Header graphic for print
Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

The NAI Issues Privacy Guidelines For Interest-Based Advertising, Ad Delivery and Reporting

Posted in Data Compliance & Security, Online Advertising

The Network Advertising Initiative (NAI) has issued guidance for its members on the use of non-cookie technologies for Interest-Based Advertising (IBA) and Ad Delivery and Reporting (ADR) (Guidance). The NAI is a self-regulatory organization for third-party digital advertising companies. Consistent with the NAI Code of Conduct (NAI Code) which was designed based on the Fair Information Practice Principles, the Guidance explains how the NAI Code applies to members’ use of non-cookies technologies for IBA and ADR, sets best practices for members and offers insight into the NAI’s staff review of members using non-cookie technologies for IBA as a part of the NAI annual compliance reviews.

We all know what cookies are by now.  So what is IBA and “non-cookie” technology?

Also commonly referred to as online behavioral advertising, IBA is online advertising tailored to consumers interests by companies promoting their products or services, accomplished by collecting consumer data across multiple web domains owned or operated by different entities,  amassing consumer profiles, and then customizing ads based on the consumers’ interests and web usage patterns using cookie-based and non-cookie based technology. The NAI Code requires notice and choice with respect to IBA and imposes certain restrictions on members’ collection, use and transfer of data used for IBA. For more information about IBA, please click here. The NAI defines non-cookie technology as “mechanisms, other than cookies, used to identify your browser, which can include technologies such as browser cache, locally stored objects (LSO’s), or statistical identifiers… used for many purposes including, but not limited to, ensuring your online banking is secure, preventing online advertising fraud, or to engage in Interest-Based Advertising or Ad Delivery and Reporting”. For more information about non-cookie technology, please see the NAI FAQ’s on Non-Cookie Technologies.

What are the NAI-recommended best practices for members’ use of non-cookie technology for IBA and ADR?

The Guidance sets forth baseline best practices for:

  1. Notifying consumers of a member’s use of non-cookie technology and providing transparency:
  • Members using non-cookie technology for IBA and/or ADR must include certain information in their privacy policies regarding their use of the technology and consumer choice with regard to such use, such as (1) a general description of the technology and a disclosure of use of such technology for IBA and/or ADR, (2) a description of and easy access to a user-friendly opt-out mechanism that will allow consumers to halt online behavioral advertising for a particular browser or device as well as behavioral advertising based on the use of non-cookie technology; (3) a description of an easy access to a consumer transparency tool; and (4) any required updates to representations made in the privacy policy that browser cookie controls in isolation prevent online behavioral advertising where such representation s would otherwise be erroneous.
  • Members using non-cookie technology for IBA must require websites collecting data for IBA through the non-cookie technology to clearly and conspicuously post a notice containing a disclosure that non-cookie technology may be used by third-parties on the site. Members are further required to make a reasonable effort to ensure that such notice is posted on their partners’ websites and that related language that is currently used by their partners is updated accordingly. Addendum A to the Guidance provides several examples of partner website notices.
  • Members using non-cookies technologies for IBA that cannot be viewed or modified using native browser controls are required to implement a consumer-facing transparency tool which, at a minimum, displays: (1) on both the member’s website and the NAI’s opt-out page whether data is collected for IBA on a specific browser using non-cookie technology, and the opt-out status for such browser, and (2) on the NAI’s opt-out page only, a disclosure or an icon to inform consumers that the member is using non-cookie technology for IBA and to link back to the member’s website for information about the member’s use of such technology.

2. User control:

  • Members engaging in IBA are required to provide an opt-out mechanism available both on the member’s website and through the NAI’s opt-out page that ensures that data collected using the non-cookie technology is not used for IBA after a consumer has opted out of such use of their data. The opt-out must cover the browser on which the choice is expressed. After a consumer exercised the opt-out choice and while the consumer is opted out, a member may continue to collect data using non-cookie technology only for non-IBA purposes and any such data may not be used for IBA at any time, regardless of future opt-out status and technology used.
  • Under the Guidance, NAI members will be required to offer a centralized consumer opt out of non-cookie technologies through the NAI’s new opt-out tool once it is published to the NAI opt-out page. According to the NAI, this new tool will inform consumers when NAI members use non-cookie technologies for IBA as well as offer a redesigned opt-out experience.

3. User limitations:

  • Members making a material change to their IBA data collection and use policies and practices are required to obtain opt-in consent before applying such change to data collected prior to the change; until opt-in consent is obtained or in its absence, any data collected prior to the change will continue to be governed by the data collection and use policies in effect when the information was collected.

4. Accountability:

  • Members using non-cookie technology for IBA that do not allow the NAI to conduct reasonable technical oversight will be required to develop a process with the NAI staff whereby the NAI compliance team will be able to conduct reasonable, external oversight and monitoring (e.g., access to a member’s API).
  • A member’s opt-out inspection service must provide the NAI: (1) a methodology to determine if changes to an ad interest profile have been made post the applicable consumer’s opt-out where such changes would be updated through the use of the non-cookie technology, and (2) some other methodology that provides adequate information to permit the NAI compliance staff to assess and ensure the member’s compliance with the NAI Code and the Guidance. Members are required to attest that their business practices are compliant with each aspect of the NAI Code.

The Guidance makes it very clear that “before a member may use non-cookie technology for IBA, the member must ensure that the requirements set forth in the Guidance have been adequately satisfied.” Although the Guidance is effective as of its publication on May 18, NAI members will have a grace period to implement policies and procedures to comply with the Guidance.  Members that want to use non-cookie technologies for IBA and ADR during this time may do so but only in accordance with the requirements set forth in the Guidance.  However, since the  current NAI opt-out tool does not indicate when members use non-cookie technologies for IBA, the requirement to use the NAI’s opt-out tool will become effective after the NAI completes testing and integrating the new tool into its central industry opt-out page.