CDT Analysis: Online Advertising Self-Regulatory Effort Improves, But Still Fails to Fully Protect Consumers
For immediate release
December 16, 2008
 WASHINGTON–The Internet advertising industry today took a meaningful step toward protecting consumer privacy by completing a major update of the Network Advertising Initiative Self-Regulatory Code of Conduct. However, while the updated NAI principles address important concerns, they also fall short on several issues, leaving holes in consumer protection that must be plugged by federal privacy legislation, according to an analysis by the Center for Democracy and Technology.
 "The members of the NAI are to be commended for taking real steps to protect consumers, but even the best industry self-regulatory effort only goes so far," said Alissa Cooper, CDT’s chief computer scientist. "We still need a comprehensive consumer privacy law in the United States."
Created by the online advertising industry in 2000, the NAI is one of the Internet’s longest-standing industry self-regulatory efforts. The 2008 NAI Principles represent the industry’s first major effort to respond to emerging issues such as behavioral targeting and online profiling. Although the update indicates NAI’s willingness to adapt to a changing technological landscape, CDT’s analysis of the document found several troubling oversights.
Encouraging developments in the NAI principles include expanded coverage of business models beyond the NAI’s original narrow conception of behavioral advertising. Responding to criticisms by CDT and others that companies engaged in a wide array of data collection and use practices should be held to the NAI standards, the NAI has extended many of its principles to apply to a much broader swath of advertising business models. Another positive: transparency. The updated NAI principles were created in an open environment and with public participation, which led to the development of a more substantive, relevant set of principles.
One of the most disappointing aspects of the updated principles is that the NAI decided to retain its original, widely discredited definition of "opt-out." Consumers must be provided simple mechanisms to request that marketers not collect their information. The "opt-out cookies" allowed under the NAI principles are simply not that mechanism. In the past eight years, the NAI should have had plenty of time to develop a clear, easy-to-use and accessible opt-out standard that honors consumer choices.
Other issues, like a substandard notice requirement, ineffective compliance requirements and a failure to address a key form of behavioral advertising, also mar the principles.
Although some of the problems with the updated principles can and should be addressed through further public consultation and policy development, no amount of self regulation in the privacy space will address the underlying uncertainty that comes from the United States having no comprehensive consumer privacy law.
"The 2008 NAI process epitomizes both the value and major limitations of industry self-regulation," CDT Deputy Director Ari Schwartz said. "A lot of the specifics in this case have been pushed to future implementations guidelines. CDT urges NAI to clarify those areas in the next three to six months instead of the years we’ve waited in the past for changes."
 The full CDT analysis is here:  http://www.cdt.org/privacy/20081216_NAIresponse.pdf
