For the first time in five years, the self-regulatory group Network Advertising Initiative is updating its code of conduct.
At first glance, despite some minor tweaks, the new proposed privacy rules don't appear all that different from the old ones. Generally, the organization still says ad networks (as well as exchanges, demand-side platforms and other third-party ad companies) that engage in behavioral targeting must obtain users' opt-in consent before collecting "personally identifiable information," as well as sensitive information. The group also says that ad networks (and other third parties) should allow people to opt out of receiving ads based on their non-personally identifiable information. As with the previous rules, the new proposed code still requires NAI members to obtain users' opt-in consent before merging PII and non-PII.
The NAI, which has around 90 members, defines "personally identifiable information" as the type of data that could be used to identify individuals, as opposed to their devices. In practical terms, that definition encompasses names, addresses, bank account numbers, even, in some situations, biometrics like "faceprints."
The group defines non-personally identifiable information as data that can be linked to particular computers -- like cookies and IP addresses. The NAI also is creating a new category of "de-identified" data, which can't be linked to either a person or a device.
The NAI's decision to maintain the distinction between PII and non-PII is somewhat surprising, given the growing recognition that people can be identified based on information other than their names, addresses or phone numbers. For instance, search queries aren't generally considered "personally identifiable," but outsiders nonetheless were able to identify people based on their search queries after AOL released three months of queries from 650,000 "anonymized" members.
At the same time, the NAI clearly hopes that maintaining different rules for people's names (or addresses and phone numbers) will protect consumers' privacy by discouraging ad networks from appending personal data to cookies. The group explains its stance by saying that despite "the increasing difficulty in drawing bright lines between PII and non-PII," it nonetheless wants to "continue to encourage the efforts of member companies to take express steps to prevent the non-PII they collect ... from being linked to particular individuals."
The NAI will accept comments on the proposal through April 5.