Skip to Content

Privacy & Data

NAI releases 2009 Online Advertising Compliance Report

On the next-to-last day of 2009, during that mind-numbing parade of top-ten countdowns, the Network Advertising Initiative (NAI) released its 2009 compliance report on online advertising practices. The NAI is an important consortium of thirty-eight online marketing and analytics companies, and its report evaluated the extent to which members were following the group’s 2008 “Self-Regulatory Code of Conduct” for online advertising generally, and behavioral advertising more specifically.
The NAI’s compliance report documents significant improvements in implementations of the NAI's behavioral advertising self-regulatory framework and highlights worrisome holes in the code of conduct itself.
We were impressed with the effort that had been put into the compliance evaluations and with the growing number of companies participating in the NAI's self-regulatory program. This year’s compliance report evaluated the twenty-three companies who were NAI members as of January 1, 2009, and next year the NAI expects to evaluate 35 companies.  The report indicated that participating companies are working hard to ensure timely compliance, and we were encouraged by the NAI's commitment to looking beyond privacy policies and contractual agreements to determine whether companies were acting on their promises to consumers. In the report, the NAI shows a clear commitment to addressing areas of non-compliance.
Simply put, the NAI’s set of self-regulatory principles are insufficient and outdated – compliance with these standards is just not enough to protect consumer privacy. For example, the NAI’s principles distinguish between two types of behavioral advertising; although both types raise significant privacy concerns, companies only have to provide certain protections – like a consumer opt-out mechanism – for one type. Similarly, the NAI continues to distinguish between so-called “Personally Identifiable Information” and “non-Personally Identifiable Information,” although researchers have consistently shown, and the Federal Trade Commission (FTC) has agreed, that such traditional distinctions are inaccurate representations of the actual identifiability of information. And of course, the NAI’s compliance report would have a lot more credibility coming from an independent 3rd party rather than the NAI staff or consultants that are responsible for adding to its membership.
More specifically:
– In its report, the NAI continues to acknowledge privacy policies as an acceptable vehicle for consumer notice of data collection practices, a largely discredited stance. The NAI has emphasized to us that they support enhanced notice for online behavioral advertising – notice outside the privacy policy – and we hope the best practices and model notice language that the NAI is preparing for member companies will promote enhanced notice.
– The NAI has still not completed the long-promised implementation guidelines for collection and use of sensitive information. We hope the NAI will complete this document shortly and will include information about (see if you can say it in one breath): past, present, or potential future health or medical conditions or treatments, including genetic, genomic, and family medical history information of an individual; financial information about an individual, defined more broadly than financial account numbers, and information about an individual's sexual behavior or sexual orientation.
– While the NAI deserves credit as the first trade association to offer consumer opt outs of any type, some problems remain with respect to the robustness of these opt outs. Of particular concern is the use of Flash cookies by companies as a means to subvert user control, a practice that the NAI has made some progress in addressing but that deserves more attention.
– We are disappointed that the compliance review discounted any need for profile access (access to information being collected about your activities online) by companies that were evaluated this year, because the NAI concluded that the data those companies were collecting did not fall under the narrow and outdated definition of “Personally Identifiable Information.”            
We applaud the NAI for completing such a comprehensive report in such a timely manner. With this report, the NAI has lived up to many of the expectations the trade association set for itself in its 2008 guidelines. But as the NAI looks toward the next year, we urge it to consider updating its guidelines to better conform with current best practices and to aim for a place on consumers’ 2010 top-ten list.