Skip to content
logo
Support
For Members
Search
Contact
Want to Opt Out?

NAI Template State Law Processing Addendum FAQ

What problem are we trying to address?

The host of state laws taking effect in 2023 impose numerous requirements for contracting with both service providers and third parties. In addition, those transacting in the ad tech space sometimes act as service providers/processors (such as when a user is opted out, or to perform basic ads functions) and sometimes act as third parties (such as where they engage in targeted advertising) and need a consistent set of rules and contractual obligations for signaling where they play each role and what obligations they undertake for each. The set of terms below is intended to be a model that NAI members and others can use to comply with these new state laws with respect to transfers of data to other entities. 

What does this set of terms cover?

The terms are limited to use for advertising-related transactions in the United States including RTB transactions, upload of or collection of personal information for purposes of showing targeted ads on other sites or services or for ad measurement purposes and showing of ads on a publisher’s site. The terms do not address the use of sensitive information, including processes for obtaining or passing consent to process sensitive information.

How should this template be used?

  1. These terms are intended to supplement an underlying agreement between the parties and not to cover the full scope of the parties’ relationship, to impose commercial terms, or to allocate liability. 
  2. While the parties may update the names of the parties as they wish, the default phrasing allows either party to act as either a disclosing party or a receiving party.

What this template is not intended to do?

  1. This document is not intended to be used: 1) for other forms of sales of personal information, such as providing personal information to a data broker in return for money; nor 2) for EU data or for compliance with any other jurisdiction’s laws. 
  2. This document does not address the use of sensitive information, including processes for obtaining or passing consent to process such information. To the extent the parties share such information, obligations related to such information should be addressed independent of these terms.  
  3. It does not achieve privity between all signatories. Should member companies want the NAI to work on ways to achieve broader privity or otherwise plug into other industry solutions, we are happy to discuss ways we can leverage the work we have already done here to do so. 

How are the terms structured?

The document is intentionally high-level and agnostic as to the type of parties involved, contemplating one or both being the disclosing party or the receiving party. While the parties may update the names to “Disclosing Party” and “Receiving Party” for one-way flows of data, the intent of such terms is to allow for two-way flows.

The template addendum is structured similarly to terms recently published by major social media platforms in light of updates to state laws: 1) general obligations that apply to both parties under the state laws; 2) terms that govern the transfer of personal information to “Third Parties” as mandated by the CPRA; 3) processor terms that apply only when the Restricted Processing Signal is present; and 4) other general contractual terms — i.e. amendment and conflicts. Some key concepts reflected in the template addendum: 

  1. Under these terms, the default state is to transfer data to others as “third parties” or as independent controllers, wherein the receiving party may use the data for purposes that are considered “selling,” “sharing,” or “targeted advertising” under the state laws (but not for any non-advertising purposes such as eligibility decisions). 
  2. Where the parties wish to have the other entity act as a processor or service provider (because the individual consumer has opted out of “sales,” “sharing,” or “targeted advertising”), they must signal such designation.
  3.  Such signal may be an industry-wide signal such as those adopted by the IAB or a proprietary signal as determined by the parties and is referred to in these terms as a Restricted Processing Signal. 
  4. Where such signal is present, the receiving party agrees to act as a processor/service provider with all the attendant obligations provided by the state laws and to use the data for more limited purposes, referred to as “Restricted Purposes” in this document. Of note, the terms reflect a concept of joint processing similar to that adopted in the MSPA in an attempt to address concerns about service providers/processors “combining” personal information collected across clients reflected in the current draft CPRA regulations. 

What is the NAI’s approach?

The NAI’s goal in drafting these terms was to keep them as short and simple as possible while also addressing the numerous and detailed obligations imposed by the state laws. We have heard from most members that they prefer a single, national approach rather than state-by-state systems that are complicated to implement and yield little advantage as a practical matter. As a result, wherever the state laws reflect minor and likely inconsequential differences in their definitions or treatment of a topic, the terms abstract that concept into a simple and yet compliant obligation. Similarly, rather than porting over defined terms from state laws, these terms refer out to the terms used in the laws.  The terms are intended to allow for seamless negotiation and consistent terms across the ecosystem (similar to how the IAB’s Standard Media Buying terms are used, with companies familiar with the concepts in those documents and able to agree to them without having lawyers re-review or re-negotiate them for each deal).

What laws does this cover? 

The following states with enacted omnibus consumer privacy laws: California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia. If other states enact substantively similar laws, the addendum could apply with minor revisions. 

How does this template interact with the IAB’s Multi-State Privacy Agreement (MSPA)?

This template aims to help companies comply with state law contractual requirements with respect to their advertising related transactions in the United States. This can be used independently to help meet companies satisfy these obligations, or serve as the backstop where a party has signed onto the MSPA but a) is contracting with a party that has not signed onto the MSPA, or b) when both parties have signed the MSPA and elect to not have the MSPA apply to a given transaction.

How does this template work for opted out signals for joint business and joint service provider status, for the purposes of measurement, frequency capping, and attribution?

At this time, you would execute your activities in accordance with the statutory requirements and the terms of your agreement. Under Colorado, Virginia, Connecticut, and Utah law, the definition of “targeted advertising” includes a carve out for measurement and frequency capping. California law, however, does not include such a carve out. Without contractual restrictions in place regarding an ad tech provider’s use or disclosure of personal information, there is a risk that entities cannot perform these activities as a service provider such that disclosures for that purpose would risk being considered a sale under California law. Regulators have not provided further clarification on anything further.