A Few Things You Should Know About the NAI and SaaS Privacy

A laptop and phone tagged with a persistent identifier and a privacy shield, illustrating device-level tracking and SaaS privacy. Aber Law Firm.

Short answer: the Network Advertising Initiative (NAI) is the self-regulatory body for third-party online advertising, and its Code of Conduct matters to SaaS vendors because it treats data that identifies a device or computer, not just a named person, as regulated. If your product touches third-party ads, tracking, or persistent identifiers, the NAI Code is a useful privacy checklist and an early preview of where US privacy law has since gone.

The Network Advertising Initiative (NAI) has useful guidance in its Code of Conduct on SaaS privacy for the third-party ad business. The NAI is a self-regulatory governing body for third parties in the online advertising ecosystem, and its Code is useful not just for ad networks but for platforms, aggregators, yield-optimization firms, and anyone dealing in third-party ads.

The Definitions Are the Interesting Part.

  • Personally Identifiable Information (PII): data used to identify an individual.
  • Non-PII: data not linkable to an individual, but linkable to a device.
  • De-Identified Data: data not linkable to an individual or a device.

What is striking is that these definitions do not focus only on identifying a person. They treat identifying a computer or device as regulated, not just identifying a human being. The old rule was that if you could not identify a specific person, you were safe. The NAI flipped that: tracking or identifying a device, especially across platforms, now counts. The FTC has long shared this concern about persistent identifiers.

Why This Matters More in 2026 Than It Did in 2015.

When this post first went up, treating a device identifier as regulated data was the leading edge. It is now baked into law. Under the California Consumer Privacy Act (as amended by the CPRA) and the wave of state privacy laws that followed, “personal information” expressly includes unique and persistent identifiers, device identifiers, IP addresses, and cookies that can be tied to a household or device, not just to a named human being. The same idea the NAI wrote into a voluntary code is now a statutory definition you can be sued under. California’s own CCPA overview spells out that scope.

For a SaaS vendor, the practical consequence is that “we don’t collect names, so we’re fine” is not a defense. If you can single out a device or profile a user across sessions, you are very likely processing regulated personal data, so your privacy policy, your consent flows, and your vendor contracts all need to reflect that.

Frequently Asked Questions.

Is device data really “personal information”? Increasingly yes. The NAI treated device identifiers as regulated years ago, and the CCPA/CPRA and other state laws now define persistent and device identifiers, IP addresses, and cookies as personal information.

We don’t collect names. Are we exempt? No. If you can single out or track a device or profile a user across sessions, you are likely processing regulated data regardless of whether you hold a name.

Who should care about the NAI Code? Any vendor touching third-party ads, tracking, or persistent identifiers, including ad networks, platforms, aggregators, and yield-optimization firms. It is a practical privacy checklist even where it is not binding on you.

The takeaway for any third-party ad company is the same as it was: read the Code of Conduct. SaaS privacy is no longer simply about disclosure and choice; it is about tracking devices and computers, and the regulators have followed the data.

For the framework regulators expect SaaS vendors to bake into product design from day one, see Privacy by Design: A Framework for SaaS and Software Vendors.

Disclaimer:

This post is for informational and educational purposes only, and is not legal advice. You should hire an attorney if you need legal advice, which should be provided only after review of all relevant facts and applicable law.

