Last week, the Network Advertising Initiative launched its new Self-Regulatory Framework as part of its 25th anniversary.
The framework offers a model for digital advertisers to self-regulate and help companies comply with U.S. state and federal privacy requirements. The foundations for the framework derive from the five core privacy principles NAI member companies must agree to as baseline commitments to retain membership.
The principles include transparency regarding the use of personal data, offering consumer choice and control, establishing comprehensive data governance operations, ensuring adequate safeguards for collected sensitive data as defined by state and federal requirements, and instituting accountability measures.
The Self-Regulatory Framework, NAI President and CEO Leigh Freund said, replaces NAI's Code of Conduct established in 2020. She indicated the new framework began as a member-driven process to update their best compliance practices beginning two years ago.
Freund said the rapid change in the U.S. privacy landscape in the last five years, with 19 states enacting comprehensive privacy statutes, necessitated new considerations and subsequent replacement of the prior code.
"The NAI decided that we were going to reimagine what self-regulation looks like now that we operate more in a heavily regulated industry," Freund told the IAPP. "We want to focus our efforts not on creating a prescriptive code where we have specific additional requirements that may be different than state requirements and instead create more of an evolutionary framework that can help our members with their state legal requirements."
Crowell & Moring's Privacy and Cyber practice Senior Counsel Justin Weiss, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, said he believes the new NAI framework will be more adaptable to individual member company's compliance needs, which may vary in some cases depending on the specific industry and where they operate.
"Given the proliferation of privacy laws that are relevant to online marketers, the NAI is smart to channel the needs of its members' own business teams by establishing a unified approach to operating across jurisdictions," said Weiss, who served as NAI privacy counsel from 2006-09. "The key here is that a modern framework will leverage, streamline and reinforce existing compliance efforts, rather than seek to differentiate itself in an environment where marketers' privacy practices are actively being regulated."
The new Self-Regulatory Framework is designed to be flexible for members, according to Freund.
For instance, under the consumer choice and control principle, the new framework does not mandate the specific type of consumer choice controls NAI members must implement on their websites, whereas the code of conduct prescribed a specific universal opt out mechanism.
"This flexible approach has the goal of allowing members to use choice mechanisms to meet their compliance obligations," Freund said. "Companies now may prefer to use methods like their own proprietary opt outs or other signal specifications."
As for the principles of data governance and ensuring the protection of sensitive data under the new NAI framework, Freund said that good data governance practices are "the underpinning of most state privacy laws." Therefore, the framework requires NAI members to provide transparent notice of data uses to consumers, choice and opt out provisions and the ability to demonstrate these governance practices to state regulators, as well as the NAI.
"On sensitive data, definitions vary across the states, so one of the things we've been helping our members with is synthesizing those definitions and seeing what processes companies have in place is to determine the data that they collect is sensitive under any of those state definitions," Freund said. "Then, we're asking what they’re doing to protect the data. Are they putting in place additional choice requirements? Are they asking for consent, and how are they managing that?"
Crowell & Moring's Weiss said as NAI member companies work to fully implement the new framework there may be some initial "tension" due to some members being further along in their overall compliance efforts compared to others.
"Some actors are likely to be more mature than others," Weiss said. “The process members go through to rationalize their compliance practices against one another, as brokered by the NAI staff, may result in pressure on certain members to step up to what the industry has demonstrated is possible."
To ensure the framework's principle of accountability among members, NAI members will still be required to participate in the organization's annual privacy review program in order to retain their membership.
Freund said the key change to the privacy review through the new framework will be more of a focus on confirming NAI members have the internal processes in place to meet the requirements outlined in the framework's principles. Additionally, during privacy reviews with members she said conversations will center on how all of the NAI's best practices, standards and guidance generated by the organizations directly relate to individual member's business operations.
"The (privacy review) has long been a lynchpin of the NAI Code of Conduct, and so while it will feel different, we think it is no less rigorous," Freund said. "Now we have principles that do not change and those principles are baked in every privacy law that has passed so far."
Alex LaCasse is a staff writer for the IAPP.
