Audience-Matched Advertising Opt Out Member Guidance
The Network Advertising Initiative’s 2020 Code of Conduct expands the scope of activities it covers to include all uses of previously collected user-level data for Tailored Advertising across websites and applications, as well as on covered devices. One result of the 2020 NAI Code’s expanded scope is that offline data onboarded for use in tailoring digital advertising through a matchpoint derived from PII is now covered as a subset of Tailored Advertising. The 2020 NAI Code defines this practice as Audience-Matched Advertising (AMA).1
Because AMA is a form of Tailored Advertising under the 2020 NAI Code, members engaged in AMA must comply with new obligations when the 2020 NAI Code goes into effect, including new consumer choice obligations. Specifically:
“An Opt-Out Mechanism for a member’s use of PII or hashed PII shall apply to the member’s use of that PII or hashed PII for Tailored Advertising on all devices and shall be made available on both the member’s website and on the NAI website. If an NAI member uses types of PII or hashed PII that are not supported by the NAI Opt-Out Mechanism, and are not linked to the types of PII or hashed PII supported by the NAI Opt-Out Mechanism, the member shall provide an Opt-Out Mechanism for such PII or hashed PII directly on the member’s site.”2
The NAI has recently finalized the technical specification for a centralized Opt Out Mechanism for AMA based on email addresses (the “Centralized AMA Opt Out”) that will help members engaged in AMA to meet this new obligation.
This blog post aims to provide clarity regarding which NAI members will need to provide their own opt out for AMA, which members will need to integrate with the NAI’s Centralized AMA Opt Out, and what obligations fall to members who engage in AMA indirectly through third parties. The blog post will then outline a number of other policies related to AMA opt outs.
NAI Member Obligations According to Business Practice
1. NAI members directly onboarding offline data
a. If an NAI member engages in AMA directly using PII or hashed PII in their own systems as a match-point for onboarding, that member must provide an Opt-Out Mechanism linked to the PII or hashed PII they use for that purpose. This Opt-Out Mechanism must allow users to provide their PII to the member company, so that the PII can be opted out from AMA on a going-forward basis.
i. If an NAI member uses email addresses as the match point for AMA, in either plaintext or hashed format, the member must integrate with the NAI’s Centralized AMA Opt Out. The NAI member must also provide a link to the NAI’s Centralized AMA Opt Out in its privacy policy with an explanation of where the link will take a user.
ii. If an NAI member uses forms of PII or hashed PII other than an email address as a matchpoint, and those forms of PII or hashed PII are not also linked to an email address, that member must separately provide an Opt-Out Mechanism for such data-points on the member’s own website. For example, if an NAI member uses mobile phone numbers or hashed mobile phone numbers as match-points, the member must provide a way for users to enter their mobile phone number to be opted out of AMA on a going-forward basis.
2. NAI members that encounter PII, in hashed or plaintext format, in their systems but pass it on to a third-party for onboarding
a. If an NAI member encounters PII, in hashed or plaintext format, in its systems but forwards that data to a third-party for onboarding for AMA purposes, the NAI member will need to develop its own Opt-Out Mechanism for AMA, consistent with the requirements of point 1.a.
i. If an NAI member encounters email addresses, in either plaintext or hashed format, the member must integrate with the NAI’s Centralized AMA Opt Out. The NAI member must also provide a link to the NAI’s Centralized AMA Opt Out in its privacy policy with an explanation of where the link will take a user, consistent with the requirements of point 1.a.i.
ii. If an NAI member encounters forms of PII or hashed PII in its systems, other than an email address as a matchpoint, and those forms of PII or hashed PII are not also linked to an email address, that member must separately provide an Opt-Out Mechanism for such data-points on the member’s own website, consistent with the requirements of point 1.a.ii.
3. NAI members that utilize third parties for onboarding offline data
a. If an NAI member at no point encounters hashed or plaintext PII in its systems but engages a third party to onboard offline data on its behalf, for AMA purposes, the NAI member must contractually require the third party to offer an Opt-Out Mechanism linked to hashed or plaintext PII, consistent with the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies. Additionally, the NAI member should provide a link in its privacy policy to the third party’s AMA Opt-Out Mechanism.
4. NAI members that license onboarded AMA data from third-party data providers
a. If an NAI member licenses data from a third-party data provider that includes a consumer’s onboarded AMA data, the NAI member must contractually require the third-party data provider to offer an Opt-Out Mechanism linked to hashed or plaintext PII, consistent with the with the NAI member’s obligations under the “Responsible Sources” requirement of the Code3 and the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies.
5. NAI members that operate a service platform that makes onboarded data from third-party data providers available to the member’s clients
a. If an NAI member operates a service platform that makes onboarded data from third-party data providers available to the member’s clients for AMA purposes, the NAI member must contractually require the third-party data provider to offer an Opt-Out Mechanism linked to hashed or plaintext PII consistent with the requirements of point 1.a. aside from the requirement for the integration with the NAI’s Centralized AMA Opt Out, which is available only to NAI member companies.
6. NAI members that provide functionality that allows its clients to match its online identifiers with PII or hashed PII in its’ clients’ possession for AMA
a. If an NAI member provides functionality that allows its clients to match its online identifiers with PII or hashed PII in its clients’ possession for AMA, the NAI member must contractually require the partner to represent that the user has permitted Audience-Matched Advertising by providing Opt-In Consent directly to that client.
Other Audience-Matched Advertising Opt Out Related Policies
Service Provider Exemption
According to the Commentary to the 2020 NAI Code of Conduct, “an NAI member acting purely as a service provider to an advertiser client, who does not retain any individual rights to the data processed on behalf of the client, may continue to engage in Audience-Matched Advertising on behalf of that client, even in the presence of an opt out linked to a user’s PII, if the client contractually represents that the user has permitted Audience-Matched Advertising by providing Opt-In Consent directly to that client.”
This exemption reflects the NAI’s belief that when a user has provided an advertiser with Opt-In Consent for that advertiser’s use of their PII for AMA, that consent extends to the advertiser’s agents, including NAI members acting purely as service providers to the advertiser. A user seeking to revoke consent for an advertiser’s use of their PII for AMA in that scenario should direct their request to the advertiser, not the advertiser’s service provider.
If an NAI member retains any rights to the onboarded data, or the PII or hashed PII used as a matchpoint and provided by the client and used to onboard the data, the member may not claim the service-provider exemption. For example, if an NAI member onboards data on behalf of a client, and subsequently uses the match to bolster or authenticate its own Cross-Device Linking mechanism, that member is not acting as only a service provider on behalf of the client.
Conversely, NAI members who do not directly engage in AMA, but permit advertiser clients to onboard their own data by attaching PII, such as an internal customer number, to online identifiers provided by the member company, are involved in AMA purely as a service provider if the member company does not receive any information regarding the link between an online identifier and PII, or is not permitted to use such information for the member’s own purposes. In such cases, the member must ensure that the advertiser client has obtained the user’s Opt-In Consent directly, for such uses of the data by the client.
If you believe that your company may qualify for this exemption please reach out to the NAI compliance team (compliance@networkadvertising.org) to confirm.
Use of Data Received to Effectuate an Audience-Matched Advertising Opt Out
Regardless of whether NAI members receive hashed or plaintext PII from an AMA Opt-Out Mechanism, NAI members may only use that hashed or plaintext PII to maintain a user’s opt-out preference.
Opt-Out Duration
The duration of an opt out from AMA is indefinite. However, members may ask users to opt back in twelve months after the opt out was expressed. As noted above, NAI members may not use PII or hashed PII for any purpose except to maintain a user’s opt-out preference, and so may not contact the user via email in asking them to reconsider their choice, but they may present a message to the user during regular app or web use, for example if the user is encountered at a typical match event at least twelve months after having opted out.
In cases where local regulations or legislation require NAI members to delete data (even if that data is being retained exclusively for maintaining a consumer’s AMA opt-out preference) after a given time, NAI members must comply with such regulation or legislation.
Timescale for Processing AMA Opt Outs
NAI members should effectuate AMA Opt Outs in their systems within 10 days of receipt of an AMA opt-out request.
1 “Audience-Matched Advertising is the practice of using data linked, or previously linked, to Personally-Identified Information (PII) for the purpose of tailoring advertising on one or more unaffiliated web domains or applications, or on devices, based on preferences or interests known or inferred from such data.” – 2020 NAI Code of Conduct, Section I.B.
2 2020 NAI Code of Conduct, § II.C.3.
3 2020 NAI Code of Conduct § III.F.2.