The NAI's
Annual Report
2025

Under the Framework, each member company must provide transparency into its processing of personal data. In reviewing these practices, the NAI staff inquired about each member’s notice that describes the processing of personal data it controls, reviewed the content of the notice and public-facing disclosures, and provided recommendations and considerations regarding applicable best practices for transparency.

The NAI staff found the vast majority of member companies disclosing the processing of the personal data in detail, and providing notices outlining the personal data the member collects, the categories collected, the sources of collection, and the purpose of the processing. While the NAI staff did provide recommendations to some members about how they could improve the clarity of the purposes for processing or sharing or describe the partners to whom the company discloses information in more detail, largely the notices adhered to the NAI Framework. The NAI staff noted required action items in some cases where references to deprecated NAI tools were outdated, and also suggested members provide more comprehensive notices in one place for all consumers (as opposed to, for example, in a state level notice).

Timely Updates

The principle of transparency is important under law and under the NAI Principles, and timely updates to consumer-facing disclosures with relevant changes are an important part of adhering to the principle of transparency. Given that the NAI sunset its legacy consumer choice tools in 2025 and replaced them with a GPC browser extension and other resources, the NAI staff focused on reviewing members’ websites to ensure members update disclosures so consumers will be able to locate appropriate choice mechanisms. Similarly, the NAI staff reviewed disclosures and flagged links to outdated policies. Staff advised members to refresh those links, add “last updated” dates as part of the disclosures and verify all links function as intended so consumers receive accurate information.

State regulators in Connecticut, Minnesota, and Delaware have made clear that they will treat outdated timestamps as an indicator that a company is not maintaining its notices in alignment with modern practices and requirements, and have cited stale notices in enforcement contexts. The California Consumer Privacy Act (CCPA) requires businesses to update their privacy policies at least every twelve months, which is a cadence that the NAI staff was able to remind several members of as they considered their next planned updates. The risk associated with longer spans without updated notices is compounded for ad-tech companies where innovation can drive more frequent changes in business activities. The NAI staff recommends that members treat the “last updated” date as a compliance consideration in its own right. Even where substantive changes to data practices are minimal, periodic review and refresh of consumer-facing disclosures demonstrates an ongoing attention to transparency that regulators now expect to see.

Declarative Rights

Under the transparency principle, the NAI staff also discussed with members the importance of clarity regarding consumer rights. Members typically had privacy policies that included both notice to consumers about their privacy rights, as well as sections that outline how to exercise those rights. Some members would include conditional phrasing in their privacy notices, such as “you may have certain data rights under state privacy laws,” “depending on where you live,” and “residents of certain U.S. states.” Notices that took this approach would typically include a list of states that had specific privacy laws, but sometimes would inadvertently omit states with recently enacted comprehensive privacy laws. With twenty states now having operative privacy statutes, and more on the way, failing to timely update disclosures may result in residents of some states not being properly informed of their rights, a common issue which regulators are taking note of. State regulators have actively and specifically rejected the approach where companies include conditional phrasing such as “you may have certain data rights under state privacy laws.”² During reviews, the NAI staff surfaced a clear and converging enforcement signal from multiple state regulators: conditional phrasing is not just a stylistic weakness—it is being considered by regulators as evidence of legal noncompliance.³

Given the regulators’ statements, the NAI staff amplified that message during privacy reviews to businesses who could improve on clarity for consumers. The NAI staff consistently pointed members toward two possible compliance paths: either (1) plainly stating that all U.S. consumers may exercise the enumerated rights (where accurate), or (2) providing an explicit, maintained list of covered states that is updated as new laws come into force. The NAI staff observed that many members were moving in the direction of broadly applying rights and already stating that all U.S. consumers may exercise the certain rights (particularly opt outs), and the review process facilitated direct conversations about practical approaches to evolving privacy notices and aligning consumer choice tools and rights request portals. In these conversations, it was apparent that members are carefully balancing the considerations for a single consolidated notice compared with state-specific listings and the burden of maintaining updated state law references and rights portals and tools that track various states’ requirements.

Variation of Certain Rights Among the States

While states have largely coalesced around providing consumers certain privacy rights (e.g., the right to request access, deletion, correction), other provisions related to consumer rights have a broader range of divergence among the states. For example, the scope of an authorized agent’s ability to exercise rights on behalf of consumers, a consumer’s right to appeal a controller’s response to a rights request, and a controller’s obligation to provide information about third-party disclosures of personal information vary between different comprehensive state privacy laws and present additional complexity for companies working to operationalize compliance.

The NAI staff developed member-only resource materials to assist companies in their compliance efforts for authorized agent rights and requests, as well as appeal rights. The NAI staff highlighted regulator guidance on these points, such as Indiana’s Data Consumer Bill of Rights document, which emphasized the need to include the entire appeals process in the privacy policy, as well as the need to provide resources for where a consumer can report a complaint to the Office of the Indiana Attorney General.⁴

Deciding how to effectively provide transparency into third-party sharing of personal data is one of the most nuanced notice issues members face, as specific expectations appear to vary meaningfully depending on which state’s law applies, and in what context. The NAI staff flagged this divergence in state approaches across numerous member reviews. The core tension in the approaches is that states address this obligation in two structurally different ways: (1) through what must appear in the privacy policy, and (2) through what must be provided in response to a consumer access request. These two tracks carry different requirements, which can present challenges for companies seeking to apply a consistent approach.

A number of states⁵ permit (or require) privacy policies to list categories of third parties rather than specific company names. This approach offers meaningful operational flexibility, as a member can disclose categories like “analytics companies,” “data brokers,” “third-party advertisers,” and “payment processors” without naming every individual partner⁶ (which can, in some circumstances, implicate trade secrets). Colorado’s regulations add important nuance, however: they specify that category-level disclosure must be at a “sufficiently granular level of detail” that gives consumers a meaningful understanding of the type of, business model of, or processing conducted by the third party.⁷ Oregon’s consumer privacy law similarly requires that privacy notices describe all categories of third parties “at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data[.]”⁸

One of the more operationally difficult parts of the third-party disclosure landscape involves states that require disclosure of specific third-party names. Minnesota’s Consumer Data Privacy Act gives consumers the right to obtain a list of the specific third parties to which the controller has disclosed their personal data.⁹ Oregon takes a similar approach to access requests, requiring disclosure of specific third parties when requested by the consumer, as opposed to the more common approach of providing categories of third parties in access requests.¹⁰

Further complicating the landscape, Rhode Island’s data privacy law, which came into force on January 1, 2026, requires controllers to disclose the names of specific third parties to whom “personally identifiable information” has been sold directly in the privacy policy. This requirement is particularly challenging for ad-tech members because Rhode Island has not defined “personally identifiable information” in the statute, even though it is a distinct term from “personal data,” and that creates interpretive uncertainty.¹¹ Equally notable, unlike the CCPA and other states’ express trade-secret protection, Rhode Island does not appear to include a comparably explicit trade-secret carve-out—creating doubt as to whether companies can omit the names of some or all partners on proprietary grounds.¹²

In discussions with member companies, the NAI staff discussed practical approaches to entity-level transparency in this fragmented landscape and how it can pose a significant challenge: members with large, dynamic publisher and exchange partner ecosystems must now consider whether maintaining a continuously updated, publicly posted list of named third-party recipients is operationally feasible, legally required, and competitively defensible. Furthermore, as states revise their statutes, as Connecticut has (with a new right to third party disclosure of specific entities coming into force this summer),¹³ businesses must continue to monitor and revise their compliance posture on this important point.

Transparency of Opt Outs and the Global Privacy Control

Transparency of the scope of opt outs and consumer controls was a major priority for privacy reviews. Given regulator focus on companies not only honoring consumer choice but also providing transparency into the scope of the control, the NAI staff spoke with member companies at length about disclosure language concerning choice mechanisms, such as Opt-Out Preference Signal detection, processing and scope. With regulators actively enforcing on this point—and in particular CalPrivacy’s enforcement action against Tractor Supply, which penalized the company not only for failing to honor Opt-Out Preference Signals, such as the Global Privacy Control (GPC), but for failing to explain in its privacy policy how those signals would be honored—the NAI staff reinforced that regulators not only expect tools to effectively provide for consumer choice, but also that businesses accurately describe these choices to consumers in privacy notices.¹⁴

With this in mind, the NAI staff analyzed privacy policies for disclosures and prompted members to reflect on their posture as to GPC, the ability to detect GPC, how it was described in the notice, and whether there was a display indicating to the consumer whether and how GPC was processed. The NAI staff and members discussed how to distinguish the GPC scoping from any older “Do Not Track” notices, and informed members about regulations that govern expected scoping of opt outs.¹⁵ For example, the NAI staff closely analyzed disclosures for descriptions of whether the GPC as an opt-out signal would cover the device, the browser, associated consumer profiles, and/or pseudonymous profiles. California’s enforcement action against Disney noted that consumers who opted out through GPC “were opted out from Disney’s data sharing with ad-tech partners, but only for the specific service and device the consumer was using when they requested to opt-out, even if they were logged in to their Disney account” and underscores both the need to implement the opt-out and also that it is an enforcement priority. The importance of this issue was also highlighted by the fact that Connecticut regulators announced a collaboration with California and Colorado in a joint investigative sweep focused on GPC compliance; an effort that spotlights the scrutiny disclosures face and the trend of state regulators working together to elevate messaging.¹⁶

The NAI staff also closely examined the opt-out mechanisms members provided directly on members’ websites and the language used to describe and scope those mechanisms. Regulators expect opt-out mechanisms to describe the consumer’s right to opt out and provide instructions for how consumers may submit a request.¹⁷ With this in mind, the NAI staff encouraged members to provide clear instructions and use statutorily defined terms, such as “targeted advertising,” “sale/sharing,” and “profiling,” when describing the scope of an opt-out mechanism. Similar to evaluations of opt-out preference signal-related disclosures, the NAI staff also closely examined whether members’ opt-out mechanisms sufficiently described its application to a consumer’s device, browser, associated consumer profiles, and/or pseudonymous profiles.

Under the Framework, each member company must offer consumers method(s) to signal a choice about how the company processes their personal data, for those activities which require choice under applicable laws. The NAI staff reviewed each member company’s process in place describing how the member provides and honors methods for consumers to signal choice about processing of personal data. The NAI staff also reviewed those activities which require choice under applicable laws and provided recommendations and considerations regarding applicable best practices for consumer choice and control.

Reviewing Consumer-Facing Tools

In this initial privacy review cycle under the Framework, the NAI staff focused on consumer choice and usability of consumer-facing tools. The NAI staff aligned its priorities with those identified by state regulators, noting that a top priority across the states was to ensure companies are receiving and responding to consumer requests, with a particular focus on company websites and consumer-facing portals.¹⁸ To accomplish this, the NAI incorporated website testing and utilized inbox submissions to assist members in understanding how their consumer-facing tools are working in practice. The NAI staff amplified warnings from state regulators where they made known that they are sending test emails to companies’ privacy inboxes to monitor response times. As part of the review, the NAI staff submitted test requests to opt-out mechanisms and Data Subject Access Request (DSAR) portals, emailed messages to inboxes and monitored for responses, reviewed cookie banners and settings, and evaluated how member company webpages behaved when a GPC signal was present, among other measures.

On the whole, the NAI staff found a strong record of timely and substantive responses from member companies, reflecting the meaningful investments member companies have made in privacy compliance and operations. For example, members typically provide thoughtfully designed choice mechanisms that are clearly presented to consumers and effectuate choice immediately upon submission. In addition, many members have tools designed to surface information requested by consumers in a timely response, and with thoughtful and proportionate verification measures. Nevertheless, the reviews surfaced a range of technical and usability issues and identified opportunities for members to improve their practices. Among the most common technical issues observed were outdated or broken links within privacy disclosures and opt-out sections, missing confirmation emails that left NAI testers without any indication that their requests were received, “endless scroll” barriers that could obscure access to choice mechanisms, and broken CAPTCHAs. The NAI staff also observed instances where privacy preference center pages failed to load properly when common browser privacy tools or extensions were enabled, raising the concern that the very consumers most actively seeking to exercise their rights may find it more challenging to do so.

The NAI staff also reviewed cookie banners closely, and accompanying disclosures. The majority of companies had cookie banners and prominent, accessible statements about the use of cookies. Some companies also provided more granular disclosures concerning different categories of cookies, such as those that are “necessary,” as compared to others that might relate to marketing and advertising. The NAI staff urged some member companies to review their cookie policy disclosures and the categorizations reflected in their cookie preference tools to ensure accuracy and consistency. In several instances, the NAI staff observed potential discrepancies between how cookies were described in policies and how they were categorized within cookie tools, which could create confusion for consumers. At times, it appeared that the names of cookies or classifications of certain cookies as “necessary” could be revised to better align with consumer expectations. For example, some cookies categorized as “necessary” appeared to support analytics or advertising related functions, rather than being strictly required for the site to operate.

In addition, the NAI suggested some member companies using third-party vendors to provide cookie management tools consider whether the names and public-facing descriptions of the cookies are sufficiently clear and accurate and do not mislead consumers. In some cases, vendor-provided cookie names or descriptions are highly technical or abbreviated, making it difficult for consumers to meaningfully understand the function of the cookie without additional context. Companies should consider whether these descriptions can be clarified to improve transparency. In addition, the NAI suggested that if partners with cookies were previously listed in a privacy policy, it may make sense to revise that approach and refer the consumer to the cookie tool for such information, rather than trying to keep a dynamic list updated in a policy. The NAI staff noted that given the evolving nature of vendor relationships and tracking technologies, ensuring that disclosures are consistent across the policy and consent tool and reflect current practices will reduce the likelihood of consumer confusion.

Symmetry in Choice & Design

In 2025, the NAI staff observed continued heightened regulatory scrutiny over user experience (UX) best practices, particularly the need to design user-friendly cookie banners and preference centers and consumer controls that avoid dark patterns. While this has been an ongoing priority, CalPrivacy’s enforcement action against Honda provided helpful guidance for offering symmetry in choice, noting that the path for a consumer to exercise a more privacy-protective option cannot be longer, more difficult, or more time-consuming than the path to exercise a less privacy-protective option, effectively stating that opt-out workflows cannot be harder than opt-in workflows. This led to the NAI staff having conversations with several members to clarify that regulators may expect that cookie tools that feature a clear “Accept All” button, for example, should also then present a clear “Reject All” button. In practice, many NAI member companies had thoughtfully designed pathways to enable consumers to utilize mechanisms. The NAI staff raised with some members the importance of clearly labeling all opt-out mechanisms, including any toggles, with an understanding that interfaces should not assume user knowledge about what is the default or that a given toggle would effectuate an opt-out of sale and sharing and not an opt-in.

The NAI staff also identified and flagged a range of design issues that are at risk of falling short of emerging best practices. Several members’ opt-out and DSAR flows included points of unnecessary friction for consumers, such as requiring consumers to provide more personal information than necessary to implement an opt-out request. Furthermore, the NAI staff discussed what regulators have classified as verifiable rights compared to non-verifiable “Opt-Out of Sale/Share” requests from consumers. As CalPrivacy’s Honda decision drew a sharp line between verifiable consumer requests (such as requests to know, correct, and delete) and non-verifiable consumer requests (such as requests to opt-out of sale/sharing and requests to limit the use of sensitive personal information), there are emerging best practices on ensuring the use of identity verification (such as an email confirmation, a signed affidavit, or providing a government ID) is limited only to those requests that allow for it, such as requests to delete, requests to correct, and requests to know.¹⁹ The NAI staff also noted that CalPrivacy’s enforcement action against Ford also found that requiring consumers to confirm their email address before processing an opt-out request effectively imposed a verification requirement that created unnecessary friction and prevented the company from processing some opt-out requests unless consumers completed that additional step. Where member companies may have appeared to require personal information to implement an opt out, staff discussed what information may be strictly necessary to process the opt-out and where eliminating verification measures from opt-out workflows would be a more favorable posture. The NAI staff also reflected to members that they should ensure the information provided is clear and readily accessible to consumers; and website or tool designs cannot require a user to scroll down through a lengthy privacy policy, or click “read more” to locate relevant information for a choice or links for submitting a request.²⁰

Though California Attorney General’s matter against Disney was announced further into the Privacy Review Program review cycle, it serves to highlight how confusing partially effectuated opt-outs can be for consumers, and how partial opt-outs could be viewed as deceptive practices by regulators.²¹ When managing opt-outs across different services and devices, or through various opt-out mechanisms, members were reminded to be clear on the effective scope of the tool and encouraged to rigorously evaluate their methods and confidence for implementing choice and communicate any limitations clearly to consumers (such as articulating any limit to how an opt out can be implemented or how long an opt out can persist) to avoid subverting consumer choice.

Data Rights Requests & The Back-End Data Reality

Data subject access and deletion requests are increasingly interpreted by state regulators as broad requests that extend beyond simply providing a user with their visible account information. Insights from the Oregon Department of Justice's One-Year OCPA Enforcement Report²² explicitly address this issue, warning companies that relying solely on “self-help” or account-centric tools to satisfy consumer rights requests may not comprehensively cover the scope of the rights. The report emphasizes that when consumers request a copy of their data or ask for its deletion, controllers have a strict obligation to provide all data, which includes derived and “back-end” data. For many companies, providing back-end data, which may encompass modeled marketing profiles, audience segments, and inferred shopping patterns, can be time- and resource-intensive, as they may need to pull down and format each consumer request. Moreover, certain companies that may have particularly sensitive data have to continually evaluate the sensitivity of the data against the verification measures they are able to use to validate whether an access request should be granted.²³

During discussion of the challenges accompanying access and deletion requests, several members articulated that satisfying a single access request can be further complicated by the reality of data silos across the digital advertising ecosystem. Because a consumer’s information rarely lives in a single, centralized database, businesses often face the significant operational challenge of querying highly distributed data environments to retrieve or delete the necessary records. This task could include tracking down personal data that may have been securely hashed and pushed into data clean rooms, shared with offline onboarding partners, or fragmented across various internal analytics and measurement platforms. As the NAI staff reminded member companies, the Oregon enforcement report makes clear that a business cannot satisfy its legal obligations by leaving out data from distributed environments; instead, it must ensure its DSAR fulfillment processes are robust and provide both raw and derived data from across services, even if needing to draw on disparate silos of data.

Deletion Requests

Beyond the initial retrieval of data, businesses must also grapple with the complexities of cascading both access and deletion requests to ensure a consumer’s request is comprehensively effectuated. When a consumer submits a deletion request, the controller must ensure that this is effectively passed downstream to processors, vendors, and partners who have received the data. Methods for notifying others about deletion requests vary widely, from manual email updates with file attachments, to shared files in the cloud, to fully automated technical integrations.

Those member companies that registered as data brokers in California, in particular, experienced a large spike in deletion requests relative to their size. Some smaller companies that previously received very few or no requests before registration then saw a growth in requests from dozens to hundreds or so of requests per month once registered. Other companies experienced a more severe spike in deletion requests, with several companies attributing the large increase in requests to authorized agents. These companies otherwise noted seeing a moderate increase in individual consumer requests. Where there is an uptick in authorized agent requests, many members continue to struggle with an “actionability gap” as they are provided data from incoming deletion requests that does not allow the member to match the request with data the member company has (e.g., a MAID is not provided), or the necessary verification step is not completed by the consumer (or their agent).

Member companies must also currently navigate state privacy laws that are split on the scope of the deletion right. Where a minority of states (California, Iowa, and Utah) limit deletion rights only to data the consumer provided directly, the vast majority of state privacy laws now give consumers a broader right to delete all personal data a controller has concerning them, which would include data obtained from third parties.²⁴ The NAI consistently highlighted the importance of maintaining comprehensive and thoughtful data maps across all internal systems to best understand where personal data about any given consumer is coming from.

The NAI staff also spoke with some member companies about the importance of ensuring that personal data is purged and putting in place measures to ensure that the data remains deleted over time. This represents another obligation that requires strict additional controls and sophisticated data governance. In response, some member companies noted they anticipate some friction when implementing consumer deletion requests, as data may reemerge through data sources and repopulate a deleted profile, such as may occur when a consumer changes their phone number or gets a new email address.

GPC Implementation of Opt Outs

Beyond analyzing user interfaces, the NAI staff replicated the testing methodology employed by some regulators on business websites, such as A/B testing a webpage with GPC enabled and GPC disabled to observe which third-party tracking tags fire and which cookies are dropped in each state. In some cases, it was unclear whether a member’s website limited tracking when a GPC signal was active, and in some instances staff did not observe one or more valid GPC specifications being detected by certain tools used in testing. During reviews, there was also some discussion about how there are technical limitations where GPC signals received through websites may not be broadly implemented across the member’s services due to an inability to match the browser signal to other services. The NAI staff emphasized the importance of closely evaluating the technical reach of an opt out, especially for those members who maintain device graphs, as regulators in California made clear through enforcement that a business limiting the opt-out request received via GPC to the specific device the consumer was using, even when the consumer was logged into their account across several other devices, would be treated as a deceptive practice.²⁵ However, rightsizing the scope for an opt out may be challenging for businesses, particularly where device graphs are probabilistic and not deterministic. Among probabilistic device graphs there may be a risk of either over-matching and opting out the wrong person or device, or under-matching and failing to fully opt out the right person or device. Moreover, as confidence in a device’s association with other devices or browsers or individuals may evolve over time (as is the nature of probabilistic device graphs), so too may the ability to track and honor the opt out.

In addition, the scope of the opt-out preference signal and whether it would be respected for consumers in states without specific legal requirements to honor such a signal was also a question for some members. Providing consumers with adequate information to understand what a signal would actually accomplish is important to ensure consumer expectations are met and not frustrated. The NAI staff also flagged for members a new and visible CCPA regulatory requirement that took effect January 1, 2026: businesses are now required to display on their website whether a consumer's Opt-Out Preference Signal has been processed as a valid request to opt out of sale or sharing.²⁶

Because regulators increasingly treat a company’s public-facing website and privacy notice as visible indicators of its potential overall compliance posture, the NAI staff highlighted that regulators would expect websites to detect and process GPC signals regardless of whether a company primarily operates in a business-to-business (B2B) context. Even if a B2B company processes very limited personal information through its website and has a website only for business clients, regulatory bodies are actively testing these sites to see if businesses are correctly detecting and processing GPC signals. The NAI staff reinforced that the absence of GPC-related disclosures or functioning opt-out capabilities on a publicly accessible B2B website could draw regulators’ attention and broader scrutiny of privacy practices.

Under the Framework, each member company must limit its processing of sensitive personal data to disclosed purposes (and purposes consented to by the consumer as required by applicable laws) and provide additional safeguards when processing such data. During reviews, the NAI staff asked questions about the internal policies members have in place for assessing when personal information may be sensitive. This included closely examining the various types of health-adjacent data members may collect and process, as well as any information that is derived or inferred from nonhealth information. If it is determined that a member does process sensitive personal data, the NAI staff would review relevant safeguards, disclosures, as well as how and when the member obtains the relevant consent or ensures such consent is obtained on its behalf.

The Challenge of Classifying “Sensitive Data”

Members have overwhelmingly developed internal policies for classifying sensitive personal data. However, given the evolving and somewhat varied frameworks for determining when personal information meets a higher threshold of sensitivity that requires heightened protections, the NAI staff observed a lack of uniformity for classifying sensitive data amongst members. Concerning health data specifically, the NAI staff observed a wide variety of approaches taken at the state level to define health-related sensitive personal data, and the challenges these different approaches present to members. For example, some states define health-related sensitive personal data narrowly, limiting the classification only to data revealing a mental or physical health diagnosis, whereas other states take a broader approach that envelops all data identifying a consumer’s past, present, or future physical or mental health status.²⁷

Beyond statutory definitions, the NAI staff also paid close attention to enforcement actions that provide additional context on when personal data should be classified as sensitive and often during Privacy Reviews raised matters for members’ consideration. For example, in the settlement between the California Attorney General and HealthLine Media, there was strong emphasis placed on the CCPA’s provisions that limit the use of personal information for only those purposes that are consistent with the reasonable expectations of the consumer.²⁸ Known as the “purpose limitation principle,” its application in the Healthline matter suggests that there may be varying degrees of data sensitivity, and that the sharing of personal data “of a more intimate nature” with third parties may be unlawful when consumers would not expect that to happen.

In the face of this complexity, there are a range of compliance approaches that the NAI staff observed during Privacy Reviews: (1) members attempting to force simplicity by over-classifying any information related to health as sensitive and therefore subjecting the data processing to heightened requirements; (2) members under-classifying what constitutes sensitive personal data, or failing to recognize in certain cases where a broader category of data could meet various legal definitions, creating a compliance gap; or (3) members choosing to withdraw altogether from jurisdictions where they perceive risk that almost any data processing could trigger broad definitions of what is sensitive.

To support consistent, well-reasoned sensitivity classifications for health data, the NAI staff developed a Factor Analysis for Health-Related Sensitive Personal Information as a tool to assist members with the growing challenge of classifying health-related sensitive data.²⁹ The tool acknowledges that health data sensitivity often emerges from a confluence of factors: how data is collected, what it contains; how it is used; and what risks it creates. For those members struggling with the complexity of reasoning through sensitivity classifications, the NAI recommended the adoption of this tool, and encouraged members to pay close attention to the concerns of regulators regarding the types of data that should be classified as sensitive under state and federal law.

Disclosure, Consent, and the “Limit the Use” Choice Mechanism

Those members that process sensitive personal data for Network Advertising, must adhere to a stricter—and in some ways more fragmented—regulatory framework. However, despite the disjointed approach to regulating sensitive personal data at the state level, there is a universal understanding that the processing of sensitive personal data carries a heightened risk of harm to consumers that warrants increased transparency and choice. For example, some states have explicit requirements to disclose the categories of sensitive personal data collected and the specific purposes for the processing.³⁰ As part of the privacy review, the NAI staff evaluated privacy notices and other disclosures to understand how members currently approach these heightened disclosure requirements. Overall, members that are knowingly processing sensitive personal data have sufficiently disclosed the categories of sensitive personal data they collect and the purposes for the processing.³¹

As the vast majority of state comprehensive privacy laws require opt-in consent to process sensitive personal data,³² members that are knowingly processing sensitive personal data have taken varying approaches for either obtaining consent, or verifying that proper consent has been obtained when the data was initially collected. Indeed, consent obligations are generally tied to the processing of sensitive personal data, not merely its collection.³³ This means that a controller receiving sensitive personal data from a partner to use for advertising likely needs valid consent for its own processing and cannot simply rely on the fact that the partner obtained consent for its separate use of the data. As such, consent language needs to be transparent and encompass all intended uses of the data—including downstream uses for advertising.

For these reasons, the NAI encouraged members that are processing sensitive personal data to go beyond contractual provisions concerning consent to conduct due diligence and review the consent language presented to consumers. For members that partner with a small number of publishers, this task is relatively easy and manageable, and can be done by reviewing each individual publisher or asking each publisher to provide screenshots of the relevant consent prompt. However, the NAI encouraged members that partner with a large number of publishers providing sensitive data to conduct necessary due diligence, recognizing it may be approached in a more scalable manner.

California is unique in that its comprehensive privacy law requires providing a conspicuous link titled “Limit the Use of My Sensitive Personal Information” when a business is processing sensitive personal data for purposes outside of what is strictly necessary.³⁴ Known as a Limit the Use mechanism, it must be offered alongside California’s other distinct “Do Not Sell or Share My Personal Information” mechanism. With few exceptions, NAI members are well attuned to these requirements, and often bundle these mechanisms under a single “Your Privacy Choices” alternative opt-out link.³⁵

Precise Geolocation Data

During the 2025 Privacy Review cycle, the NAI staff again emphasized to member companies that precise geolocation data remains one of the most sensitive and heavily scrutinized categories of data in the digital advertising ecosystem. Recent state laws in Maryland and Oregon introduced strict limitations on the sale of precise geolocation data, representing a meaningful shift from prior state law frameworks that primarily relied on notice and choice. Rather than conditioning processing on consumer consent alone, these laws impose categorical restrictions that directly constrain how location data may be used and monetized.

These restrictions have had significant and, in some cases, immediate operational implications for companies engaged in location-based advertising. In practice, some companies scaled back or discontinued certain location-based activities, while others reassessed whether to operate in particular state markets at all. These responses reflect the extent to which the new legal requirements are reshaping core business practices, rather than simply requiring incremental compliance adjustments.

In response to these two state laws, NAI members and their partners have made significant adjustments to their standard business models. Some companies have chosen to withdraw certain location-based services from these jurisdictions altogether, rather than attempt to redesign those offerings within the new constraints. As a result, certain products and use cases that depend on precise geolocation (such as in-store visitation measurement or attribution of advertising to real-world outcomes) may no longer be available in those states. Other companies have continued operating in these jurisdictions, but with more limited functionality. In practice, this has generally involved restricting or eliminating the use of precise geolocation data in those contexts and limiting services to those that can be supported without relying on that data. While these approaches allow for continued operation, they can materially reduce the effectiveness and precision of advertising and analytics capabilities, highlighting the tradeoffs companies are making to navigate evolving legal requirements.

Compliance through Technical Measures

As there has been greater scrutiny of the use of precise geolocation information, many companies are exploring and adopting technical measures to reduce the sensitivity of location data while preserving utility. One method observed in the reviews is the truncation of IP-derived location data, such as limiting precision to two decimal places. While these approaches may reduce granularity, they also raise important questions about whether such transformations meaningfully mitigate sensitivity under emerging legal standards, particularly where re-identification risks may remain, or where the data can still be used (alone or in combination with other data) to approximate a user’s precise location or visits to sensitive points of interest. Regulators are increasingly focused not just on how data is labeled, but on whether it can still reveal precise or sensitive insights about individuals in practice.³⁶

In speaking with members that process precise geolocation data, the need for robust filtering of sensitive points of interest remained a key compliance challenge for some. Across reviews, companies demonstrated varying levels of maturity in identifying and excluding locations that may reveal sensitive characteristics, such as healthcare facilities, places of worship, or other locations tied to intimate aspects of individuals’ lives. This issue has taken on heightened importance in light of recent legal developments, including state laws that specifically call out health-related location data as requiring enhanced protections. Notably, New York’s geofencing law prohibits the establishment of a geofence of 1,850 feet or less around a healthcare facility for the purpose of delivering digital advertisements, building consumer profiles, or inferring an individual’s health status or treatment. Since the development of the NAI's Voluntary Enhanced Standards for Location Information Solution Providers in 2022, the NAI has been encouraging members to identify sensitive locations and take steps not to process or share precise geolocation data related to these locations. In the NAI's privacy reviews with members, the NAI staff highlighted the consistent focus of regulators on data related to sensitive locations and promoted the NAI's Voluntary Enhanced Standards.

New state regulations and increased scrutiny of the use of geolocation information, particularly data that can approximate visits to sensitive points of interest, such as health facilities and places of worship, reinforce that compliance in this space must be an ongoing function requiring continuous refinement and validation.

Meaningful & Informed Consent

Regulators and enforcement actions continue to emphasize that the collection and use of precise geolocation data must be grounded in meaningful, informed consent. This expectation extends beyond the initial point of collection to the broader data supply chain, meaning that companies that receive or rely on location data are increasingly expected to conduct due diligence and implement contractual safeguards to ensure that upstream partners, such as app publishers and SDK providers, are obtaining valid consent.³⁷ As a result, accountability for consent is no longer limited to the first-party interface; instead, it is distributed across all participants in the ecosystem.

Recent enforcement actions further illustrate this regulatory focus. State and federal regulators have demonstrated a willingness to bring cases where location data practices are perceived to reveal sensitive information or where consumer expectations are not met.³⁸ Regulators are increasingly evaluating these practices holistically, examining not only technical compliance, but also considering the sensitivity of the data and whether the overall use of the data aligns with consumer disclosures and expectations.

Precise Location Information Solution Provider Voluntary Enhanced Standards

The NAI’s Precise Location Information Solution Provider Voluntary Enhanced Standards (“VES”) represent the NAI’s accountability mechanism for the subset of member companies (known as “signatories”) that collect precise location data and use it to provide location-based audience segments or analytical services. Signatories voluntarily sign on to the VES, which prohibit the use, sale, and transfer of U.S. consumer precise location information related to Sensitive Points of Interest (SPOIs), and separately prohibit the use, sale, or sharing of any U.S. consumer precise location information for law enforcement or national security purposes, except where needed to comply with a valid legal requirement. In 2024, the NAI updated the VES to clarify how nationally recognized industry classification systems, such as the North American Industry Classification System (NAICS), can be used to identify sensitive locations and operationalize a process that aligns with the standards, a practical update aimed at improving consistency and administrability across signatories.

The annual accountability reviews of VES signatories surfaced important lessons about how companies are implementing the standards in practice and where the most persistent operational challenges lie. One of the most significant findings concerns the methods signatories use to comprehensively identify SPOIs. Across signatories, the NAI staff observed a range of approaches, including licensing third-party point-of-interest databases, conducting manual location audits, and applying keyword-based search methodologies to classify location data. No single approach has emerged as definitive. Signatories expressed a shared desire for more resources on this front to strengthen the collective reliability of sensitive location filtering. At the same time, they are acutely aware of the inherent limitations of any SPOI dataset, as it represents a best effort at a moment in time; its coverage is constrained by the availability of sources to quality-check against and its durability over time cannot be fully guaranteed. The NAI staff is actively considering what additional resources and coordination mechanisms could support signatories in this work.

Temporary sensitive locations were consistently a challenge identified in VES privacy reviews, given the nature of these geographic locations that are sensitive only during specific events or timeframes, such as a convention center hosting a health-related conference or a park used for a religious gathering. Identifying these dynamically sensitive locations is significantly more resource-intensive than maintaining a static SPOI directory, and current methodologies are limited in the ability to capture this category. The NAI is continually evaluating what practices or tools could help address these challenges, and encourage members to include contractual limitations and the innovation of techniques to more comprehensively capture SPOIs.

Two additional findings from the VES reviews merit recognition. First, the NAI staff observed that several signatories have developed SPOI categories that go beyond what the VES expressly requires to classify additional location types as sensitive. Examples include the classification of parts of Native American reservations and firearms-related locations—such as gun stores and shooting ranges—as SPOIs. This kind of voluntary expansion of protections reflects a mature privacy culture and a proactive posture toward consumer protection that aligns with the spirit of the NAI Framework. Second, in discussions about business practices, signatories reported that they routinely decline business opportunities they assess as carrying unacceptable privacy risk, which the NAI sees as an indication that the values embedded in the VES are integrated into commercial decision-making, and rather than treated as a separate compliance exercise.

Finally, the NAI staff asked signatories about the volume of law enforcement requests they have received for consumer location data—a topic that has drawn significant public and regulatory scrutiny. The responses indicated that the volume of such requests has not been overwhelming. Importantly, signatories reported that they evaluate each such request carefully, asking whether it is properly propounded and narrowly tailored before any response is provided. These processes reflect the kind of principled gatekeeping that the VES were designed to encourage, and they offer a model for how industry can maintain meaningful accountability over government access to sensitive data.

Children’s Privacy

During Privacy Reviews, the NAI staff discussed the topic of children’s data with member companies, focusing on strong compliance and increased activity by both regulators and legislators. The NAI staff provided member companies with updates on developments in the space among enforcement agencies, and often provided links to resources about new and unfolding efforts among industry, as well as state and federal regulators, to ensure members are forward-thinking in compliance efforts related to children’s data.³⁹ The enforcement of these laws is somewhat in flux, as there have been several constitutional challenges that are being actively litigated.⁴⁰

Amidst the evolving landscape of privacy laws in force, the NAI staff highlighted the importance of members continuing to evaluate their entire data ecosystem, particularly regarding app-level data sources. Specifically, members should consider whether and how contracts with partners and data source vendors address app-level data sources. It is essential for members to continue assessing the presence of children and app-sourced data within their ecosystems. Members whose business model does not include processing children’s data should confirm that other parties are both doing their due diligence with regard to any appropriate age verification APIs and then follow through and do not share children's information with members.⁴¹

During Privacy Review meetings, the NAI staff also encouraged members to consider reviewing and updating their privacy policies to clarify the company’s approach to minors’ data in light of the evolving state privacy laws. There is a growing trend among states placing restrictions on the collection and processing of personal data of consumers under the age of 18—rather than 16, the threshold used in earlier laws. This can be seen with the Maryland Online Data Privacy Act (MODPA), which went into effect on October 1, 2025, and prohibits controllers from processing the personal data of a consumer for targeted advertising or selling the personal data of a consumer if the controller knew or should have known that the consumer is under the age of 18. Additionally, Colorado’s Children’s Privacy Amendment, which also went into effect on October 1, 2025, prohibits controllers from knowingly processing the personal data of minors (under age 18) for the purposes of targeted advertising, sale, and profiling without consent. The NAI staff encouraged members to consider reviewing their privacy disclosures and consider raising the age threshold to 18, if they have not done so already.

Under the NAI’s Framework, each member company must take steps to ensure that its processing of personal data comports with its commitments and legal obligations. The NAI staff reviewed member companies for whether each had implemented a written data governance program that addresses personal data processing across its organization. In particular, the NAI staff inquired about whether there was written data governance about how the member honors consumer opt-out requests it receives; processes the member has in place to respond to consumer requests in a timely fashion; steps the member takes to update disclosures to reflect new data processing; and steps the member takes as part of its partner and vendor due diligence. The NAI staff provided recommendations and considerations regarding applicable best practices for data governance.

Data Governance Programs

In our reviews, many members had satisfactory written data governance documentation in place. As this principle did not have a predecessor element in the NAI’s previous codes, it was adopted as a signal to members about the importance of developing and documenting responsible data stewardship. It is understood that state law often requires policies, and regulators frequently ask to see more written evidence for how practices are memorialized, how expectations are communicated to employees, and how companies demonstrate consistency in following the processes. Data governance is also growing in importance as it helps members ensure that data is well managed (with proper consents and known provenance, for example) to then be prepared for potential uses of data for AI and govern the risk and compliance for those areas. The NAI staff highlighted the need to have written records of how companies would recognize and respond to consumer opt-outs and exercising of rights, and required members to take steps to develop such written data governance where needed, to be in adherence with the Framework’s Principle on Data Governance.

The emphasis on written data governance reflects a broader regulatory environment in which federal and state privacy regulators are increasingly expecting companies to evidence their processes through documented policies and procedures—not just verbal assurances or ad hoc practices that are documented only when requested. For example, CCPA regulations require businesses that receive, sell, or share the personal information of 10 million or more consumers annually to establish, document, and comply with a training policy for staff handling consumer requests.⁴² The DOJ Rule on Preventing Access to Americans’ Bulk Sensitive Personal Data (DOJ Bulk Data Rule) similarly requires covered entities to maintain a written Data Compliance Program, including annual certification of written policies and procedures. Regulators are increasingly focused not only on whether data governance processes are written down, but also on whether those policies are communicated to staff through regular training and manuals, and employee training on adherence to data governance programs should not be glossed over by businesses. This focus on employee training underscores that written documentation is becoming a baseline expectation for demonstrating accountability to both self-regulatory bodies and government enforcers.

To support members in meeting these expectations, the NAI produced a new Data Governance Checklist and Template, designed to assist members in formalizing and memorializing their processes in line with both the NAI Principles and federal and state regulators’ expectations. The tool walks members through key considerations for developing an effective written data governance program and provides a template policy as a starting point. It also highlighted certain laws that impose specific obligations around sensitive data, including the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), the DOJ Rule, and state-specific geolocation and health data laws, such as Oregon’s geolocation restrictions, Maryland’s consumer health data provisions, New York’s geofencing law applicable to healthcare facilities, and Washington’s My Health My Data Act. By providing this resource, the NAI aims to help members both meet evolving privacy standards and build the kind of documented compliance infrastructure that positions them well as regulatory scrutiny continues to intensify.

Cross-Border Data Protection

The federal government’s increased efforts to limit national-security risks posed by the sale of Americans’ sensitive data to foreign adversaries have created new obligations for member companies that rely on the collection and use of data for advertising. The DOJ Bulk Data Rule and PADFAA incorporate new diligence measures and require additional assessments of partners and their data practices.

In reviewing member responses to the 2025 Privacy Review Questionnaire, the NAI observed a wide range of steps taken with respect to the DOJ Bulk Data Rule and PADFAA. A number of member companies reported sophisticated, multi-step frameworks to address obligations that included data flow mapping, transfer impact assessments, third-party screening systems, and transaction evaluation checklists. The most common compliance action reported by members was an update to contracts and data processing agreements to include representations and warranties that counterparties are not “covered persons” or otherwise connected to countries of concern. Some companies’ compliance programs reflected a broader approach where they would identify restricted and prohibited transactions, conduct robust due diligence before onboarding new partners, embed required clauses in contracts, and establish ongoing audit and oversight processes. Members that have taken these more comprehensive steps were positioned to identify and address potential gaps before they became operational risks, as enforcement appears to ramp up.

The NAI staff observed that a number of members are seeking greater clarity on the relationship between the DOJ Rule and PADFAA, and in particular, on where compliance strategies for the two frameworks should diverge. Several members noted that they had taken measures to address obligations for both laws, and acknowledged uncertainty about whether meaningful distinctions warranted differentiated approaches.

During Privacy Review meetings, the NAI staff encouraged members to carefully evaluate the full scope of these laws, including the laws’ definitions of data and identifiers that are broadly classified as sensitive, and review how the companies are performing due diligence on customers, partners, and vendors, particularly for any foreign-controlled entities, and to consult with counsel where applicability is uncertain.