NAI's New Privacy Principles Still Fall Short

The Network Advertising Initiative (NAI) has released updated privacy principles for its members. While the move is a step in the right direction, it falls short of ensuring best practices in security and privacy.

The Security Principle requires members to "provide reasonable security for that data." The accompanying footnote reads:
"Reasonable security is determined in light of several factors including, but not limited to, the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company."
I read this as allowing NAI member businesses to take minimal steps towards security. There are no requirements for best practices, audits, compliance checks, a named responsible party, or staff training and awareness.

Another problem with self-regulatory privacy practices is that they often work in unexpected ways. A case in point is the NAI Opt-out tool, which allows you to opt out of many NAI advertisers. However, since the choice is cookie-based, your settings will be lost if you choose to delete your cookies (which you might do to enhance your privacy).
"The NAI Opt-out Tool is cookie-based. In order for the Tool to work on your computer, your browser must be set to accept third party cookies. If you buy a new computer, change web browsers or delete this cookie, you will need to perform the opt-out task again."
