Fortune recently published an article expressing concern about the potential misuse of sensitive personal data in digital advertising. User activity online and across mobile apps is often highly personal and potentially sensitive, and the NAI agrees that any potential misuse of sensitive information, in advertising or otherwise, raises serious privacy concerns.
The protection of sensitive data has long been a key pillar of the NAI Code of Conduct, which prohibits NAI member companies from using sensitive data for interest-based advertising without opt-in consent. Even if a user does provide opt-in consent to receive interest-based ads based on sensitive data, NAI members are prohibited outright from using or sharing any information collected for interest-based advertising for eligibility purposes. For example, an NAI member could not disclose to a life or health insurance company that a user is associated with a cancer interest category for insurance or coverage eligibility purposes, nor to an employer or prospective employer for employment eligibility purposes.
Of course, the concerns raised in the Fortune article do not exist in a vacuum. The article references a European complaint brought by privacy advocates relating to a “taxonomy” of digital content developed by the Interactive Advertising Bureau (IAB). The taxonomy provides publishers and other digital content creators with a standard system to classify what kinds of content they provide through their websites, mobile apps, and other online platforms. The categories in the IAB taxonomy range from benign, such as “amusement and theme parks,” to highly sensitive, such as “sexual health conditions.” The sensitive categories identified in the article broadly overlap with categories the NAI treats as sensitive under its Code of Conduct. These include, but are not limited to, health categories such as cancer, mental health, and sexually transmitted diseases.
However, the existence of this taxonomy and the fact that it includes sensitive categories does not imply that companies are using sensitive personal data to target advertising to various individuals. Rather, the content categories IAB has standardized for use in digital advertising are primarily used by websites, mobile apps, and other online platforms to communicate to advertisers what kind of content they host on their properties. This allows them, for example, to sell space for contextual advertisements that are not tailored to particular web browsers or devices. In practice, this would enable a website that publishes general information about the symptoms of and treatments for sensitive health conditions to tag its own content with categories in the IAB taxonomy. This in turn would allow advertisers (like, e.g. health clinics or pharmaceutical companies) to advertise on the site without targeting individual site visitors. Content tags also allow brand advertisers to make decisions about where their ads will appear for brand integrity purposes. For example, some advertisers may be particularly interested in advertising on, or particularly keen to avoid advertising on, a site that has tagged its content with certain religious or political categories.
The NAI and our membership go to great lengths to prevent the misuse of sensitive data in interest-based advertising. However, we also recognize that there are some bad actors who don’t adhere to our high bar. That is why NAI membership, adherence to the NAI Code of Conduct, and accountability through annual compliance reviews by the NAI staff are so important for building and maintaining trust in the digital advertising ecosystem. Further, the NAI ensures that consumers can choose whether to participate in interest-based advertising using our central, easy-to-use opt-out tool. Finally, the NAI strongly supports a federal privacy framework that would require all companies to adhere to the privacy-protective practices established by our Code. That framework should leverage existing industry self-regulation by creating a strong safe harbor program, which would assist the FTC with enforcement efforts and provide certainty to companies with a compliance mindset.