• by Wendy Davis  @wendyndavis, March 10, 2025

The self-regulatory group Network Advertising Initiative, which represents ad-tech companies, is no longer requiring members to follow a privacy code that imposed specific restrictions on the collection and use of consumers' data.

Instead, the organization has issued a “framework” that requires members to disclose how they process consumers' data, follow applicable state and federal laws, and have procedures to determine compliance.

President and CEO Leigh Freund says the shift was driven by the raft of new state privacy laws, some of which impose requirements that differ from those of the group's former code.

“We didn't want to be a 51st state law,” Freund says. 

The group's general counsel, Tony Ficarrotta, adds that the organization “is not looking to set prescriptive requirements for members that are independent of their existing legal obligations in the U.S.”

“We think we can better serve our members by helping them understand what their obligations look like,” he adds.

The shift represents a significant change for the organization, which first issued a privacy code in 2000. While some specifics have changed over time, the code always broadly required companies to allow consumers to opt out of receiving ads based on non-sensitive data collected across sites and apps, and to obtain express consent from consumers before using sensitive data for ad targeting. The most recent update to the now-defunct code took effect in 2020, when the organization prohibited ad-tech companies and other members from sending behaviorally targeted ads to anyone younger than 16.

The new framework does not explicitly require members to allow consumers to opt out of online behavioral advertising. Instead, the framework only requires companies to let consumers opt out of the processing of their data if an applicable law requires companies to do so.

To date, 19 states have enacted comprehensive consumer privacy laws, according to the privacy focused nonprofit IAPP (formerly International Association of Privacy Professionals), but not all of those laws require companies to let consumers reject online behavioral advertising.

For instance, laws in states including Tennessee, Iowa and Indiana don't appear to appear to give consumers the right to reject ad targeting based on pseudonymous data -- provided that the pseudonymous information isn't linked to an “identified or identifiable natural person.”