Code of Conduct
The NAI Code of Conduct is a set of self-regulatory principles that require NAI member companies to provide notice and choice with respect to Interest-Based Advertising (IBA), Cross-App Advertising (CAA), and Retargeting (collectively, Tailored Advertising) as well as Ad Delivery and Reporting (ADR) activities. The Code, initially published in 2000 to cover web-based data collection and use, was significantly revised in 2008, 2013, and 2015, and before a major revision for 2020. The Mobile Application Code, addressing data collection and use in the mobile application space, was first published in 2013, and was updated in 2015 before being integrated into the 2018 Code.
The 2020 Code is a major update to the 2018 Code, which merged the 2015 update to the NAI Code of Conduct, 2015 Update to the Mobile Application Code and includes references to all NAI Guidance documents current at the time of publication, including Cross Device Guidance. The 2020 Code expands its scope to cover the use of user-level offline data for certain targeted advertising uses, it expands Opt-In Consent requirements for new uses of data such as Precise Location Information, it incorporates the Guidance for NAI Members: Viewed Content Advertising, and it introduces several new definitions and terminology updates. NAI staff began enforcing the 2020 Code on January 1, 2020.
The Code addresses the types of data that member companies can use for advertising purposes and imposes a host of substantive restrictions on member companies’ collection, use, and transfer of data used for Tailored Advertising.
In the web space, these activities were traditionally conducted using HTTP cookies. However, as new technologies emerge additional guidance was needed to help clarify how the requirements of the Code apply to these new technologies. In May 2015, the NAI released its Guidance for NAI Members: Use of Non-Cookie Technologies for Interest-Based Advertising Consistent with the NAI principles and Code of Conduct (Beyond Cookies Guidance). Please see our Non-Cookie Technologies FAQ for more information.
The NAI Code mandates that member companies provide users a means to opt out of Tailored Advertising. For web-based Tailored Advertising, the NAI provides an opt-out tool — a simple web-based utility that allows users to opt out of receiving targeted ads from member companies. Integration with this tool requires member companies to provide consumers a means to opt out of Interest-Based Advertising via HTTP cookies. The NAI also requires its members to provide users with a means to opt out of Tailored Advertising in the mobile application space, and offers information about the choices available to users on mobile devices.
To help ensure that members abide by the NAI Code, the NAI has a robust compliance program, including sanctions mechanisms. Find out more about our compliance program here. Or, you can also file a complaint about a member.
The Network Advertising Initiative’s Code of Conduct is a set of self-regulatory principles that help guide NAI members’ approach to privacy and data governance in connection with the collection and use of data for Interest-Based Advertising (IBA). NAI members include ad networks, exchanges, platforms, creative optimization firms, yield optimization firms, sharing utilities and other technology providers.
NAI member companies generally collect data for Interest-Based Advertising that is not customarily regarded to be personally identifiable information (PII) and is not defined as such in the NAI Code. Nevertheless, the Code requires NAI members to provide notice and choice with respect to the data collected and utilized to offer Interest-Based Advertising. The Code also limits the types of data that member companies can use for Interest Based Advertising purposes, and imposes a host of substantive restrictions on member companies’ collection, use, and transfer of data used for Interest-Based Advertising.
The 2020 Code of Conduct is effective as of January 1, 2020.
The Update to the 2015 Code of Conduct was effective from June 1, 2015 to December 31, 2017, and the 2018 Code was effective from January 1, 2018 to December 31, 2019. The 2015 Update to the NAI Mobile Application Code was effective from January 1, 2016 to December 31, 2017. For more information, please see the history of the NAI Code revisions.
In 2015, the NAI began enforcement of the 2015 Update to the Code of Conduct, which addressed member company practices on mobile device web browsers. The NAI began enforcement of the 2015 Update to the Mobile Application Code, which addresses the collection and use of data on mobile applications for Tailored Advertising purposes in 2016.
In 2017, the NAI combined the 2015 Update to the Code of Conduct with the 2015 Update to the Mobile Application Code, merging those two documents into the 2018 Code of Conduct. It went into enforcement on January 1, 2018.
In a major Code revision for 2020, the NAI streamlined these prior Code updates for the 2020 Code of Conduct. The Code expanded the definition of Tailored Advertising to include Audience-Matched Advertising, it incorporated the Guidance for NAI Members: Viewed Content Advertising, and it now requires Opt-In Consent for additional uses of Sensitive Information and Precise Location Information among others. The 2020 Code went into enforcement on January 1, 2020.
The commentary to the NAI Code of Conduct was added for two principal reasons: 1) to provide additional information to explain the intent of the Code, and 2) to offer non-binding, illustrative guidance on ways to comply with the NAI Code. Information in the commentary is not intended to be either exhaustive or exclusive. In fact, this is made clear in the Code Commentary section, which states:
The purpose of the commentary is not to add substantive obligations on member companies or to alter the principles set forth in the Code itself. Instead, the commentary’s purpose is to explain the intent behind certain provisions of the Code. The commentary is also intended to provide examples of possible measures member companies may take to meet the substantive obligations of the Code.
We recognize that members hear conflicting views from regulators and privacy advocates on what to include in privacy policies. On the one hand, a common criticism we hear from regulators and advocates is that privacy policies are too long and detailed, too “legalistic,” and that consumers don’t read them. On the other hand, regulators, advocates and class action lawyers have filed complaints, enforcement actions or lawsuits charging that privacy policies lack adequate detail. This creates an obvious Catch-22 for industry. As data collection becomes more complex, finding a way to balance the pressure for more and more detailed disclosures with countervailing pressures for simplified privacy statements is an increasing challenge.
The NAI position is that notices should generally describe a member company’s data collection, use, disclosure and practices. NAI Code sets forth what descriptions and notice the NAI expects in a member’s privacy policy or privacy disclosure including, for instance, a description of Interest-Based Advertising activities undertaken by the member company and the types of data collected or used for Interest-Based Advertising. There is no “one size fits all” answer or template that NAI uses when evaluating a member’s privacy policy, since members engage in different practices and activities.
The Commentary also suggests that members should describe their data collection and use practices in as clear and concise a manner as possible, and to disclose technologies used for Interest-Based Advertising and Ad Delivery and Reporting. However, NAI recognizes that it is important to strike the balance between conciseness and thoroughness.
Therefore, during the Code compliance review process, NAI staff will carefully review the member’s privacy policy, in conjunction with responses to the annual compliance review questionnaire, and will provide input from the NAI perspective about the level of detail that NAI staff believes is necessary to meet the notice requirements of the NAI Code. Again, the NAI cannot offer legal advice and compliance with the NAI Code does not necessarily assure compliance with all applicable regulations. Nor does compliance with the NAI Code indicate how other stakeholders might interpret the level of required disclosure in a member’s privacy policy in any given instance.
Technological changes involving digital activities are occurring at a dizzying rate. One of the strengths of self-regulation is that our system is nimble and flexible, and allows us to respond more quickly than regulation or legislation to those changes through our code update process. This involves a constant evaluation of changes, consideration by our Board and members of how our principles should be applied to new technologies, new uses and new situations, and also allows us to tap into our members’ expertise in developing possible updates. Our ability to consider member input that reflects application of general principles, as well as practical operational considerations, is what allows our Code to enjoy such strong support from members. Where there are evolving developments, we need time to gain some practical experience to be sure that we making the right sort of recommendations when we update the Code.
The NAI’s Self-Regulatory Code of Conduct was last updated in 2019, in the form of the 2020 Code of Conduct.
For this revision, NAI staff worked with board members, and member companies, along with feedback from industry experts to update the Code in order to remain current with the constantly changing advertising ecosystem. This revision incorporates Guidance for NAI Members: Viewed Content Advertising which expands the NAI’s scope to Tailored Advertising on televisions. It also revises some terminology to reflect changes in technology, adds definitions, expands its scope to incorporate the use of user-level offline data for targeted advertising across websites and applications, and it expands Opt-In Consent requirements across various uses.
Prior to this latest significant revision for the 2020 Code, the Code was revised in 2008, and 2013 after its initial adoption in 2000. The Code is regularly reviewed in an effort to anticipate and respond to practical questions, technical and business process changes in our industry, and new issues raised by policymakers and advocates. These reviews resulted in non-material updates to the Code in 2015 and 2017.
The 2018 Code update combined the Code of Conduct for web-based data collection and use with separate Code of Conduct for mobile app-based data collection and use. This update also incorporated references to separate NAI Guidance documents, including Cross-Device Linking as well as revised some terminology to reflect changes in technology. This revision did not introduce any material changes or create any new obligations for NAI members. The Code was also updated in 2015 to clarify that the practice of Retargeting currently carries the same obligations and requirements under the Code as Interest-Based Advertising (IBA). In addition, the 2015 update explained that members’ “Interest-Based Advertising” activities based on sensitive health conditions or treatments require “Opt-In Consent.” Although these interpretations were previously discussed in the commentary to the 2013 Code of Conduct, they were moved directly into the text of the Code in the 2015 update for additional clarity and emphasis that NAI staff views them as Code requirements.
A prior material revision to the Code, completed in 2013, was the result of the convening of a Code Revision Working Group in February 2012. The Working Group was composed of dozens of NAI member companies who held numerous meetings over several months. The Working Group, the NAI Board of Directors and NAI staff members evaluated and discussed the current advertising ecosystem and various, proposed updates to the Code. From that work, the NAI developed an updated draft Code of Conduct that was put out for public comment in March 2013. Both prior to publishing the draft and during the comment period, NAI staff solicited and received feedback and comments from the NAI’s diverse membership. The 2013 NAI Code was formally approved by the NAI Board of Directors and announced at the NAI Summit in May 2013.
The NAI Code is a self-regulatory code. Only the NAI staff is authorized to interpret the requirements of the NAI Code and to enforce the NAI Code. Where NAI staff determines that there is an instance of non-compliance with the Code by a member, and a member refuses to implement the recommended steps to bring its practices into compliance, the NAI enforcement procedures allow NAI to refer the matter to the Federal Trade Commission (FTC). The referral is based on a theory that the member committed to adhere to the requirements of the NAI Code and failed to do so. In making such a referral, NAI does not ask the FTC to interpret its Code, but simply to address the member’s failure to comply with NAI’s interpretation and application of the NAI Code.