On December 4, 2017, the Network Advertising Initiative (NAI), a self-regulatory body comprised of more than 100 digital advertising companies that collect and use consumer information for online behavioral advertising (OBA),¹ issued an update to its Code of Conduct (the “Code”).  The Code imposes notice, choice, accountability, data security, and use limitation requirements on NAI member companies.

The 2018 Code update is most significant for combining the NAI’s web-focused Code with its previously-separate mobile application code of conduct (the “App Code”) and incorporating the NAI’s prior guidance on cross-device tracking. These updates reflect the NAI’s recognition of the decreasing significance of the distinction between web and mobile advertising, with today’s advertisers increasingly savvy at tracking users and advertising effectiveness across devices, browsers, and platforms. The update also revises some terminology for greater clarity. The 2018 Code update went into effect on January 1, 2018.

Background and Self-Regulatory Landscape

The NAI previously revised the Code in 2008, 2013, and 2015 to account for changes in the rapidly evolving technological and business landscapes. In 2013, the NAI published the App Code, which it updated in 2015. The App Code complemented the original Code and provided specific guidance for data handling and advertising on mobile applications.

All NAI members must comply with the Code with respect to their personalized advertising activities in the U.S. The NAI is not, however, the only OBA self-regulatory body. The Digital Advertising Alliance (DAA), established in 2009, is comprised of trade associations that represent website/application publishers, internet service providers, mobile carriers, social networks, online advertisers, and data providers, as well as many digital advertising companies that are members of the NAI. The DAA also has issued guidance governing data collection and use across websites and applications, and the DAA operates the highly visible AdChoices program.

The Code generally is consistent with DAA guidance, but it applies only to NAI members and to a specific subset of its members’ activities. Portions of the DAA guidance are not, therefore, included in the NAI Code.

The NAI Code also imposes obligations on its members that complement and enhance DAA requirements. Those NAI-specific obligations include:

• an annual compliance review;
• notice regarding personalized advertising practices;
• disclosures regarding ad delivery and reporting data collection and use practices;
• disclosures regarding health related interests used for personalized advertising;
• opt-in consent for personalized advertising relating to “sensitive” health issues;
• opt-in consent requirements for the use of “sexual orientation” in personalized advertising;
• contractual notice requirements;
• data retention limitations;
• reliable sources requirements;
• data transfer limitations; and
• access requirements.

The NAI’s compliance and enforcement program consists of an annual compliance review process (including internal reviews and interviews by NAI staff members of member personnel), ongoing technical monitoring, mechanisms for accepting and investigating complaints of non-compliance, and sanction procedures. In the event of a material violation of the Code, NAI staff may impose sanctions that may include one or more of the following: being named publicly in the NAI’s annual compliance report or otherwise, suspension or revocation of membership, or referral to the Bureau of Consumer Protection of the FTC, state attorneys general, or other regulators.²

Code Updates

The 2018 updated Code revises terminology to give certain provisions greater clarity, including:

• Personalized Advertising. The update includes an overarching term for various forms of OBA, collectively referring to “Interest-Based Advertising,” “Cross-App Advertising,” and “Retargeting” as “Personalized Advertising,” though each remains a distinct practice for purposes of the Code.
• Device Identifiable Information. The term non-personally identifiable information (Non-PII) now is referred to in the Code as device-identifiable information (DII). DII is defined as “any data that is linked to a particular browser or device if that data is not used, or intended to be used, to identify a particular individual.” Although this definition continues to recognize a distinction between Personally-Identifiable Information—a term retained in the Code—and data that is not considered to be “used or intended to be used to identify a particular individual,” the shift in terminology also implicitly recognizes the privacy interest consumers may have in device identifiers and other information tied to devices. The Code requires NAI members to allow users to opt-out of the use of DII for Personalized Advertising.
• De-Identified Data. The term de-identified data has been expanded to include “data that is not linked or intended to be linked to” an individual, browser, or device, replacing the previous “not linked or reasonably linkable” to an individual, browser, or device. This shift to a use-based concept likely will relieve some administrative and technological burdens imposed by the prior definition, affording NAI participants greater flexibility.

The updated Code also incorporates the NAI’s 2017 guidance on cross-device tracking, with specific obligations including:

• Website Privacy Policy. Members must disclose cross-device linking, if applicable, in website privacy policies.
• Opt-Out. The Code’s opt-out requirements now cover cross-device tracking. Significantly, the requirements in the Code only apply to the device or browser on which the user has elected to opt-out from cross-device tracking, and do not carry over to any other devices or browsers, even if they are known to be linked to the same user.

Implications

The 2018 version of the Code reflects the increasing scope and complexity of advertising technology tools and the fading lines previously drawn between the web and mobile spheres. NAI members should find the consolidation of the App Code and the Code, along with the clarifications in the Code, helpful in understanding and streamlining their compliance efforts. Although the substantive changes in NAI members’ obligations are relatively few, NAI members should review their practices in light of the new Code to ensure compliance. Additionally, companies that are not NAI members may find the updated Code, along with applicable principles of the DAA, a useful benchmark.

¹ The Federal Trade Commission (FTC) defines OBA as the practice of tracking a consumer’s online activities over time, including the searches the consumer has conducted, web pages visited and content viewed, to deliver advertising targeted to the consumer’s interests.

² The DAA’s self-regulatory principles are enforced by the Council of Better Business Bureaus’ Online Interest-Based Advertising Accountability Program and the Direct Marketing Association.