UPDATE TO THE
NAI Mobile
Application Code
2015
June 2017
INTRODUCTION
The 2015 update to the NAI Mobile Application Code (App Code) governs NAI members’
“Cross-App Advertising” and “Ad Delivery and Reporting” activities as defined herein. This code does
not govern members’ activities insofar as they act as first parties or as “service providers” who collect and
use data solely on behalf of a single first party. To the extent members collect data on mobile devices
across websites owned or operated by different entities, that activity will be governed by the NAI Code of
Conduct (Code).[1] Although different member activities may be covered by both the Code of Conduct and
the App Code, the NAI believes that the mobile and desktop ecosystems are rapidly converging. It is the
NAI’s intention to keep the high-level principles of notice, choice, and transparency consistent between its
The NAI recognizes that the mobile advertising ecosystem is rapidly developing new technologies
and business models to take advantage of the unique opportunities afforded by mobile devices.[2] As a
result, the NAI acknowledges that defining an effective App Code may require, at least initially, regular
iterations, with full notice and participation by stakeholders. Accordingly, this 2015 update to the Mobile
Application Code further takes into account feedback from NAI member companies and others in the
mobile advertising ecosystem, regarding the practical implementation of certain provisions of the original
NAI Mobile Application Code published in 2013. This update also seeks to harmonize the App Code with
the 2015 Update to the NAI Code of Conduct. The NAI may publish from time to time additional guidance
documents related to requirements in the App Code. The App Code includes both code provisions
and commentary. The purpose of the commentary sections in this App Code is not to add substantive
obligations on members or to alter the principles set forth in the App Code itself. Instead, the commentary
explains the intent behind certain provisions of the App Code and provides non-binding illustrative
guidance on methods through which members can meet the substantive obligations herein.
The App Code’s requirements inform both consumers and businesses that NAI members implement, honor
and maintain high standards for data collection for Cross-App Advertising – increasing trust across the entire
ecosystem. The App Code is a self-regulatory code. The NAI recognizes that the application of the App
Code may involve subjective judgments and that technical, operational and policy questions may affect
such judgments. For that reason it is the intent that the NAI, as a self-regulatory body, is the final arbiter of
how the App Code applies to its members’ practices in any given instance. Only the NAI staff is authorized
to interpret the requirements of the App Code and to evaluate compliance with and enforce violations
of the App Code. If NAI staff determines that there is an instance of non-compliance with the App Code
by a member, and if a member refuses to implement the recommended steps to bring its practices into
compliance, the NAI enforcement procedures allow NAI to refer the matter to the Federal Trade Commission
(FTC). In making such a referral, NAI does not ask the FTC to interpret the App Code, but simply to address
the member’s failure to comply with the NAI’s interpretation and application of the App Code.
[1] The 2015 Update to the NAI Code of Conduct is available at
https://www.networkadvertising.org/sites/default/files/NAI_Code15encr.pdf. When necessary,
mobile-specific implementation guidance may be provided as a supplement to the 2015 Update to
the NAI Code of Conduct.
[2] This App Code covers the collection and use of data across applications on mobile devices. While the NAI recognizes that apps
will expand their reach and use across the ecosystem to devices such as TVs, game consoles and wearables, the App Code does not
extend to those environments.
2015 UPDATE TO THE NAI MOBILE APPLICATION CODE
I. Definitions
A. CROSS-APP ADVERTISING
Cross-App Advertising means the collection of data through applications owned or operated by
different entities on a particular device for the purpose of delivering advertising based on preferences
or interests known or inferred from the data collected.
Commentary: Cross-App Advertising does not include the collection or use, for advertising purposes,
of De-Identified Data. Cross-App Advertising also does not include “contextual advertising,” in
which the ad selected depends upon the content of the application in which it is served. Cross-App
Advertising does not include “first party” marketing, in which first parties customize content or
suggest products based upon the content of the application(s) or users’ activity in their application(s)
(including the content they view or the searches they perform), so long as the application provider is
also the content provider. To the extent NAI members engage in such activities, those activities fall
outside of the scope of this App Code.
B. AD DELIVERY AND REPORTING
Ad Delivery and Reporting is separate and distinct from Cross-App Advertising and means the
collection of information from a device for the purpose of delivering ads or providing
advertising-related services, including but not limited to: providing a specific advertisement based on a particular
type of device or time of day; statistical reporting regarding the activity in an application; analytics
and analysis; optimization of ad location and placement; ad performance; reach and frequency
metrics (e.g., frequency capping); security and fraud prevention; billing; and logging the number and
type of ads served on a particular day to a particular application or device.
C. RETARGETING
Retargeting is the practice of collecting data about a user’s activity in one application for the purpose
of delivering an advertisement based on that data in a different, unaffiliated application. Although it
is a separate and distinct practice from Cross-App Advertising, unless specified otherwise, requirements
and obligations set forth under the App Code for Cross-App Advertising apply equally to Retargeting.
D. PERSONALLY IDENTIFIABLE INFORMATION (PII)
Personally Identiable Information (PII) is any information used or intended to be used to identify a
particular individual, including name, address, telephone number, email address, nancial account
number, and government-issued identier.
E. NON-PII
Non-PII is data that is linked or reasonably linkable to a particular device. Non-PII includes, but is not
limited to, unique identiers associated with users’ devices, such as device or advertising identiers
and IP addresses, where such identiers or IP addresses are not linked to PII. Non-PII does not include
De-Identied Data.
F. DE-IDENTIFIED DATA
De-Identied Data is data that is not linked or reasonably linkable to an individual or to a particular device.
G. PRECISE LOCATION DATA
Precise Location Data is information that describes the precise geographic location of a device
derived through any technology that is capable of determining with reasonable specificity the
actual physical location of an individual or device, such as GPS level latitude-longitude coordinates or
location based Wi-Fi triangulation.
Commentary: ThedenitionofPreciseLocationDatadoesnotincludelocationdatathathasbeen
altered,orwillbealtered,uponitsprovisionforuseinCross-AppAdvertising,sothatamemberis
unabletodeterminewithreasonablespecicitytheactualphysicallocationofanindividualordevice.
3
PreciseLocationDatadoesnotincludeinformationthatdoesnotnecessarilyreecttheactual
locationofadevicesuchastheuser’sspeedanddirectionoftravel,orauser-submittedcheck-in.
H. SENSITIVE DATA
Sensitive Data includes:
• Social Security Numbers or other government-issued identifiers;
• Insurance plan numbers;
• Financial account numbers;
• Information about any past, present, or potential future health or medical conditions or
  treatments, including genetic, genomic, and family medical history based on, obtained or
  derived from pharmaceutical prescriptions or medical records, or similar health or medical
  sources that provide actual knowledge of a condition or treatment (the source is sensitive);
• Information, including inferences, about sensitive health or medical conditions or treatments,
  including, but not limited to, all types of cancer, mental health-related conditions, and
  sexually-transmitted diseases (the condition or treatment is sensitive regardless of the source); and
• Sexual Orientation.
I. PERSONAL DIRECTORY DATA
Personal Directory Data is calendar, address book, phone/text log, or photo/video file data (including any
associated metadata), or similar data created by a user that is stored on or accessed through a device.
J. OPT-IN CONSENT
Opt-In Consent means that an individual takes some affirmative action that manifests the intent to opt in.
[3] The analysis performed by NAI and its member companies to determine whether location data is imprecise is discussed more
thoroughly in Guidance for NAI Members: Determining Whether Location is Imprecise, available at
http://www.networkadvertising.org/sites/default/files/NAI_ImpreciseLocation.pdf
K. OPT-OUT MECHANISM
Opt-Out Mechanism is an easy-to-use mechanism by which individuals may exercise choice to
disallow Cross-App Advertising with respect to a particular device.
Commentary: Anindustry-standardmechanismforexpressingchoiceregardingCross-App
Advertisinghasnotyetbeenestablished.Inlieuofthismechanism,membersshouldmaintain,or
describehowtoaccess,anopt-outmechanismthatis(1)user-friendlyand(2)appropriately
durablegiventhenature,characteristicsanduseofCross-AppAdvertisingtechnology.These
standardswillevolveastechnologiesallowuserstoexpresschoice.Platform-providedchoice
mechanismsthatsatisfytheaboverequirementsaresufcienttomeetthedenitionofOpt-Out
Mechanism.Forexample,the“LimitAdTracking”featurefoundonsomemobiledevicescan
qualifyasanOpt-OutMechanismifamemberusesittohonorauser’schoicetodisallowCross-App
Advertising.TheobligationsundertheAppCodeareindependentofanyobligationsrequiredbya
platformtouseitsprovidedchoicemechanism.
II. Member Requirements
A. EDUCATION
1. Members shall collectively maintain an NAI website to serve as a centralized portal offering
education about Cross-App Advertising, the requirements of the App Code, and information
about user choice mechanisms.
2. Members should use reasonable efforts to educate individuals about Cross-App Advertising and
the choices available to them with respect to Cross-App Advertising.
B. TRANSPARENCY AND NOTICE
1. WebsiteNotice: Each member company shall provide clear, meaningful, and prominent notice
on its website that describes its data collection, transfer, and use practices for Cross-App
Advertising and/or Ad Delivery and Reporting. Such notice shall include the following, as
applicable:
a. A general description of the following as applicable:
i. Cross-App Advertising and/or Ad Delivery and Reporting activities undertaken by the
member company;
ii. The types of data collected or used for Cross-App Advertising and/or Ad Delivery and
Reporting purposes including PII, Precise Location Data and Personal Directory Data;
iii. How such data will be used, including transfer, if any, to a third party;
iv. The technologies used by the member company for Cross-App Advertising and Ad
Delivery and Reporting;
v. The approximate length of time that data used for Cross-App Advertising or Ad Delivery
and Reporting purposes will be retained by the member company;
b. A statement that the company is a member of the NAI and adheres to the App Code; and,
c. A conspicuous link to or a description of how to access an Opt-Out Mechanism for Cross-
App Advertising.
2. StandardHealthSegments: Members that use standard interest segments for Cross-App
Advertising that are based on health-related information or interests shall disclose such segments
on their websites.
3. AppStoreNotice:Members shall take steps to require those applications with which they have a
contract and engage in Cross-App Advertising to clearly and conspicuously post notice, or a link
to notice, in any store or on any website where the application may be acquired, when and where
it is technically possible. Such notice shall contain:
a. A statement of the fact that data may be collected for Cross-App Advertising;
b. A description of the types of data, including any PII, Precise Location Data, or Personal
Directory Data, that are collected for Cross-App Advertising;
c. An explanation of the purposes for which the data is collected by, or will be transferred to,
third parties; and
d. A conspicuous link to, or description of how to access, an Opt-Out Mechanism for Cross-
App Advertising.
Commentary: ThisprovisionoftheAppCodeisintendedtohelpensure,totheextent
practicable,thatusersareprovidednoticeofCross-AppAdvertisingpriortoacquiringan
application,recognizingthatNAImembersgenerallyareunabletoprovidesuchnotice
themselves,becausetheydonotcontroltheapplicationortheappstore.
4. As part of members’ overall efforts to promote transparency in the marketplace, members
should make reasonable efforts to conrm that applications where the member collects data for
Cross-App Advertising furnish notices comparable to those described in II.B.3 above.
Commentary: Asonerecommendedapproachmembersmay,forexample,regularlychecka
reasonably-sizedsubsetoftheapplicationswheretheycollectdataforCross-AppAdvertising
toconrmthatappropriatenoticeisbeingprovidedonthewebsite(s)and/orintheappstore(s)
wheretheapplicationmaybeacquired.
5. EnhancedNotice:Members shall provide, or support the provision of, notice of Cross-App
Advertising data, including any PII, collection and use practices and the choices available to users
in or around advertisements that are informed by such data.
4
If notice cannot be provided in or
around such advertisements, members should take steps to arrange for the application provider
serving the advertisement to provide notice within the application:
a. As part of the process of downloading an application to a device, at the time the
application is launched for the rst time, or when the data is accessed; and,
b. In the application’s settings and/or privacy policy.
Commentary: TheNAIrecognizesthatitmaybeimpracticaltodeliverenhancednoticein
oraroundanadvertisementonsomedevices.Insuchcases,membersshouldtakestepsto
arrangefortheapplicationproviderservingtheadvertisementtoprovidenoticewithinthe
applicationaspartofthedownloadprocess,whentheapplicationisrstlaunched,orwhen
thedataisaccessed,inadditiontothenoticeinanapplication’ssettingsscreenand/or
privacypolicy.
C. USER CONTROL
1. The level of choice that members must provide is commensurate with the sensitivity and
intended use of the data. Specically:
a. Use of Non-PII for Cross-App Advertising purposes shall require access to an Opt-Out
Mechanism.
b. Use of PII to be merged with Non-PII on a going-forward basis for Cross-App Advertising
purposes (prospective merger) shall require access to an Opt-Out Mechanism accompanied
by robust notice of such choice.
Commentary: Tobeconsidered“robust”underthisprovision,thenoticemustbeprovided
immediatelyaboveorbelowthemechanismusedtoauthorizethesubmissionofanyPII.
[4] The enhanced notice requirements of Section II.B.5 are separate and distinct from the application store notice provisions of
Sections II.B.3 and II.B.4. Section II.B.5 requires that some form of enhanced notice be provided within the application, whereas
Sections II.B.3 and II.B.4 concern notice within the store where an application is acquired as well as on the application provider’s website.
c. Use of PII to be merged with previously collected Non-PII for Cross-App Advertising
purposes (retrospective merger) shall require a user’s Opt-In Consent.
d. Use of Precise Location Data for Cross-App Advertising purposes shall require a user’s
Opt-In Consent.
Commentary: AmembermustobtainOpt-InConsentfortheuseofPreciseLocation
DataforCross-AppAdvertisingifitdeterminesthatthelocationdataitiscollectingfor
Cross-AppAdvertisingpurposesispreciseasdenedintheAppCodeandanyadditional
NAIguidance.
5
Aplatform-providedconsentmechanismmaybesufcienttoobtainOpt-In
Consent,solongastheuserisprominentlynotiedthat1)theuser’sPreciseLocationData
maybesharedwiththirdpartiesand2)thepurposesforwhichsuchdatamaybeused,
includingCross-AppAdvertising.TheNAIrecognizesthatatthistime,itmaynotbe
possibletoincludetheaforementionednoticeinallplatform-providedconsentmechanisms,
andaccordingly,theNAImayissueadditionalguidancetoclarifyadditionalmethodsthat
membercompaniesmayemploytofullltherequirementforOpt-InConsentwhenusing
PreciseLocationDataforCross-AppAdvertising.ConsistentwiththescopeofCross-App
Advertising,theAppCoderequirementofOpt-InConsentfortheuseofPreciseLocation
DatadoesnotapplytoAdDeliveryandReporting,orwhenamembercompanydoesnot
storeorotherwisesavethePreciseLocationDatainassociationwithaparticularindividualor
deviceafterservingordeliveringanadvertisementinreal-time.Foradditionalguidanceon
thistopic,pleaserefertothe2015UpdatetotheNAICodeofConductandaccompanying
commentary.
e. Use of Sensitive Data for Cross-App Advertising purposes shall require a user’s Opt-In
Consent.
Commentary: Becauseitcanbedifculttodrawbrightlinesbetween“sensitive”and
“non-sensitive”healthandmedicalconditions,theNAIrequiresmemberstoconsidera
numberoffactorswhendeterminingwhetheraparticularconditionissensitive.These
factorsinclude:theseriousnessofthecondition,howpreciselytheconditionisdened,its
prevalence,whetheritissomethinganaveragepersonwouldconsidertobeparticularly
privateinnature,whetheritistreatedbyover-the-counterorprescriptionmedications,and
whetheritcanbetreatedbymodicationsinlifestyleasopposedtomedicalintervention.
Foradditionalguidanceonthistopic,pleaserefertothe2015UpdatetotheNAICodeof
Conductandaccompanyingcommentary.
f. Use of Personal Directory Data for Cross-App Advertising purposes shall require a user’s
Opt-In Consent.
Commentary: Moderndevicesprovideaccesstonewformsofdatathatwerenotavailable
throughconventionalWebbrowsers.Thisdatacanbeusedtorecognizeindividualsorto
assembleahistoryoflocationdata.Asaresult,greaterdegreesofnoticeandchoiceare
requiredbytheAppCode.
[5] Guidance for NAI Members: Determining Whether Location is Imprecise, supra note 3.
2. When a user opts out of Cross-App Advertising from a particular member or members, those
member companies must honor the user’s choice as to the particular device. Member companies
may continue to collect data for other purposes, including Ad Delivery and Reporting. However,
any data collected by a member company while a device is opted out may not be used for
Cross-App Advertising purposes, regardless of the future opt-out status of the device and
regardless of the technology or technologies used for Cross-App Advertising by the member
company, absent Opt-In Consent.
Commentary: Membersmaycontinuetocollectandusedataforpurposesotherthan
Cross-AppAdvertisingfollowingauser’sopt-out.Anyuserdatacollectedwhiletheuserisopted
outofCross-AppAdvertisingshallnotbeusedforCross-AppAdvertising.Such-collected 
dataremainsoptedoutofCross-AppAdvertisingregardlessofthetechnologiesusedtocollect
thedataandregardlessoftheuser’sfutureopt-outstatus.
TheNAIworkswithallmembersduringthemembershipapplicationandannualreview
processestoensurethattheiroptouts,atminimum,stopthecollectionofdataforCross-App
Advertising.Certainpractices,suchastheprovisioningofofinedataforuseinCross-App
Advertising,arenotdirectlycoveredbytheAppCode.Somemembercompanieshave
committedtoapplyingNAIprinciplestothesepracticesinordertofurtherpromoteconsumer
privacy.NAIwillenforcetherelevantAppCodeprovisionsonsuchmembers.NAIwillapply
anyfutureupdatestotheAppCodethatcoverprovisioningofofinedataforuseintargeted
advertisingtoallNAImembers.
3. The technologies that members use for Cross-App Advertising purposes must provide users with
an appropriate degree of transparency and control.
Commentary: TheAppCodeisintendedtobetechnology-neutral,imposingobligationson
membersregardlessofthetechnologiestheyuseforCross-AppAdvertisingandAdDelivery
andReporting.Atthesametime,theNAIbelievesthatthetechnologiesthatmembersusefor
Cross-AppAdvertisingshouldprovideusersanappropriatedegreeoftransparencyandcontrol.
TheuseofimmaturetechnologiesforCross-AppAdvertisingwillbeevaluatedona
case-by-casebasis.TheNAIalsorecognizesthatsometechnologiesusedforCross-App
AdvertisingmaynotprovideadequatetransparencyfortheNAIcompliancestafftoconduct
independenttechnicalmonitoringofmembers’adherencetotheAppCode.Inthese
circumstances,membersmayberequiredtoimplementtoolsand/orpoliciesthatallowNAIstaff
toperformthisnecessarycompliancefunction.
D. USE LIMITATIONS
1. Member companies shall not create Cross-App Advertising segments specifically targeting
children under 13 without obtaining verifiable parental consent.
2. Members shall not use, or allow the use of, Cross-App Advertising or Ad Delivery and Reporting
data for any of the following purposes:
a. Employment Eligibility;
b. Credit Eligibility;
c. Health Care Eligibility; or
d. Insurance Eligibility and Underwriting and Pricing.
3. Members who make a material change to their policies and practices around Cross-App
Advertising shall obtain Opt-In Consent before applying such change to data collected prior
to the change. In the absence of Opt-In Consent, data collected prior to the material change in
policy shall continue to be governed by the policy in effect at the time the information was collected.
E. TRANSFER RESTRICTIONS
1. Members shall contractually require that any unaffiliated parties to which they provide PII for
Cross-App Advertising or Ad Delivery and Reporting adhere to the provisions of this App Code
concerning PII.
2. Members shall contractually require that all parties to whom they provide Non-PII collected
across applications owned or operated by different entities not attempt, for Cross-App
Advertising purposes, to merge such Non-PII with PII held by the receiving party or to re-identify
the individual for Cross-App Advertising purposes without obtaining the individual’s Opt-In
Consent. This requirement does not apply where the Non-PII is proprietary data of the receiving
party.
F. DATA ACCESS, QUALITY, SECURITY, AND RETENTION
1. Members shall provide users with reasonable access to PII, and other information that is
associated with PII, retained by the member for Cross-App Advertising purposes.
2. Members shall conduct appropriate due diligence to help ensure that they obtain data used for
Cross-App Advertising from reliable sources that provide users with appropriate levels of notice
and choice.
3. Members that collect, transfer, or store data collected for use in Cross-App Advertising and/or Ad
Delivery and Reporting shall provide reasonable security for that data.
Commentary: Membersarerequiredtoattestinwritingthattheyhavereasonableand
appropriateproceduresinplacetosecuretheirdataasrequiredbytheAppCode.NAIstaffdoes
notconductsecurityauditsofmembercompaniesorotherwisereviewthedatasecuritypractices
ofmembers.NAIstaffdoesnotopineonorotherwiseadvisemembersonspecicdatasecurity
measures,aswhatisreasonableandappropriatedependsonthemembers’businessmodels.
Becausebusinessmodelsvaryfrommembertomember,membercompanies,notNAIstaff,are
inthebetterpositiontodeterminewhatisappropriateunderagivensetofcircumstances.
4. Members engaged in Cross-App Advertising and/or Ad Delivery and Reporting shall retain
Non-PII and PII collected for these activities only as long as necessary to fulfill a legitimate
business need, or as required by law.
III. Accountability
A. MEMBER OBLIGATIONS
1. The App Code is self-regulatory in nature and is binding on all members of the NAI.
2. To help ensure compliance with this App Code, each member should designate at least one
individual with responsibility for managing their compliance with the code and providing training
to relevant staff within the company.
3. NAI membership requires public representations that a member adheres to the App Code
as it applies to its business model, as supplemented by applicable implementation
guidelines that shall be adopted by the NAI Board from time to time. Such representations
involve explicit acknowledgement of NAI membership and adherence to the App Code in
a member’s publicly available privacy policy, and inclusion in a membership listing of participating
NAI companies on a designated page of the NAI website.
B. NAI OVERSIGHT
1. Members are required to annually undergo reviews of their compliance with the App Code by
NAI compliance staff or other NAI designees. Members shall fully cooperate with NAI
compliance staff or NAI designees, including in the course of annual compliance reviews and any
investigation of a potential violation of the App Code.
2. The NAI’s policies and procedures for annual compliance reviews and compliance investigations
may be updated from time to time. These policies and procedures shall not only describe the
process undertaken for a compliance review, but shall also articulate the penalties that could
be imposed for a nding of non-compliance, including referral of the matter to the U.S. Federal
Trade Commission. These policies and procedures, including any updates or revisions, shall be
made available on the NAI website.
3. The NAI shall annually post on its website a report summarizing the compliance of its members
with the App Code and NAI policies, including any enforcement actions taken and a summary of
complaints received.
C. USER COMPLAINTS
1. The NAI website shall include a centralized mechanism to receive an individual’s questions or
complaints relating to members’ compliance with the App Code.
2. Each member shall provide a mechanism by which individuals can submit questions or
concerns about the company’s collection and use of data for Cross-App Advertising purposes,
and shall make reasonable efforts to timely respond to and resolve questions and concerns that
implicate the member company’s compliance with the App Code and NAI policies.
Commentary: Membersmayutilizethesamemechanismtheyhaveinplaceforquestionsand
concernsregardingInterest-BasedAdvertising(asdenedbytheCode)ormaycreateandusea
separatemechanismspecicallyforquestionsandconcernsregardingCross-AppAdvertising.
www.networkadvertising.org