The NAI Self-Regulatory Program

The new NAI Self-Regulatory Framework (the “NAI Framework”) is effective for NAI members beginning Feb 1, 2025. The NAI Framework supersedes and replaces the 2020 NAI Code of Conduct.

Membership in the NAI requires participation in the NAI Framework. The purpose of the NAI Framework is to promote strong privacy practices for NAI members engaged in Network Advertising (defined below).

The NAI Framework is comprised of the following:

• The NAI Principles for Privacy in Network Advertising (the “NAI Principles”) – adherence to the NAI Principles is required for NAI members, and sets forth baseline privacy standards for NAI members.
• Standards of review for each Principle that will serve as a guide for NAI’s annual privacy consultations with members.
• Privacy guidance, tools, and best-practices that are intended to help members adhere to the NAI Principles, as well as to assist them in developing processes for compliance with privacy legal requirements in the U.S.

The NAI Framework applies to Network Advertising undertaken by NAI members in the United States. Network Advertising is data-driven, digital advertising involving interoperable exchanges of personal data used for or derived from the selection, delivery, and measurement of such advertising. It may include activities that support “sales,” “shares,” “cross-context behavioral advertising,” “targeted advertising,” or similar practices as defined by applicable laws in the United States. Network Advertising does not limit its scope to the use of particular technologies, and may be carried out via cookies, APIs, server-to-server transfers, privacy enhancing technologies, or other methods. As such, Network Advertising is agnostic to the technologies used and the types of devices (e.g., web browsers, mobile devices, or CTVs) where data is collected or used for these purposes. However, Network Advertising does not include digital advertising that is selected, delivered, and measured entirely by a single controller relying solely on personal data obtained or derived from the users of its owned-and-operated properties unless it involves exchanges of personal data.