Submitted by David Wainberg on Thursday, July 19, 2012

On June 20th, I returned to the NAI as Counsel & Senior Director of Technology. (As many of you know, I previously worked for the NAI, but left last year for a job at AppNexus.) People keep asking why I came back. I was in a great position at an exciting, fast-growing company that, like many NAI members, was innovating and growing like crazy. Why would I give that up? It was an incredibly tough decision. However, I realized I couldn't pass up this opportunity to take a leading role in charting the industry's course through the very tricky policy waters ahead. So, I didn't want to leave AppNexus - but I did want to rejoin the NAI and help shape the future of our industry.

When I left the NAI just over a year ago, we'd come a long way and we were celebrating several successes we’d worked day and night to achieve with our members and industry partners. We had completed another successful review of members' compliance, and had used the opportunity to raise the bar on requirements and best practices. We had also navigated a number of policy challenges during a time of heightened interest in online privacy. Not surprisingly, the NAI membership was growing at a steady rate. The NAI’s small and uber-talented team was hard at work developing the compliance program, as well as new policies and best practices. We had also recently helped the DAA to launch its new web site and opt-out page on The DAA's program was on a good trajectory. Use of the icon was growing fast. It felt like our efforts were paying off and, from a policy perspective, the industry was moving in a very positive direction.

Things are different in 2012! Due to a variety of developments and a lot of FUD (fear, uncertainty and doubt) that has been confusing those that try to follow the issues we address, scrutiny of our industry is at an all-time high. This has enabled and emboldened a DNT process that potentially threatens NAI members' businesses without delivering a net privacy benefit to users. That's a huge problem, and ensuring that a browser-based choice mechanism is developed and implemented in a way that is balanced and does not intentionally or unintentionally destroy the third-party advertising ecosystem will be my primary focus for the next several months.

Beyond DNT, the plate of policy issues the NAI must tackle has also grown. The NAI continues to add more diverse business models -- SSPs, DMPs, exchanges, mobile -- with more on the way. (We are approaching 100 members!)  This is requiring us to address policy issues across a much broader range of data-driven business models than the NAI ever has in the past. And we're not just talking about the U.S.  We now have members based in Canada and Europe, with applications arriving from as far away as Asia and member companies operating across all continents. I may be biased. However, I do not think there is any other organization that is as well equipped to handle these issues.

To that point, it was more than just my interest in these issues that lured me back to the NAI. When Marc Groman, the NAI's new, and highly dynamic, Executive Director, started describing everything he's done and everything he plans to do at the NAI, I was monumentally impressed. He has added impressive new staff, greatly expanded the NAI's capabilities, and is laser focused on ensuring that our mission is clear, integrity-based, executed and well communicated. Under Marc’s leadership, the NAI has already built a technical compliance tool that scans the web to detect possible compliance issues; that's a huge step. In addition, we just launched our new web site, we are rewriting the NAI Code, and much more. Marc has a compelling vision and strategy for serving the NAI members, and the energy to pull it off.

He couldn't do it without the staff, though. Veterans and new recruits across the NAI are the best, brightest and most likeable because their passion is impossible to miss. The proof is in the product. When you look at what this team has done and will do, you'll be equally impressed.

One last bit of praise for Marc and the entire NAI team. I learned a ton from working at AppNexus. And I gained a much deeper appreciation of the concerns and challenges of third-party ad businesses -- the NAI's member companies. I can tell you that Marc and the rest of the NAI team really believe in the value of what they're doing. They care deeply about privacy. And they care deeply about the success of the NAI member companies.

So, it really is great to be back. The NAI of 2012 is better, faster and stronger than ever. I'm thankful for this opportunity, and I'm incredibly proud and excited to be a part of this organization. I hope our members all agree. And if you're not a member, I strongly encourage you to join our effort to promote industry best practices across the online advertising ecosystem. The stakes are too high for any of us to sit on the sidelines.

Submitted by Meredith Halama on Thursday, July 19, 2012

Last week, Robert Gellman published his assessment of the NAI’s 2011 Annual Compliance Report. As always, the NAI welcomes an open dialogue with our members, consumers, and the advocacy community. We believe in the role of all these constituencies in self-regulation and value ideas about how to improve our program. We also take pride in the fact that these exchanges help us continuously evolve our compliance program.

With this in mind, we also believe that the healthiest, most productive discourses put forth both opinion and fact. In the case of Mr. Gellman’s piece, his tone and assumptions are clear and he is very much entitled to his opinion. However, there are factual inaccuracies. In the spirit of maintaining a productive dialog, we have addressed the inaccuracies below.

Audits vs. Compliance Review

Throughout his piece, Mr. Gellman repeatedly refers to the NAI annual compliance review as a professed "audit," and then criticizes the NAI for not living up to formal auditing standards. The NAI, however, has never claimed to conduct annual "audits" or to have auditors on its staff. As detailed in our 2011 report (and in prior years' reports), NAI compliance staff (which is currently composed of four attorneys with 20 combined years of experience in privacy, technology, and corporate law) conducts the annual compliance reviews. We believe that our process is actually superior in many ways to “independent” audits conducted by auditing firms; indeed, many member companies have told us that they gain more understanding of online privacy and ideas for protecting users' privacy from our annual reviews than they do from full-fledged audits conducted by outside auditors who have little experience with online behavioral advertising or the technology behind it. Another benefit to having NAI staff conduct the annual reviews is that it helps to establish a virtuous cycle: each year, compliance staff identifies new technologies, best practices, and evolving business models, and then uses that knowledge to inform its review and suggest best practices to other member companies.

When Members Are Reviewed

Mr. Gellman states that members are not reviewed prior to joining NAI, and that they may go 23 months without undergoing a review. Neither statement is true.

First, members are reviewed prior to joining the NAI, which our 2011 Compliance Report makes clear: "NAI staff vets companies' business practices and policies before they are admitted to be members of the NAI, but this process is separate from the annual compliance review process." While this pre-certification review is separate from the compliance review, it is a thorough and thoughtful process that requires a tremendous investment of time, effort, and resources by the NAI and applicants. Unlike almost any other industry association, companies can't just join NAI. They must first align their practices with our Code. You can read more about the process in our recent blog post.

Following this pre-certification review and admission to the NAI, companies undergo their first compliance review one year after they are admitted to the NAI. As we explained in our report, our 2011 review covered the 60 companies who were members as of January 2010. Thus, contrary to Mr. Gellman's assertions, a company that joined the NAI on January 2, 2010 would have been reviewed in the 2011 review. Mr. Gellman also accuses the NAI of not identifying whether any companies had resigned from the NAI. But Appendix A of the report (which Mr. Gellman cites) has a footnote indicating that Quantcast had withdrawn its membership in the NAI. The 2010 report contained a similar statement about former NAI member Safecount. Those two companies are the only two to have ever withdrawn from the NAI. In each case, we disclosed the withdrawal on our website, required the companies to disclose their withdrawal on their websites, and disclosed the withdrawal in the annual report issued following their withdrawal.

Opt-Out Rates

Mr. Gellman’s attack on the NAI is based on the faulty assumption that the opt-out rate is the measure of a self-regulatory program's success. It is not. The goal of the NAI’s educational campaign is to provide users means by which they can learn about online behavioral advertising and the choices available to them. The NAI and its members have expended substantial time and resources to developing educational materials, and last year alone, NAI members donated more than 4 billion ad impressions to help users discover these materials. Those efforts helped lead nearly 8.5 million unique users to the NAI’s website in 2011, nearly three times the number of unique users who visited the site the prior year. We believe these numbers, not the total number of opt-outs, are the measure of our members’ success. In any event, Mr. Gellman’s analysis mischaracterizes industry click-through rates. Unfortunately, .05% conversion rates are not uncommon.


Mr. Gellman questions why our 2011 report states that non-PII was not shared “with the intent of” it being merged. The reason is simple: this section of the report speaks to our members’ compliance with section III.5(b) of the current NAI Code, which provides that members must contractually require third parties to adhere to applicable provisions of the Code where the non-PII they are transferring is "to be merged with PII possessed by the third party." The report accordingly noted that no companies were found to be transferring non-PII with the intent of it being merged with PII. The report then goes on to report on members’ efforts to go beyond the requirements of the Code to prevent non-PII from being merged with PII held by third parties more generally. It is in the context of reporting members’ efforts to go beyond Code requirements that the report notes that companies "generally" have contractual provisions in place to prevent the merger of non-PII with PII.

Domain Lists

In its 2011 Report, the NAI stated that it would begin requiring members to report on a regular basis the domains they use for OBA purposes. Mr. Gellman attacks this recommendation, arguing that such a document “seems to be a basic document for an audit” and questioning how the NAI ever conducted reviews without such a list. In so arguing, Mr. Gellman seems to believe that “domains” equates to “member companies.” The NAI has of course always known who its members are, and has always asked each reviewed member which domains it uses to collect data during each compliance review. The point of this change to our program is that members are now required to provide their list of domains on a regular basis, not merely annually. This reporting strengthens our technical monitoring program because it allows us to be 100% certain about what companies are responsible for setting particular cookies, and, if necessary, ask those companies about the behavior of those cookies. It also helps us to ensure that members’ opt-out mechanisms are always up-to-date. Finally, it forces an extra layer of diligence and communication between technical teams and management within our member companies to help ensure that all parts of the companies are aware of all of their data collection practices. We are proud of the steps we take to continually improve our program and that we are transparent about where we think we can do better.


Mr. Gellman reads the NAI Code as imposing obligations that are identical to COPPA. That is not correct. The current COPPA rule addresses only the collection of traditional PII and does not address the use of non-PII such as cookie identifiers. The NAI Code does address the use of Non-PII for online advertising and children, prohibiting members from creating segments directed to children regardless of whether any PII is used. Similarly, the NAI Code makes 100% clear that members may not use even non-PII data for eligibility purposes (a topic on which the FCRA is arguably unclear), and places obligations on NAI members to ensure that they do not pass non-PII to other parties for such purposes.


We are proud of the work we do to ensure our members’ compliance with the NAI Code, including our ongoing efforts to improve the program. Indeed, we recently developed, and are in the process of enhancing, a technical monitoring tool that will help us to monitor members throughout the year. This will ensure that opt-out cookies function as intended. The development of the tool was informed by an ongoing dialog with privacy advocates and researchers. It is the perfect example of how a healthy discourse leads to a better solution for all.

We look forward to continuing to grow and improve our compliance program through an open and respectful dialog among key constituencies. Our door is open and we have seats at the table for anyone who wants to participate in the development of meaningful self-regulation. Like successful privacy programs, a successful self-regulatory program requires an ongoing process of evaluation, identifying areas for improvement, addressing evolving issues, and always striving to be better.

-Meredith Halama, Deputy General Counsel and Director of Compliance



Submitted by Marc Groman on Friday, June 22, 2012

After six months serving as NAI Executive Director, I am proud and inspired by who we are, what we’ve accomplished and where we are headed.  I hope you find yourself similarly inspired and thank you for the collaborative work we’ve done together to achieve these goals.

First, the NAI couldn’t deliver on our mission without our committed members and team. Fortunately, member and team growth has been strong and diverse. This is allowing the NAI to expand our vision in order to address the increased need of members by company type, geography and domain. As we approach our 100th member, our roster now includes the largest ad networks, as well as DMPs, DSPs, SSPs, exchanges, analytics providers, and other business models.  We’ve also expanded our footprint to cross many borders:  Applications are being reviewed from non-U.S. based companies and networks focused on the mobile advertising ecosystem. The NAI staff roster is also stronger than ever.

Earlier this year, NAI issued our 2011 compliance report which demonstrated that overall, our member companies continue to meet the obligations of the NAI Code and to adopt best practices even where not required by the Code.  The report also revealed:

  • Member companies included in the report don’t use, or permit others to use, OBA data for purposes other than marketing.
  • Evaluated member companies do not specifically target children under 13.
  • Reporting companies did not use or seek to use sensitive consumer data as defined by the NAI Code for OBA purposes.  In fact, we learned that our members are bringing increased transparency to all health-related targeting by disclosing all interest categories related to health in accordance with the NAI’s new health transparency policy.
  • Evaluated member companies do not collect PII for OBA purposes, and they have policies and protections in place to prevent the inadvertent collection of this data.

We are proud and grateful for the innovative and effective advertising services our member companies provide to advertisers, publishers, and online consumers.  As an organization, we support the dynamic and free content and services enjoyed by consumers online every day.

A core philosophy is emerging at NAI:  We are a place to explore, discuss and champion industry best practices with respect to online privacy and data management.  We are not here just to satisfy regulators or engage in privacy window dressing. We are here because responsible data management and respect for consumer choice is the right thing to do.  Responsible and transparent business and data management practices promote consumer trust and confidence.  The NAI recognizes that the evolving business models and rapidly changing technologies of the online environment present new issues with respect to privacy.  We are not deterred by these challenges, but excited to tackle them and to demonstrate that innovation and privacy are not a zero sum game.

Like a comprehensive privacy management program, a self-regulatory code of conduct is never a finished product. To be effective and relevant, it requires an ongoing assessment.  Thus, we are in the process of updating the NAI Code. As we update our Code, we are looking to other initiatives being implemented by DAA, MMA, and other associations as well as guidance issued by the FTC and the Administration.  A fundamental principle underlying the NAI Framework being updated is that companies should implement different safeguards and obligations for different categories of data, taking into account the sensitivity of the data and the proposed use of the data.  This basic principle, which has long been recognized by the NAI, is supported by the FTC Privacy Report and The Commerce Report, which explicitly acknowledges that privacy protections should not be applied in a “one-size fits all” approach, but should be flexible, scalable, and take into account context.

NAI will be launching our new website next month.  It will reflect our belief in transparency and our commitment to consumer education.  We’re working hard to make it easier for consumers to make informed decisions about the collection and use of data for online behavioral advertising.  We believe that interest based advertising offers consumers an amazing experience but those consumers who would like to opt out of OBA should be able to exercise that choice – and easily.

We’ve also tremendously improved and expanded our first-rate compliance program. We now have more staff, enhanced compliance requirements, and extensive continuing education programs for NAI member companies.  As the NAI expands in both size and scope, the need for a robust technical compliance program is increasingly evident. To that end, we are developing a suite of technical compliance tools and procedures that more quickly and accurately identify potential compliance issues. These tools and procedures will accomplish three main objectives:

  1. Automate the discovery and documentation of known compliance concerns;
  2. Provide accurate forensic data for discovery and examination of edge-case compliance concerns; and
  3. Increase transparency with the public and consumer advocates.

Over these past six months, we’ve also been able to improve and enhance communication with our members.  In fact, we’ve already provided over 10 member calls in 2012 on NAI strategy and vision, Do Not Track, and international privacy issues.  And there’s more to come.

While this rearview mirror inspires me for our journey ahead, there are significant challenges facing the NAI and our member companies.  First and foremost are the ongoing discussions at W3C around what has been unfortunately and incorrectly labeled as “Do Not Track.”  Indeed, this week I am in Seattle for a three day face-to-face meeting of the W3C Tracking Protection Working Group.   Much of the debate around this topic focuses on Internet intermediaries or third parties that collect information – yes, NAI members.  My mission is to educate the well-intentioned stakeholders involved and address their concerns, in the hope of avoiding the potential (if unintended) negative ramifications of some of their proposals.  Although some at W3C frame this debate about OBA and third parties, the potential impact on the entire online ecosystem could be catastrophic with minimal gains for consumer privacy.  I’m also concerned about how the new laws in Europe may impact the greater ecosystem if not implemented with the type of excruciating effort it takes to ensure proposed regulations do not unreasonably restrict the consumer experience and/or fair commerce and growth.

These challenges are just that: Challenges. As an organization, we’ll conquer them and grow stronger and smarter as a result. The industry evolves every day, and as long as we continue to champion what’s best for our members, consumers, and the internet advertising industry at large, we’ll continue to grow and thrive.

I truly believe this and, in June,  find myself more energized and excited than I was in January.  Thank you again for being a core part of the NAI’s success. While we have all committed to tackle complex challenges together, the people that are the NAI team and members make it an enormously enriching and memorable experience. Here’s to the road ahead!

Submitted by Marc Groman on Saturday, June 16, 2012

We are rapidly approaching an exciting milestone in the growth and reach of NAI – our 100th member company.  This is significant because it highlights a shared commitment to responsible advertising by a variety of company types, each focused on consumer engagement, and each helping the digital economy to thrive. NAI members include not just the largest online advertising networks, but also the leading data management platforms, exchanges, and analytics companies.  Each of these member companies is committed to complying with the NAI Code of Conduct – a set of standards and principles that mandate responsible data management practices for online behavioral advertising.  These principles — based upon the Fair Information Practice Principles of notice, choice, transparency, use limitations, access, security, etc. — exceed current legal obligations in the U.S.  It may not be obvious, but every NAI member must align their business practices with the NAI Code before their membership application is approved.  What does that mean for our members?

It means that before companies can publicly represent that they are NAI members, they must complete a rigorous vetting process that often involves significant time from engineers, lawyers, and other business units within the company.  In nearly every case, we require members to make substantial changes to their privacy policies – and they do.  They clarify language, add representations about retention, and enhance the transparency of their business models.  In most cases, we also require members to fortify their consumer choice mechanisms – and they do that as well.  They invest significant time developing and testing opt-out scripts to ensure that they meet NAI requirements for duration and functionality.  In some cases, applicants may even terminate an entire line of business to become fully compliant with the NAI Code.  Some companies decide not to complete the lengthy application process or don’t even begin the process after they receive our membership application and questionnaire.  Joining the NAI is not easy for some entities, and new member companies should be applauded for their efforts to sign up for self-regulation and voluntarily adhere to standards that exceed current legal requirements.  I’m proud of our members and we should all recognize the time, effort, energy, and genuine commitment NAI members make to our program.  We could have many more members today if we made the process easier or relaxed our standards.  We won’t.
