NAI staff will review:

• Whether each NAI member provides a publicly accessible notice on its website that describes the processing of personal data it controls (“Privacy Notice”).
• The content of the Privacy Notice and any additional public-facing disclosure(s) provided by the member.
• Whether the Privacy Notice and any other disclosures (if provided) describe the member company’s processing of personal data that it controls.
• Whether there are any appropriate non-binding recommendations regarding other applicable best practices for transparency.

• Existing NAI Guidance and/or Best Practices: N/A
• Potential future NAI Guidance and/or Best Practices:
  • Privacy Policy Checklist – The NAI may develop a checklist & guidance about the types of information to assess for in Privacy Notices that tracks legal requirements (e.g. information about company personal data collection practices, types of personal data collected, uses, technologies, retention, sharing/disclosure, etc.).
  • Guidance on Notice Generally – The NAI may develop resources explaining requirements for different types of notices recognized by state law and required contents of those notices – e.g. privacy notice, notice at collection, just-in-time, health-specific, etc.
  • The NAI may develop best practices on describing digital advertising technologies to consumers.

NAI staff will review:

• Whether each member company has a process in place describing how the member (1) provides and honors its own method(s) for consumers to signal choice directly to the member about its processing of personal data (e.g. cookie opt-out request tool, email opt-out request tool, etc.), and/or (2) honors a method other than one provided directly by the member for consumers to signal choices about the member’s processing of personal data (e.g., platform flags, opt-out preference signals/universal opt-out mechanisms (such as Global Privacy Control signals).
• The product and technology descriptions (and/or links and URLs leading to those descriptions) provided by the NAI member that involve processing consumer personal data controlled by the member for those activities which require choice under applicable laws.
• Any links, URL(s), or other method(s) for accessing mechanisms (and content thereof) offered directly by the NAI member and enabling consumers to signal choices about the processing of personal data controlled by the member for those activities which require choice under applicable laws.
• Whether there are any appropriate non-binding recommendations regarding other applicable best practices for consumer choice and control.
• The links, URL(s), or other method(s) for accessing mechanisms (and content thereof) that the NAI member recognizes or honors (but not offered directly by the member) enabling consumers to signal choices about the processing of personal data controlled by the member for those activities which require choice under applicable laws.

• Existing guidance and best practices:
  • Best Practices for User Choice and Transparency
  • Best Practices: Non-Marketing Uses of Data
• Potential future guidance and best practices:
  • Signal Passing Provisions (e.g., how to vet & verify signals)
  • GPC Guidance – this could cover just policy/UI implementation, or could also include technical elements like meta-data indicating what implementation of GPC is used.

• Existing tools and standards:
  • NAI Opt-out pages
• Potential future tools and standards:
  • NAI-developed GPC extension

NAI staff will review:

• Whether each member company has implemented a written data governance program that addresses personal data processing across its organization. This program should cover, but is not limited to the following topics:
  • How the member honors consumer opt-out requests it receives.
  • What processes the member has in place to respond to consumer requests in a timely fashion.
  • What steps the member takes to update disclosures to reflect new data processing.
  • What steps the member takes as part of its partner and vendor due diligence.
• Whether there are any appropriate non-binding recommendations regarding other applicable best practices for data governance.

• Existing Guidance and Best Practices: N/A
• Potential future guidance and best practices:
  • Contracting Guidance/Checklist
  • Vendor Due Diligence Guidance
  • DPIA checklist and best practices
  • Personal Data Minimization best practices
  • Interoperability best practices: Potential guidance for open standard methods for technical interoperability, defined as the business-initiated “high-quality, continuous, real-time exchange of information,” which is fundamental to decentralized competition and choice as well as organizational measures to distinguish personal data and non-personal data used in their interoperable exchanges with other organizations.

• Existing tools and standards:
  • NAI State Law Processing Addendum
  • NAI Privacy Consultation Questionnaire
  • NAI Best Practices: Non-Marketing Uses of Data
• Potential future tools and standards:
  • Model DPIAs for:
    • Targeted advertising
    • Precise location
    • De-identified & pseudonymous data use
  • De-identification approaches for Common Match Keys
  • Open Web Real-time Transport standards (e.g., HTTP)
  • Open Web Real-time Storage standards (e.g., cookie files for browsers)

NAI staff will review:

• Whether a member has implemented an internal policy that:
  • Allows the member to assess whether personal data is sensitive.
  • Is designed to ensure that the member’s processing of sensitive personal data is limited to legally permitted purposes, including, as applicable, purposes disclosed to or consented by the consumer.
  • Outlines additional safeguards the member has in place when processing sensitive personal data in those jurisdictions that place additional requirements around the processing of sensitive information.
  • Provides for regular risk assessments to identify and mitigate risks associated with the processing of sensitive personal data.
• NAI staff may also review for and make non-binding recommendations regarding other applicable best practices for processing sensitive personal data.

The NAI has, and will continue to create best practices and/or guidance to help companies minimize their use of sensitive personal data, obtain consent for the use of sensitive personal information, and develop best practices for the use of inferences in areas where existing law is silent or unclear, including:

• Existing Guidance and Best Practices:
  • NAI Legal & Regulatory Analysis: Sensitive Health Advertising
  • Demographic Health Advertising Best Practices
  • Best Practices for User Choice and Transparency
  • Best Practices: Non-Marketing Uses of Data

• Potential future guidance and best practices:
  • NAI Precise Location Data Best Practices (under development)

• Existing Tools and standards:
  • Precise Location Information Solution Provider Voluntary Enhanced Standards