May 25, 2022

Volume XII, Number 145


May 25, 2022

Subscribe to Latest Legal News and Analysis

May 24, 2022

Subscribe to Latest Legal News and Analysis

May 23, 2022

Subscribe to Latest Legal News and Analysis

NAI’s 2020 Code Effective January 1 Along with CCPA

The Network Advertising Initiative, which provides guidance to advertisers who engage in personalized advertising, updated its Code of Conduct (2020 Code) earlier this year to address, inter alia, data collected offline and used for tailored advertising, as well as CCPA and TV-based tailored advertising. In anticipation of the January 1, 2020 effective date of the Code, the NAI recently issued a guidance on how to get “opt-in consent.” While the NAI Code and guidance is applicable only to NAI members, the requirements are important for all to know, since it is these members who typically implement companies’ online behavioral advertising.

Under the 2020 Code, opt-in consent is needed in very specific circumstances. This includes when tailoring ads using sensitive information, precise location data, viewed TV content, and a combination of personal information with previously-collected device information. As NAI members prepare for January 1, companies whose advertisements are tailored based on this information may see the mechanism by which consent is obtained change. This is especially true as the Code has specific provisions about what NAI members should require contractually of others in ad tech ecosystem.

For opt-in consent to be valid, under the guidance, the user must be given a clear explanation of how their information will be used. This would include saying that information would be used for advertising purposes, and being specific about what those advertising purposes are (i.e., tailored advertising, analytics, etc.). The notice should also indicate if information will be shared. The NAI cautions, however, that the short-form notice provided when asking for consent “should not be overly complicated.” To present this notice -and get the requisite opt-in consent- the NAI suggests using an interstitial (pop-up) that requires the user to take an affirmative action to give consent. For example an “allow” or “don’t allow” button.

Of particular interest for those who are not NAI members are the discussions in the guidance about what “reasonable assurances” might look like. The NAI requires that members get “reasonable assurances” that opt-in consent has been obtained (to the extent such opt-in consent was required). Specific contractual requirements must be included for the NAI member to feel it has gotten such assurances. These provisions include contracts that require provision of just-in-time notice and choice. The NAI guidance also encourages using technical measures to make sure opt-in consent is obtained.

Putting it Into Practice: Expect to see an increase in pop-up consents beginning in January, as the ad tech industry addresses the NAI Code’s opt-in consent requirements. Companies who have tailored advertising served based on the collection and use of certain information – including precise location data and PII combined with device identification data – should also expect to see more asked of them contractually by the ad tech industry.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume IX, Number 351

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Elfin Noce Business Trial Attorney

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.


  • Litigation


  • Communications


  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000


  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...