The Network Advertising Initiative (“NAI”) released its 2018 NAI Code of Conduct (the “Code”). The Code basically merges the 2015 Update to the NAI Code of Conduct with the 2015 Update to the NAI Mobile Application Code, which previously existed as two separate documents, and also includes references to NAI Guidance documents published over the past 3 years, including Cross-Device Linking.

The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising. The NAI is composed of adtech companies that agree to adhere to the initiative’s code of conduct, which outlines a series of self-regulatory principles related to privacy, data governance, data collection, and notice and choice. Some of the notable elements in the Code are:

  • The Code imposes notice, choice, accountability, data security and use limitation requirements on NAI member companies. 
  • The Code clarifies some existing terminology, such as:
    • Personally-Identifiable Information (“PII”) - refers to the data that is used, or intended to be used, to directly or indirectly identify a particular individual;
    • Device-Identifiable Information (“DII”) - non-personally identifiable information that is linked, or intended to be linked, to a browser, device or group of devices, but is not used or intended to be used to identify a particular individual;
    • De-Identified Data - refers to data that is not linked to an individual, browser or device;
    • Sensitive Data - includes specific types of PII that are sensitive in nature, as well as DII related to sensitive medical conditions and sexual orientation.
  • The Code collectively refers to "Interest-Based Advertising," "Cross-App Advertising," and "Retargeting" as "Personalized Advertising," though it considers each a distinct practice.
  • Transfer Data Restrictions -
    • Unaffiliated parties to which members of NAI provide PII for Personalized Advertising or ad delivery and reporting purposes should adhere to the Code’s provisions concerning PII; 
    • All parties to which members of NAI provide DII should be required contractually to not attempt to merge DII with PII to re-identify the individual for Personalized Advertising purposes without obtaining the individual’s opt-in consent.
  • Data Retention - the Code requires member companies to keep DII or PII used for Personalized Advertising or ad delivery and reporting purposes only as long as is necessary to serve their business needs.