”), custom segments (combinations of attributes), or generic segments that may nonetheless be used for express political advocacy. The NAI Code update is intended to complement the Digital Advertising Alliance’s (DAA) recently released guidelines for a “Political Ad” icon which is intended to provide users with information about political advertisers directly from the ads.
• Expanded Prohibitions on Secondary Uses of Data. NAI members have long been prohibited from using advertising data for employment, credit, health care, and insurance eligibility. Under the 2020 Code, members are also explicitly prohibited from using such data for tenancy eligibility and education admissions. The 2020 Code further clarifies that such data should not be used for any non-marketing purposes, even if not specifically enumerated.
• Age Restrictions for Tailored Advertising. The minimum age restriction for which NAI members may specifically target advertising without obtaining parental consent was raised from 13 to 16. This change is occuring in the midst of discussions in DC about creating additional privacy protections for children and teenagers. For example, Senator Markey recently introduced legislation to update the Children’s Online Privacy Protection Act (COPPA) by prohibiting internet companies from collecting personal and location information from anyone 13- to 15-years old without the user’s consent.
• Use of Personally-Identified Information (PII). NAI uses the term “personally-identified” to refer specifically to data linked to a person’s identity (usually their name, email address, or phone number), such as data appended from offline sources. The 2020 Code clarifies that members who use PII or hashed PII for Tailored Advertising must now provide a PII-based opt-out mechanism on both the member’s website and on the NAI website, that is applicable to the NAI member’s use of that PII on all browsers, applications, and devices. Members retaining PII for behavioral advertising must also provide users with reasonable access, and an option for the user to request that the member permanently delete the user’s PII information. These changes parallel similar requirements for access, deletion, and opt-out, that will go into effect with the passage of the California Consumer Privacy Act (CCPA) in 2020. Although possible amendments to the CCPA are still pending, the law is anticipated to have a broad effect on the ad tech industry.

The revised NAI Code of Conduct will come into effect in January of 2020. With advertising technologies continuing to advance, federal regulators as well as state and local legislators are paying greater attention than ever before to digital advertising practices. In these debates, self-regulatory efforts play a unique role, and organizations such as the NAI have the ability, not only to go beyond existing laws in addressing consumer privacy concerns, but also to help shape evolving legislative efforts. We are glad to see that the NAI is taking major steps in the right direction in order to continue to be on the front lines of protecting consumer privacy and promoting responsible business practices.