NAI Blog

The NAI is premised on the notion that users are entitled to transparency and choice with respect to the collection and use of data for online behavioral advertising and related purposes. While we believe that more relevant ads that support free Web content and services provide myriad benefits to users, we also believe that transparency about the practices that make such benefits possible is crucial. Transparency not only helps address users’ privacy expectations by providing access to information about data collection and use practices and to easy-to-use mechanisms to express their choices, it also enhances user confidence. For this reason, transparency is at the heart of the NAI Code. Our code requires members to provide clear and detailed descriptions of their data collection and use practices on their own websites, and to ensure that users are provided notice about their data collection and use practices on the websites where they collect data.

Some NAI member companies have gone beyond NAI Code notice requirements by providing notice not only of their data collection and use practices, but also publicly disclosing all interest segments associated with users’ browsers through “interest managers” or “ad preference managers.” You can see some of these initiatives listed under “Ad Preference Managers” in the column to the right.

In our 2010 Annual Compliance Report, NAI compliance staff recommended that NAI member companies be required to publicly disclose any standard segments used for online behavioral advertising purposes that are based on health-related information. We issued this recommendation because we believe an additional layer of transparency for health-related segments would not only promote compliance with Code requirements, but also would help to normalize best practices by all participants in the online advertising marketplace. We also believed the policy would enhance users’ confidence that sensitive health-related information is not collected and used without their knowledge and consent. Finally, it would allow users to make more educated decisions about whether to opt out of the collection of data for behavioral advertising purposes by some or all NAI member companies, as the ad preference managers provided by some of our member companies have already done.

Throughout 2011, NAI staff worked with NAI member companies to implement this policy recommendation. We then began training member companies about the requirements of the new health transparency policy and best practices with respect to the collection and use of health-related information more generally. In our 2011 Annual Compliance Report, we noted that we would begin fully enforcing the health transparency policy in 2012.

It is important to remember that, in addition to our new health transparency policy, the NAI Code requires opt-in consent for the collection and use of “sensitive consumer data,” which is defined to include “precise information about past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history” (in addition to certain identifiers, account numbers, and precise geographic location). If an NAI member company were to seek to market to users on the basis of sensitive health conditions such as cancer, mental health-related conditions, or sexually transmitted diseases, the company would need to clearly explain that intent and to obtain opt-in consent for such use. Our transparency policy, on the contrary, is intended to capture those interest segments for which opt-in consent is not required under the Code, but nevertheless may factor into an individual’s decision about whether to opt out of targeting by a particular member company. Thus, for example, member companies may have interest segments associated with such general health categories as headaches, allergies, or diet and fitness that would not require opt-in consent under the NAI Code, but would require disclosure under the transparency policy.

It is also important to remember that the NAI Code prohibits members from using, or allowing the use of, online behavioral advertising segments other than for marketing purposes. Thus, members are prohibited from using, or allowing the use of, health-related interest segments – or any other interest segments – for purposes such as making decisions about eligibility for health insurance, life insurance, or employment.

In summary, our transparency policy relates to the use of interest segments that do not rise to the level of “precise” information about health conditions or treatments for marketing purposes. Under the NAI Code, non-marketing uses of interest segments are already off-limits, and the use of “precise” information about health conditions or treatments for online behavioral advertising requires opt-in consent. Following commentary provided in response to our draft 2008 Code, the NAI has not developed an exhaustive list of conditions or treatments that it considers to be “precise.” Rather, in evaluating our members’ health-related segments, NAI staff looks at the nature of the condition to which the segment relates, including, among other things, the seriousness of the condition, its prevalence, whether it is something that an average user would consider to be embarrassing, whether it is treated by over-the-counter or prescription medications, and whether it can be treated by modifications in lifestyle as opposed to medical intervention.

We believe that this “extra dose” of transparency has already gone a long way to promoting existing obligations under the Code, normalizing best practices, and ensuring consumer confidence with respect to health-related targeting by NAI member companies. We hope that this increased transparency also leads to a productive dialog between industry, advocates, and regulators concerning what should and should not be considered “sensitive” consumer data requiring opt-in consent for use in online advertising.

We applaud those member companies that have already made health transparency disclosures, and look forward to working with membership in 2012 to bring all member companies into compliance with the new policy.

–Meredith Halama, Deputy General Counsel & Director, Policy and Compliance

Today, the NAI released its 2011 Annual Compliance Report, the third annual report published under the 2008 NAI Code of Conduct. The results of our 2011 annual review are encouraging. Overall, our member companies continue to meet the obligations of the NAI Code and to adopt best practices even where not required by the Code. Here, we summarize a few key findings:

Transparency: In 2011, our member companies vastly increased the transparency of online behavioral advertising (OBA). Our members, early adopters of in-ad notice, have been instrumental in rolling out the DAA’s Advertising Options Icon, an icon that is served tens of billions of times a day. Our members also ramped up efforts to educate consumers about OBA, collectively contributing 4.1 billion ad impressions to the NAI’s education campaign. Those ad impressions lead users to the NAI’s education site, which saw 2.5 million unique visits in 2011, a five-fold increase in visitors over the prior year. Members also began in 2011 to disclose the interest segments related to health that they use for OBA in accordance with the NAI’s new health transparency policy.

Choice: As a result of our members’ efforts to increase the transparency of OBA practices, traffic to the NAI website increased dramatically, with 8.5 million unique user visits in 2011. Six million unique users visited the NAI opt out site, and 840,000 opted out of one or more NAI member company on the NAI’s opt out page. These numbers suggest that users are increasingly aware of OBA practices and the choices available to them.

Looking forward: As in past years, we used the compliance process not only to assess the state of our members’ compliance and spread best practice recommendations, but also to identify areas in which we think the NAI and its members could do better. To that end, the report recommends that the NAI increase its technical monitoring, and that members be required to regularly report the domains they are using for OBA to supplement that monitoring. We think these additions to our compliance process will help ensure that user choice is reliably and fully honored at all times.

We believe that 2012 will see even more advances for the NAI and self-regulation. We expect transparency to continue to increase at an exponential rate through the continued deployment of the Advertising Options Icon, through educational banner ads, and through other innovative tools. As noted, we intend to add further accountability to our compliance program in the form of increased technical monitoring. We will review even more companies — we reviewed 23 companies as part of our first compliance review in 2009, 34 in 2010, and 60 in 2011 — and we expect to review more than 80 in 2012. By 2013, we expect to review more than 100 companies. As a result, each year, more companies not only agree to abide by the principles encompassed in the NAI Code, but also are held to those promises through our compliance process. To keep pace with this growth in membership, we plan on bringing on additional staff dedicated to compliance. We also plan to update our website to make it easier for users to find relevant information and to opt out if they wish. We think these changes will benefit our members and consumers alike.

We are proud of the work we do in our annual compliance reviews and throughout the year to help ensure the ongoing compliance of our growing membership with the NAI Code and NAI policies. Our compliance program includes not only reactive investigations into allegations or evidence of non-compliance, but also proactive, in-depth examinations of members’ business practices and policies on an annual basis. It also helps to inform the development of NAI policies by identifying new technologies, best practices, and evolving business models. We are delighted to work with member companies who, on the whole, express commitment to and a desire to learn from the compliance review process. We are excited to continue and improve our compliance program in 2012.

If you would like to learn more about our findings and our plans for the future, we encourage you to read the 2011 Annual Compliance Report and accompanying press release.

–Meredith Halama, Assistant General Counsel for Compliance

Advertising makes possible much of the content on the Internet.  Online advertising revenue allows publishers to provide consumers with nearly unlimited information, at no cost, or at far lower costs than would otherwise be possible.  Online behavioral advertising (“OBA”) works more efficiently than other forms of online advertising, thus allowing more free content to be provided by publishers and fewer ads to be seen by consumers.  However, the complex business-to-business data collection and sharing practices between Web publishers and advertising networks raise some valid questions.  The NAI was formed to address these concerns through the creation and enforcement of the NAI Code.  The NAI was also tasked with providing consumer education about online advertising and the technology behind it.  As a means of promoting trust in their online advertising practices, NAI member companies are held to a strict code of conduct, governing their ability to collect and use data for OBA purposes as well as the transparency and choice they must provide to consumers.

The NAI expanded rapidly over the last several years, and we now have over 80 member companies.  As our membership, and consumer awareness of the NAI have grown, the NAI has undertaken several initiatives to increase accountability and transparency in the industry.  As we look to 2012, the NAI intends to continue our efforts to increase transparency and accountability, and to remain fully involved in discussions focused on responsible use of data.  This includes engaging with all stakeholders in the online advertising ecosystem, including policymakers, regulators, consumer groups, and privacy advocates.  Our goal is to ensure that our member companies are at the forefront of transparency and privacy while employing sustainable business practices.  Please keep an eye out for our upcoming release of the 2011 Compliance Report, where we will announce the results of our third annual NAI member compliance review along with some initiatives planned for the coming year.

-Anthony Matyjaszewski, NAI Associate Counsel, Compliance and Technology

Action always speaks louder than words. The same is true for digital marketers and the advertising technology business in general. It has also always been true for the NAI. We have been, and continue to be, committed to best practices in online behavioral advertising.  That commitment is illustrated by our decision to hire Marc Groman as Executive Director and General Counsel.  We are confident in Marc’s ability to lead the NAI and its continued commitment to meaningful self-regulation, consumer education and development of privacy best practices in online behavioral advertising. He is a seasoned and respected privacy professional and  attorney and will be a strong resource and advocate for the NAI’s 78 member companies.

Marc comes to the NAI from the FTC where he was their Chief Privacy Officer and has over a decade of experience to tackle cutting-edge privacy issues. He has a deep understanding of today’s complex policy debates around online advertising, privacy and self-regulation, so he was a natural fit to lead the NAI.

I want to thank our current NAI Executive Director Charles Curran. Chuck has done a phenomenal job as executive director.  Through his commitment, dedication and intelligence, the NAI has become a much stronger organization.  He led the NAI through an incredible increase in membership including fifteen of the largest online advertising networks. He was the driving force behind the development of Web resources for consumers, including the NAI Opt-out Tool, that have received millions of unique visits. In addition, he has worked with cross industry groups to help drive the enhanced notice effort.  Chuck will serve an advisory role for the NAI while Marc ramps up.

It’s a great time to be in the online ad business, especially on the ad technology side.  We will continue to improve the user experience for consumers, continually monitor best practices and with Marc Groman, we will  improve our dialog with regulators and advocates.

Rob Gratchner, Microsoft
NAI Board Chairman

Today the Digital Advertising Alliance (DAA) took a significant step for online industry self regulation by announcing new principles governing the collection and use of Web usage data. The Multi-Site Data Principles go beyond behavioral advertising, and provide a broad framework for the collection and use of Web viewing data across non-affiliated Web sites gathered by a particular computer or device. The Multi-Site Data Principles provide clear benchmarks for user choice for multi-site data, as well as establishing restrictions on any use of such data for any adverse purpose in employment, credit, health care, or insurance eligibility determinations. Like the existing OBA principles, the new Multi-Site principles also provide specific protections for sensitive data.

The NAI applauds this significant expansion of industry self regulation and accountability. The new Multi-Site Principles are responsive to recent calls by policymakers for a more comprehensive framework governing online data collection, as well as to concerns about inappropriate secondary uses of such data. Given the breadth of participation in the DAA by companies across the online ecosystem, the new Principles will help establish a substantive framework for online choice and accountability that enhance consumer confidence.

Separately, the NAI continues to advance the deployment of the Advertising Choice icon. The icon is now supported by dozens of NAI Member companies and has already provided consumers with hundreds of billions of impressions delivering enhanced notice and choice for online behavioral advertising. Together with the new Principles, the progress to date on OBA choices shows what can be accomplished on behalf of consumers through cross-industry deployment of self-regulatory solutions.

While the NAI’s work on compliance remains ongoing for 2011, we wanted to provide an update on the results of the NAI review initiated following a July blog posting by a researcher at Stanford’s Center for Internet and Society (CIS).  The posting concerned the use of a history-sniffing script by Epic Marketplace, an NAI member company.

The NAI’s review has confirmed that Epic Marketplace, through a legacy advertising system acquired from Traffic Marketplace, deployed a history-sniffing script over at least a two-year period prior to last July. On browsers that allowed it, the script used browsing history to assign interest segments for advertising targeting, and also to verify the quality of data provided by third-party data providers. The review found that where users had opted out of online behavioral advertising by the company, data gathered through the history-sniffing script was not stored or used. The company did not adequately disclose its use of the script to consumers, or to the NAI in the course of its annual compliance reviews.

Epic Marketplace’s use of a history-sniffing script, and failure to fully disclose this practice to consumers and during its compliance reviews, was inconsistent with the NAI Code and NAI policy. In response to the NAI’s review, in which the company cooperated, Epic has ceased its use of the script, deleted all data obtained using the script, and acknowledged that its conduct did not meet self-regulatory standards. However, the NAI believes that beyond these remedial steps, further measures are necessary. Accordingly, the NAI is requiring that for the next three years, Epic undergo annual audits performed by an independent third party to help ensure that the technologies it uses for advertising purposes provide users an appropriate degree of transparency and control under the NAI Code; that history sniffing is not occurring and that no history sniffing data is being collected, stored, or used by Epic’s systems; and that Epic otherwise is continuing to comply with NAI requirements. NAI staff will be provided access to the results of all such audits. If any audit reveals evidence of non-compliance with these requirements and NAI Code or policy, Epic’s NAI membership may be suspended or revoked. Epic has agreed to fully cooperate with these audits, which will be separate from any audits or reviews it has previously commissioned.

We want to emphasize the seriousness with which the NAI takes allegations of violation of its standards. Although online advertising practices have a high degree of transparency, technological monitoring – whether by self-regulatory bodies or by independent researchers – provides a vital tool for verifying compliance. While the NAI is already using technical monitoring to evaluate more than 60 companies as part of this year’s annual review, we also believe that newly developed tools (similar to those employed by CIS researchers) could be used to further strengthen our review process. In the coming months, we will be exploring new options for our technical monitoring toolbox, evaluating technologies developed by independent researchers and other providers in the self-regulatory space. We believe that enhanced technical monitoring, combined with the current annual review process that focuses on our members’ existing and emerging business practices, will help ensure that users are provided transparency and choice in a manner consistent with the NAI’s principles.

-NAI Staff

Last Thursday, the Subcommittee on Commerce, Manufacturing and Trade of the House Energy & Commerce Committee held a hearing entitled “Understanding Consumer Attitudes About Privacy.”

Among other things, the hearing focused on the successful deployment of the advertising choice icon by the cross-industry self regulatory program.  Both the Digital Advertising Alliance and NAI member Microsoft testified about how industry is providing consumers with enhanced transparency and choice for online behavioral advertising.

Witness testimony is available here.

Earlier this week a Stanford graduate student posted a blog entry announcing “preliminary findings from experimental software” about how companies participating in the Network Advertising Initiative (NAI) handle opt outs to online behavioral advertising.

Unfortunately, these preliminary findings confuse the important distinction between longstanding “Do Not Target” choices offered by online advertisers, and new browser technologies that offer users the promise of not being “tracked.”

Under the NAI self-regulatory code, companies commit to providing an opt out to the use of online data for online behavioral advertising purposes. We’ve long recognized that consumers should be provided a choice about whether data about their likely interests can be used to make their ads more relevant. But the NAI code also recognizes that companies sometimes need to continue to collect data for operational reasons that are separate from ad targeting based on a user’s online behavior. For example, online advertising companies may need to gather data to prove to advertisers that an ad has been delivered and should be paid for; to limit the number of times a user sees the same ad; or to prevent fraud. Gathering this operational data may involve the use of cookies separate from those used to enable interest-based ad targeting, or to maintain a consumer’s opt out preference.

We want to be very clear that we are firmly committed to enforcing the NAI Code’s requirements that companies provide users with an opt out to behaviorally-targeted ads. As part of our annual review process, we routinely review a broad variety of inputs, including reports in the media and from advocates. The online medium is remarkably transparent, allowing for evaluation of company data collection practices and of the effectiveness of self regulation. If there are credible allegations of a violation of the NAI Code, we investigate them; and if there are violations, we report them.

However, it’s also important to draw a fair distinction between existing industry self regulatory commitments to limit ad targeting based on user interests, and the views of proponents of newly emerging “Do Not Track” technologies who argue that advertising companies should be stopped from collecting any data. We’ve been following with interest the recent introduction by browser manufacturers of “Do Not Track” features that promise in various degrees to limit browser data collection. A robust debate is going on about how these browser features might be integrated with the existing industry self-regulatory programs, but for now there is no universally agreed upon definition of what “Do Not Track” means.

Given the rapidly evolving nature of Internet technology, it’s entirely appropriate for self regulatory programs to evaluate how best to adapt these new browser technologies. But in order for consumers and companies to understand what is being offered on the “Do Not Track” playing field, the goal posts can’t be a moving target. More importantly, we should be clear about when rules changes will have profound consequences: prohibiting the gathering and use of operational data may inhibit the ability of companies to serve even non-targeted ads; impair efforts to stop fraud by bad actors; and seriously jeopardize the viability of advertising supported free content and services on the Web. There is a vital distinction between limiting the use of online data for ad targeting, and banning data collection outright. We look forward to being part of the dialogue about how best to define – and deploy – a “rulebook” for online choices that are not only consistent with consumers’ privacy expectations, but that also preserves the viability of ad-supported online services that millions of consumers enjoy every day.

-Chuck Curran, Executive Director, NAI

Adopting new best practices in a large industry like online advertising can seem a little like turning a large ship. At first, to the outside observer, it may not seem like much is happening, as the changes start slowly and the ship has its existing momentum to overcome. As the ship continues to turn, however, the new course becomes clear, and it can accelerate with ever-increasing momentum.

Today, the Digital Advertising Alliance (DAA) announced that the online advertising industry is fully turned onto the course of adoption of the “ad choices” icon, with broad participation by a hundred of the largest brand marketers, agencies and ad networks.

Not surprisingly, members of the Network Advertising Initiative (NAI) have been among the leaders in adopting, promoting, and distributing the icon to consumer advertisers. Dozens of NAI members have enabled the use of the icon on the ads they serve today, or are rolling it out with their advertising partners within the coming weeks.

Showing that the industry is moving from development to deployment, the DAA also announced that enhanced notice using the “ad choices” icon has been served with more than 2 trillion ads. The icon is visible not just on ads served by NAI companies, but also on the sites of NAI members like Microsoft and Yahoo! that are also Web publishers. If you haven’t already seen the icon, you will soon see if far more across hundreds of other sites as this rollout reaches full deployment.

For anyone who wants to see the changes taking place in the online advertising industry to provide consumers with ubiquitous access to enhanced notice and choice, you won’t have to look far for the “ad choices” icon.

-Chuck Curran, Executive Director

A study released yesterday by several privacy researchers outlines the authors’ efforts to assess the notice and compliance requirements implemented by the NAI and Digital Advertising Alliance (DAA) as part of our respective self-regulatory programs. The study makes a number of assertions at the margins to which we take exception, in particular the claim that some NAI members are not providing sufficient notice about their collection and retention practices for online behavioral advertising.

On the whole, however, we think the study shows how robust and far-reaching the industry’s self-regulatory regimes have become, and we believe the authors may have missed that forest by peering too closely at the bark of the trees.

In fact, on core issues of self-regulation like reach, effectiveness, and compliance, the study shows the remarkable progress that has been made by the online industry in expanding the number and reach of companies involved, deploying new and innovative solutions for consumer transparency and choice, and strengthening the existing self-regulatory regime.

According to the study’s own findings, the NAI’s members enumerate their OBA activities in their privacy policies and comply with those policies. As the study affirms, “All NAI members mention their behavioral advertising activities, and all provide an opt-out mechanism.” Equally important, when testing a central feature of the NAI program, its consumer opt-out platform for more than 60 companies, the study found that the “NAI mechanism was able to set all opt-out cookies successfully.” Similarly, except for one company that was temporarily unable to set an opt out in one particular browser type, the study acknowledges that the new AboutAds opt out platform “worked with the other browsers” for all participating companies. Even if there is a rare technological glitch, these tools notify users when a particular company’s opt out is not set.

Beyond that, the study claims only one instance of non-compliance (out of 66 member companies) with respect to the requirement to disclose the type of data collected, and acknowledges that all NAI member companies are in compliance with the requirement to disclose how data collected will be used. We differ with the authors in their belief that any of the reviewed companies did not adequately make such disclosures.

We have a more substantive disagreement with the authors’ claims that several NAI members are not providing sufficient notice about how long they retain data for online behavioral advertising purposes. On this point, the study is not accurate, and we have provided the authors with excerpts from the policies of every NAI member in question showing their compliance with this requirement. For example, the authors claim that Yahoo does not disclose how long data will be retained. However, Yahoo!’s publicly-posted data storage policy explicitly states that “Yahoo!’s anonymization policy applies to user log file data and includes searches, ad views, ad clicks, page views and page clicks” and that “Yahoo! stores this data in an identifiable form for up to 90 days for most log file data.” Microsoft has made a similar public commitment: “Microsoft will no longer retain web log data in a profile used for display advertising for more than 13 months, unless a consumer consents to a longer retention period.” Other NAI members provide similar disclosures. Given that the NAI’s retention disclosure requirement is a best practice that exceeds current legal requirements, it’s particularly ironic that the authors have chosen to criticize the efforts of our members to provide robust consumer disclosures.

More importantly, the study ignores the many areas where the past year has seen dramatic – and ongoing – improvements in self-regulation. For example, nearly 3 million unique visitors viewed the NAI’s main web page in 2010, an increase of nearly 150% over the prior year. Use of the NAI’s opt-out tool increased by 58%, and traffic to the educational section of the NAI quadrupled to more than 500,000 unique visitors. This year, in the past two months alone, another 500,000 unique visitors have learned about online behavioral advertising through the NAI’s educational efforts.

Put another way, this study, and the NAI’s own data, validate that consumers who want to find out about their behavioral advertising choices are finding our site, reviewing our educational materials, and using the opt out platform itself.

Equally important, the NAI itself has dramatically extended its reach over the past year, increasing its membership from 35 companies a year ago more than 60 today. Our membership now includes all fifteen of the largest ad networks in the United States, the companies who enable and deliver the overwhelming majority of network ads to users. Moreover, the new DAA program (in which the NAI participates) offers other companies within the ecosystem another means participate in broader cross-industry self regulation. The study, quixotically, cites this remarkable growth in participation as a “problem,” on the grounds that consumers have more companies from which they can opt out using the “select all” feature of industry opt out tools. We think a reasonable observer would consider the rapid growth of participation in self-regulatory regimes to be a good thing for consumers.

Nor are skyrocketing usage and broad industry-wide participation the only significant changes. In the past several months, the online industry has started to deploy enhanced notice through the most effective device possible: an icon in or near the ads being delivered.

The study attacks the current state of deployment of that icon, as if trying to predict the final score of the game during the first inning, and it’s too early to make that claim. Indeed, just a week ago Google announced the implementation of the industry icon within its ads, joining MSN and Yahoo! as the industry’s three largest ad companies now using the icon. Other NAI member companies are now also participating in the rollout, offering advertisers the capability to incorporate the icon in or around their ads. The industry deserves enough time to make the technical changes necessary to integrate the icon, and users will become increasingly familiar with it across a wide range of advertising providers over coming months.

Companies that commit to self-regulatory programs are promoting transparency not just in the technologies they use for interest-based advertising, but also about the success of their compliance efforts. Practices in the online advertising marketplace are visible to consumers, policymakers, and privacy advocates, and we believe it is appropriate for others to evaluate the efficacy of self-regulatory initiatives. We also hope that at the same time equivalent efforts will be made to encourage any remaining companies outside current self-regulatory programs to join the collaborative industry initiative. That way, we can work towards ensuring the glass is full for all consumers.

Charles Curran
Executive Director
Network Advertising Initiative