The Fingerprint File Doesn’t Have to Bring You Down: NAI Offers Advertisers Guidance on Digital Fingerprinting & Location Tracking
Advertisers who use tools such as location data and newer non-cookie technologies to deliver interest-based advertising must carefully balance the use of those tools with consumer privacy. To achieve this balance, the Network Advertising Initiative (NAI) – a digital advertising self-regulatory body – has recently released guidance for advertisers on how they can do both and stay in compliance with the NAI’s Code of Conduct.
The NAI released its Guidance for NAI Members: Use of Non-Cookie Technologies for Interest-Based Advertising Consistent with the NAI Code of Conduct (Beyond Cookie Guidance) on May 18, instructing its digital advertising members who conduct Interest-Based Advertising (IBA) and Ad Delivery and Reporting (ADR) how to employ non-cookie technology in line with the NAI’s Code. Then on July 20, the NAI issued its Guidance for NAI Members: Determining Whether Location is Imprecise (Location Guidance), clarifying under what situations members’ use of location data for IBA may be considered “imprecise” and thus not require users’ opt-in consent. Both releases come on the heels of the NAI’s 2015 update to its Code of Conduct that clarified members’ privacy obligations.
Beyond Cookie Guidance
The NAI’s Beyond Cookie Guidance provides baseline best practices for advertisers regarding: consumer transparency and notice regarding an advertiser’s use of non-cookie technologies (i.e. mechanisms such as browser cache, locally-stored objects (LSOs), or statistical identifiers to identify a consumer’s browser); providing user controls to consumers in the form of opt-out mechanisms; limitations on the use of data collected; and accountability to the NAI.
The Non-Cookie Guidance states that it sets “baseline practices” and details how the organization may evaluate advertisers during annual compliance reviews. The NAI also announced that it would work with its members during an undefined “implementation period” to help members understand and employ the baseline practices.
Transparency and Notice to Consumers
The Beyond Cookie Guidance instructs advertisers using non-cookie technology for IBA and/or ADR must include in their privacy policy:
- A general description of the technology or technologies used for IBA and ADR
- A description of, and easy access to, an “easy-to-use opt-out mechanism” where users can prevent IBA, or IBA based on non-cookie technologies, on specific browsers or devices;
- A description and link to a consumer transparency tool; and
- Updates to statements that browser cookie controls by themselves halt IBA where such representations would be untrue.
Members must also clearly and conspicuously post notices on websites where data is collected for IBA declaring that non-cookie technologies may be used by third parties on the site. Members must make “reasonable efforts” to have such notices posted on their partners’ sites.
Finally, members using non-cookie technologies that cannot be viewed or changed through native browser controls must implement a consumer facing transparency mechanism that:
- Displays on both the member’s page and the NAI opt-out page whether data is collected for IBA using non-cookie technology on a specific browser, and the opt-out status; and
- Shows an icon or other disclosure on the NAI’s opt-out page informing consumers of the member’s use of non-cookie technology as well as a link to the member’s site for information about their use of the technology in question.
User Controls
The Beyond Cookie Guidance calls on members to provide an opt-out mechanism, provided on both the members’ respective websites and the NAI’s opt-out page, to give consumers control whether they want data collected via such technologies to be used for IBA. Data collected for non-IBA purposes via non-cookie technologies during an opt-out period may never be used for IBA.
Members will also have to use the NAI’s recently developed opt-out tool – a web-based option that allows a user to set cookies alerting NAI members that the user does not want to participate in IBA – to set opt-out preferences, and learn and honor consumers’ preferences.
User Limitations & Accountability
If a member makes a material change to its IBA data collection and use policies, the member must obtain opt-in consent from consumers before applying those changes to any previously collected data.
Finally, The NAI requires its members to take the following steps for accountability purposes:
- Allow the NAI to conduct “reasonable technical oversight,” or, failing that, work with NAI staff to develop a regimen allowing compliance teams to engage in external technical oversight.
- Members’ opt-out inspection services should give the NAI the means to determine whether ad interest profile changes have been make following a post opt-out decision, or some other method enabling NAI compliance staff to determine member compliance with the Guidance and the Code.
Location Guidance
Under the 2015 Updates to the NAI’s Code, members are required to obtain a user’s opt-in consent to use his or her Precise Location Data (PLA) for IBA purposes. Accordingly, the NAI’s Location Guidance clarifies when location data is considered imprecise, and thus does not require that members obtain the user’s opt-in consent. The NAI provides the following analysis for members to determine whether they are using PLA that requires opt-in consent:
- A member is not using PLA if it does not store or otherwise save location information;
- A member’s use of location information is de facto imprecise if it stores:
- Latitude and longitude coordinates with two or fewer decimal places;
- Location sizes in the form of geographic shapes larger than 785,398 meters2; or
- Information describing a place larger than 785,398 meters2;
- A member may also render a location imprecise if, before storing or saving, it enlarges location coordinates to two or fewer decimal places, increases the geographic shape or size that is stored, or uses only general descriptors of the location (e.g. “coffee shop”).
If a member does not meet these benchmarks, it must determine whether the location is imprecise by considering: (a) the location’s area; (b) the area’s population density; (c) the location data’s accuracy; and (d) the presence and detail of a location’s timestamp. While the NAI says that a member will not be in violation of the Code if it conducts a reasonable analysis using these factors and determines that a location is imprecise, the NAI staff may ask a member to subsequently change its practices.
Practical Effect
While the NAI Code of Conduct and related guidance is only directly binding on members, NAI members generally contractually require non-members – including website and mobile applications owners and advertisers – to abide by the NAI’s data collection and use restrictions. Because NAI’s members include many well-known data collectors and aggregators, the practical effect can be ripples of NAI compliance throughout the interest-based advertising ecosystem.
Third parties who contractually commit to comply with the NAI’s code should familiarize themselves with its requirements, which do vary slightly from the Digital Advertising Alliance’s Self-Regulatory Principles. Moreover, while framed as “guidance,” NAI members should treat these releases less like suggested best practices and more like mandatory steps they need to take to avoid adverse actions by the NAI during compliance reviews.