Best Practices: Non-Marketing Uses of Data
The NAI is proud to publish a new set of best practices, “Using Information Collected for Tailored Advertising or Ad Delivery and Reporting for Non-Marketing Purposes.” While the NAI Code addresses members’ activities regarding the collection of consumer data as it relates to Tailored Advertising or Ad Delivery and Reporting (ADR), this document provides members and industry with a set of privacy-protective best practices for the non-marketing uses of this information. This applies to any data that was collected for Tailored Advertising or ADR and then subsequently used for purposes outside of Tailored Advertising or ADR. These best practices are particularly pertinent to sensitive information, such as Precise Location Information, where consumers would benefit from more detailed just-in-time notice about the uses of this information beyond advertising and marketing. The NAI’s recent guidance on “Opt-In Consent” details how members should provide detailed just-in-time notice when using opted-in data for Tailored Advertising or ADR. These best practices expand on those use cases and discuss uses not covered by the NAI Code. Members and others across industry should consider these best practices when developing policies about the sharing and use of data for various purposes outside of the NAI Code of Conduct.
As the COVID-19 pandemic has revealed, information collected as a result of Tailored Advertising or ADR, particularly location data, can be a valuable resource for public good. Many of our members have collaborated with government agencies and research institutions during this time, sharing aggregate and de-identified data. The NAI supports their efforts and we hope that this document can serve to guide any company that shares information for non-marketing purposes. Members should refer to these Best Practices to determine whether further disclosure of any information would be beneficial to the user, in what form the data can be shared to minimize any privacy risk, and what restrictions could be placed to protect the data.
Best Practice 1: NAI Members should apply a materiality test to determine whether non-marketing uses of information collected for Tailored Advertising or ADR should be explicitly disclosed. For certain categories of data that the NAI considers “Sensitive Information,” which includes Precise Location Information, the NAI requires Opt-In Consent and detailed notice of the proposed uses and sharing of the data. If a member intends to use location information collected for Tailored Advertising or ADR for non-marketing purposes, the NAI recommends applying a materiality test to determine whether that non-marketing purpose should also be disclosed in the just-in-time notices that are already required for Tailored Advertising or ADR purposes. The NAI follows the FTC’s guidance on what constitutes a “material” consideration: The basic question is whether the act or practice is likely to affect the consumer’s conduct or decision with regard to a product or service. The Best Practices provides hypothetical scenarios in which a company may determine that the sharing of data for law enforcement purposes, for example, is material and therefore discloses that in a just-in-time notice.
Best Practice 2: NAI members should use aggregate group data and/or de-identified user-level data whenever possible for non-marketing use cases. In general, the use of aggregate and/or De-Identified Information mitigates privacy risks to individuals because such information does not pertain to an individual user or device. NAI members who share information that requires Opt-In Consent for non-marketing uses should render it de-identified or aggregate it whenever possible, consistent with the purpose for sharing it.
Best Practice 3: NAI members should extend privacy protective NAI Code requirements to the use of information collected for Tailored Advertising or ADR for non-marketing purposes. While the NAI Code applies specifically to data collected for advertising and ADR, the NAI recommends applying the NAI Code requirements of data minimization, use limitations, transfer restrictions, and reasonable security to the sharing of data for non-marketing uses.
To help companies apply the Code, the Best Practices include hypothetical scenarios that provide additional context for non-marketing uses. The NAI recommends that members consider all three best practices in any non-marketing use case–applying the materiality test, sharing data in the most privacy protective manner, and placing restrictions and protections on the further use of the data.
As NAI members continue to innovate and find new uses of information collected as a result of Tailored Advertising or ADR, they should continue to look to the NAI Code as a guide for their activities that do not fall squarely under the scope of the Code. The NAI staff hopes these best practice recommendations will assist NAI members in continuing to develop innovative uses of data and technology in a way that preserves user trust and privacy.