FAQs

The NAI’s mission to promote high standards for privacy in digital advertising has not changed, and we are confident that membership in the NAI will continue to demonstrate a strong commitment to developing and adhering to privacy best practices. Members will still need to adhere to a foundational set of privacy and data governance principles, and to align their privacy programs and operations to such principles. In addition, the NAI’s guidance and best practices will complement the Framework’s principles, and help members establish processes for compliance with legal requirements. Finally, a key distinction of NAI membership, a required annual privacy review, will continue under the new Framework. This review process, which will include both a written questionnaire and meetings with NAI staff, will help NAI members implement and promote best practices while confirming adherence to the Principles.

However, in a dynamic legal and regulatory environment, a flexible approach to self-regulation focused on compliance processes better serves our membership and better supports adherence to privacy best practices that also contribute to legal compliance. As such, the NAI’s new approach to self-regulation emphasizes processes that member companies must undertake as part of their membership instead of prescriptive self-regulatory requirements that may not align with state law. 

For example, the new sensitive data principle requires member companies to have processes in place to identify sensitive data and implement additional safeguards for processing that data. Because different state laws have highly variable definitions and treatments of sensitive data (e.g. different categories, different choice standards for opt-in/opt-out), this requirement for having strong processes in place helps members handle sensitive data responsibly without the NAI adding the equivalent of a 51st state law with our own unique interpretation for what categories are sensitive. 

The NAI offers its members many impactful benefits (more info here). The self-regulatory program specifically provides the following benefits:

1. Commitment to and demonstration of a mature privacy program needed to meet both the process and substance requirements set out in the Principles. 
2. Participation in the annual Privacy Review Program as a privacy “check-up” that helps members consider their own privacy programs as they confirm adherence to the Principles.
3. The ability to contribute to the development of industry leading privacy guidance and best practices through a community of thought leaders and privacy professionals.

The NAI’s objective is to establish a flexible framework based on a set of foundational principles. The NAI continues to develop and update industry best practices, guidelines, and voluntary standards that are consistent with current legal requirements for responsible data collection and use. The NAI seeks to achieve this in the face of an evolving legal landscape characterized by multiple state privacy laws and uncertainty surrounding potential state and federal policy changes. Therefore, the intention is not to create new or different requirements through the Framework, but to provide a foundation for responsible industry behavior that aligns with current legal compliance efforts, and to heighten standards where existing law is silent, vague or inconsistent with voluntary enhanced standards that companies can commit to as an added benefit where appropriate.

No, the NAI does not believe that it is practical for third party organizations to effectively interpret and enforce U.S. privacy legal compliance in the current disparate and evolving legal environment. As of February 2025, there are approximately 20 comprehensive state privacy laws, many with significant variance in their definitions and requirements, along with myriad other state and federal laws and regulations. New privacy laws are introduced in virtually every legislative session, including at the federal level.  

Therefore, the NAI is not attempting to synthesize all of those requirements into a new version of a detailed, prescriptive code of conduct. Indeed, we believe any attempt to do so would ultimately fall short and be short-lived.

Instead, the new Principles are intended to be consistent with state law requirements and flexible enough to support compliance with them, even as they continue to undergo changes over time. The NAI plans to continue developing and offering best practices and guidance to help members stay informed about privacy legal requirements in the U.S., and to promote best practices for complying with them. The NAI Framework will serve as scaffolding for those more detailed supporting documents. 

Participation in the Privacy Review Program every year continues to be a requirement for NAI membership and a key differentiator that sets the NAI program, and its members, apart from other industry efforts. The new Privacy Review Program will, however, change to focus on processes and programs that help companies meet their legal requirements. Going forward, these reviews will focus on two main elements:

1. Confirming that members have adequate processes in place to adhere to the NAI Principles – this is the “compliance” element of the Privacy Review Program.
2. Discussing how voluntary standards, guidance, and best practices promulgated by the NAI relate to the member’s business, as well as providing context for how meeting those best practices can facilitate compliance with privacy law requirements.

The result of the NAI’s implementation of this new Framework is that members going through this program are in a position to demonstrate that they have a mature privacy program focused on keeping pace with evolving legal requirements. New state laws present a substantial focus on data protection assessments, which are substantially consistent with the long-standing role of the NAI. Therefore, the Framework seeks to track and support companies’ assessments. For example, a written data governance program that addresses how internal changes to data policy are reflected in public-facing disclosures is a core element of compliance with the data governance principle. 

While this is less prescriptive than previous NAI Code requirements such as requiring members to list specific items in their privacy policies, it’s substantially beneficial for companies to receive oversight and guidance about these decisions, particularly from an organization like the NAI with decades of knowledge and experience about ad-tech practices and a mission to raise the bar across the industry.