On December 16, 2008, one year after Federal Trade Commission (FTC) staff released proposed principles to guide self-regulation of online behavioral advertising, the Network Advertising Initiative (NAI) released new binding principles governing its members’ collection, use, and sharing of information used in behavioral advertising (the Code of Conduct). NAI is a self-regulatory cooperative of online marketing and analytics companies that aims to promote responsible business practices with respect to data management and its use in advertising. NAI’s principles are aimed at adapting to new online advertising models and, in particular, the increase in targeted or customized advertising.
The revised Code of Conduct governs Online Behavioral Advertising (OBA), newly defined in the revised code as including “any process whereby data are collected across multiple web domains owned or operated by multiple entities to categorize likely consumer interest segments for use in advertising online.” OBA is distinct from “Ad Delivery and Reporting,” defined as “the logging of page views or the collection of other information about a browser for the purpose of delivering ads or providing advertisingrelated services,” including the provision of specific advertisements based on the type of browser or time of day, statistical reporting, and tracking the number of ads served to a particular Web site.
The revised code also added a new category, “Multi-Site Advertising,” which means “Ad Delivery and Reporting across multiple web domains owned or operated by different entities.” This additional term was included in recognition that there is “cross-domain Ad Delivery and Reporting that does not necessarily involve use of passive tracking tools” (e.g., cookies and pixels) and that certain provisions of the code should extend to such activity. The code contemplates this category as accommodating emerging business models.
Notably, the new code does not address the issue of behavioral targeting by ISPs, but NAI stated in its commentary that the “spirit of the consumer protection goals” of the code might “inform future self-regulation” of ISP behavioral targeting.
Similar to the 2000 Code of Conduct, the revised code includes requirements relating to consumer notice of privacy practices, consumer choice about the use of their personally identifiable information (PII) and non-PII. Interestingly, PII is defined in the code as including “data . . . intended to be used to identify, contact or precisely locate a person.” The NAI commentary to the code states that this standard is designed in part to acknowledge that information that is not traditional PII may be PII based on its intended use and thus protections should be afforded to such information.
The notice and choice requirements that apply to OBA, Ad Delivery and Reporting, and Multi-Site Advertising depend on the type of data (non-PII, PII, sensitive information, etc.) used for those activities. Notably the code now includes a requirement that NAI members that serve ads based on “sensitive consumer information” (defined as including social security numbers, financial account numbers, real-time geographic location, and health or medical information) obtain users’ opt-in consent prior to using such sensitive information, regardless of whether that sensitive information contains traditionally defined PII. The code states that the provisions relating to sensitive consumer information, and particularly health information, will be further developed in implementation guidelines.
Similar to the previous standards, the revised code addresses access and security of data. The code also now states that member companies that engage in behavioral advertising of children known to be under age 13 (even if PII is not used in the targeting) must obtain opt-in verifiable parental consent. Finally, the new standards place increased emphasis on requirements relating to transparency and add a data retention principle that states that members may retain data collected for OBA, Multi-Site Advertising, and/or Ad Delivery and Reporting “only as long as necessary to fulfill a legitimate business need, or as required by law.”
Already, some consumer groups have criticized the revised code, which was subject to public comment earlier this year, as not going far enough to protect consumers. It remains to be seen if the revised code will satisfy regulators and policymakers as being sufficiently robust, particularly in light of the new administration. The FTC may still release its revised behavioral advertising principles, and are currently engaging in a series of non-public investigations relating to behavioral advertising. Regardless of the new NAI Code of Conduct, the issue of behavioral advertising will be hotly contested throughout 2009 in legislatures and civil enforcement agencies such as the FTC.