The NAI (Network Advertising Initiative) | |
Website: | http://www.thenai.org |
The NAI (Network Advertising Initiative) is an industry trade group founded in 2000 that develops self-regulatory standards for online advertising.[1] Advertising networks created the organization in response to concerns from the Federal Trade Commission and consumer groups that online advertising — particularly targeted or behavioral advertising — harmed user privacy. The NAI seeks to provide self-regulatory guidelines for participating networks and opt-out technologies for consumers in order to maintain the value of online advertising while protecting consumer privacy. Membership in the NAI has fluctuated greatly over time, and both the organization and its self-regulatory system have been criticized for being ineffective in promoting privacy.
The NAI was formally announced at the Public Workshop on Online Profiling[2] held by the FTC and the Department of Commerce on November 8, 1999.[3] Its membership then consisted of 24/7 Media, AdForce, AdKnowledge, Adsmart, DoubleClick, Engage, Flycast, MatchLogic, NetGravity (a division of DoubleClick) and Real Media.
In July 2000, the NAI published a set of principles, negotiated with the FTC and endorsed by the FTC, in their report to Congress on online profiling.[4] In May 2001, the NAI released an accompanying website[5] allowing users to more quickly download opt-out cookies for all participating ad networks.[6]
In 2002, the NAI released guidelines for the use of web beacons — small images or pieces of code used to track visiting and traffic patterns, and to install cookies on visitors' machines.[7] These guidelines use a similar model of notice and choice as the NAI Principles; opt-in consent is only required when sensitive information is associated with personally identifiable information and transferred to a third party.[8]
In 2003, the NAI formed the Email Service Provider Coalition (since renamed the Email Sender and Provider Coalition).[9] The ESPC engages in lobbying, press relations and technical standards development to support "email deliverability" — ensuring that mass email delivery continues despite anti-spam legislation and technologies.[10] Today the two organizations exist entirely independent from each other.
In response to a 2007 FTC staff report (Self-Regulatory Principles for Online Behavioral Advertising[11]), the NAI published an updated set of principles in December 2008[12] after providing a draft in April for public comments.[13] [14] The new principles incorporated new restrictions on the collection and use of sensitive data and data related to children.
In 2009, the NAI launched a consumer education page, which provided a centralized location for a variety of informational articles, videos, and other creative content designed to educate users about online behavioral advertising.
In 2010, the NAI joined the Digital Advertising Alliance, a non-profit organization of leading companies and trade associations including the Association of National Advertisers (ANA), the American Association of Advertising Agencies (4As), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB), the American Advertising Federation (AAF) and the NAI. These associations and their members are dedicated to developing effective self-regulatory solutions to consumer choice for web viewing data.
In 2012, the NAI issued its third compliance report, which demonstrated that overall, the NAI member companies continue to meet the obligations of the NAI code.
Ad network membership in the NAI fluctuated between 12 members in 2000, two members in 2002-2003 and five members in 2007, prompting criticism that it did not consistently represent or regulate the industry.[15] As of July 2017, the NAI lists over 100 members, including Google, Microsoft and Yahoo!.[16]
In 2013, the NAI released its fourth annual compliance report.[17] The report described the NAI's planned initiatives for 2013, which included the development of a revised NAI Code of Conduct[18] governing the collection and use of data on mobile devices. Additionally, in 2013, the NAI released its first Mobile Application Code,[19] which expanded the organization’s self-regulatory program to cover data collected across mobile applications.
In 2014, NAI released its 5th Annual Compliance report, showing that NAI members overwhelmingly met their obligations under the provisions of the code and continued to uphold the NAI's rigorous standards for providing notice and choice around interest-based advertising (IBA).[20] The NAI compliance team reviewed 88 member companies. The NAI also created a prestigious one-year compliance and technology fellowship for highly qualified graduates with an interest in the intersection of technology, advertising and policy.[21]
In May 2015, the NAI released an update to the Code of Conduct and its Guidance for NAI Members: "Use of Non-Cookie Technologies for Interest-Based Advertising Consistent with the NAI principles and Code of Conduct (Beyond Cookies Guidance)".[22] In July 2015, the NAI released its Guidance for NAI Members: "Determining Whether Location is Imprecise (Imprecise Location Guidance)",[23] which provided clarity on the types of location data that may require opt-in consent. In August 2015, NAI released an update to the Mobile Application Code in order to incorporate many of the changes in the 2015 Update to the NAI Code of Conduct and apply them to the mobile advertising ecosystem.[24]
As of January 1, 2016, NAI members engaged in cross-app advertising (CAA) are required to come into compliance with the Mobile App Code. Also in April 2016, NAI welcomed its 100th member, evidence of the continued appeal of the NAI's compliance program. In September 2016, the NAI became one of the founding members of the Coalition for Better Ads, an industry coalition developing new global standards for online advertising.[25]
In 2017, the 2018 NAI Code of Conduct was released.[26] Also released in 2017 were updates to the non-cookie technology guidance, titled Guidance for NAI Members: Use of Non-Cookie Technologies for Interest-Based Advertising,[27] and a cross-device linking guidance in May 2017.[28]
In 2019, the most recent version of the NAI Code of Conduct was released.[29]
In 2022, the NAI released Precise Location Information Solution Provider Voluntary Enhanced Standards.[30]
In 2023, the NAI announced that they temporarily paused enforcement of the 2020 NAI Code of Conduct in order to draft new governing guidelines that more accurately reflect state legal requirements.
The NAI's Self-Regulatory Code of Conduct[31] imposes notice, choice, transparency, education, and data security requirements on members, along with other obligations with respect to the collection and use of data for interest-based advertising (IBA). The Code also limits the types of data that member companies can use for advertising purposes and imposes a host of substantive restrictions on member companies' collection, use, and transfer of data used for interest-based advertising.
The NAI mandates that member companies provide users a means to opt out of interest-based advertising. The NAI opt-out tool[32] is a simple web-based utility that allows users to opt out of receiving targeted ads from one, some, or all member companies.
The NAI employs a comprehensive compliance and enforcement program[33] to verify ongoing member compliance with these obligations. The NAI's self-regulatory principles for online behavioral advertising depend on a model of notice and choice.
Notice: The NAI principles require "clear, meaningful and prominent" notice on the member’s website that describes its data collection, including what behavioral or multi-site advertising the ad network engages in, what types of data they collect for what purposes and for what length of time, data transfer, and use practices for interest-based advertising and/or ad delivery and reporting. Since ads are commonly shown on websites not controlled by the ad network, members must also require that partnering websites that display their ads also provide "prominent" notice that behavioral advertising is taking place, as well as what data is being collected, for what purposes and with whom it will be shared. Typically, these notices are presented in each website's privacy policy.[26] "Robust" notice — where the notice is presented before personal information is collected — is required when personally-identifiable information ("name, address, telephone number, email address, financial account number, government-issued identifier and any other data used to identify, contact or precisely locate a person") will be merged with other non-identifiable information (like demographics or interests).
Choice: Ad networks which satisfy the NAI principles must provide consumers a choice about whether information collected about them is tracked and used to provide targeted advertising. Whether this choice is "opt-out" or "opt-in" depends on the type and usage of data. For sensitive information (including Social Security Numbers, financial account numbers, real-time location information and precise information about medical conditions), tracking is always "opt-in". Also, when previously collected personally-identifiable information is merged with non-identifiable information (and the consumer wasn't provided "robust notice" of this practice originally), then ad networks must obtain affirmative consent. In all other cases of tracking personally-identifiable and non-identifiable information, choice is provided through an "opt-out" mechanism: the opt-out cookie.
Although HTTP cookies are commonly used by advertising networks to track consumers as they access information across different web sites, the opt-out cookie is used to signal that the consumer has chosen not to have their data collected for providing targeted ads. The NAI provides a tool to download opt-out cookies for each of their member networks: member networks who detect the opt-out cookie must not collect data on that user for targeted advertising.
Additional principles prohibit collecting information of children under age 13 or using collected data for non-marketing purposes. Ad networks are required to provide subjects of data collection "reasonable" access to the personally-identifiable information they collect, make "reasonable" efforts to use reliable data, provide "reasonable" security and use "reasonable" efforts (through the NAI) to educate consumers about targeted advertising. Retention of data is limited to "legitimate business needs".
In 2013, the NAI unveiled new educational resources for consumers covering a variety of topics and concerns related to online behavioral advertising or internet-based advertising. As part of these efforts, the NAI provides current information and tools that are easy to understand and use, and the organization’s members donate billions of ad impressions to raise awareness and point consumers to these and other resources. The NAI also provides a framework to help businesses honor consumer preferences and act responsibly. Every NAI member company is required to provide choices through both the NAI and Digital Advertising Alliance[34] websites. In addition, NAI requires members to include opt-out tools and comprehensive disclosures on their own websites. Moreover, NAI companies support the Ad Choices icon, just-in-time notice embedded in or around the advertisements consumers see online.[35]
The NAI and its set of self-regulatory principles have been widely criticized by consumer advocacy organizations.
The World Privacy Forum has argued that the NAI opt-out cookie has been ineffective because consumers don't understand how cookies work, don't realize that cookies can simultaneously track them and be used to signal that they should not be tracked, don't recognize that changing membership in the NAI requires regularly updating their opt-out cookies, and regularly encounter errors on the NAI web site while trying to opt out.[15] Before 2008, the NAI principles covered tracking only via HTTP cookies despite additional technologies for uniquely identifying and tracking browsers,[15] the updated principles explicitly cover Flash cookies and similar technologies.
Since its first review in 2007, however, the World Privacy Forum’s founder has described the NAI improvements “profound,” calling its 2013 Code of Conduct “remarkable” for a number of reasons. The founder went on to say that the “NAI represents a really important step forward for what self-regulation has been.” [36]
Concerns have also been raised about the process for developing and enforcing the NAI principles. The Electronic Privacy Information Center criticized the negotiation of the original set of principles for not substantively including privacy advocates or consumer protection organizations,[37] a concern echoed by seven senators in a letter to then FTC Chairman Pitofsky.[38]
The NAI used TRUSTe for third-party enforcement of its principles starting in 2002, but over time TRUSTe provided less and less detail in their reports on consumer complaints about the NAI and stopped reporting these complaints altogether in 2006.[15] When the NAI published updated principles in 2008, it chose to review member compliance itself, which the Center for Democracy and Technology argued would reduce consumer trust in the organization.[39] The NAI responded to this criticism on its blog.[40]
The NAI initially allowed for "associate members" to join the association; these members were not required to comply with the organization's principles. However, this concept was quickly discarded, and all members of the NAI are currently required to comply with the NAI Codes of Conduct and are evaluated regularly.[41]