
Short answer: the Network Advertising Initiative (NAI) is the self-regulatory body for third-party online advertising, and its Code of Conduct matters to SaaS vendors because it treats data that identifies a device or computer, not just a named person, as regulated. If your product touches third-party ads, tracking, or persistent identifiers, the NAI Code is a useful privacy checklist and an early preview of where U.S. privacy law has since gone.
The Network Advertising Initiative (NAI) has useful information in its Code of Conduct on SaaS privacy for the online third-party ad business. The NAI is a self-regulatory governing body for third parties in the online advertising ecosystem. It is useful not just for ad networks, but for platforms, aggregators, yield-optimization firms, and anyone dealing in third-party ads.
The most interesting issue in the Code is in its definitions:
- Personally Identifiable Information (PII): data used to identify an individual.
- Non-PII: data that is not linkable to an individual, but is linkable to a device.
- De-Identified Data: data that is not linkable to an individual or a device.
What is fascinating is that these definitions do not focus only on identifying a person (which is how the world used to work). They now cover identifying a computer, a device, or a person. Before, if you couldn’t identify a specific person, you were considered safe. Now you have to be careful if you are tracking or identifying a computer or device, especially across platforms.
The Federal Trade Commission is also very interested in the tracking of devices and computers, and is concerned about what are called persistent identifiers.
Why This Matters More in 2026 Than It Did in 2015
When this post first went up, treating a device identifier as regulated data was the leading edge. It is now baked into the law. Under the California Consumer Privacy Act (as amended by the CPRA) and the wave of state privacy laws that followed it, “personal information” expressly includes unique and persistent identifiers, device identifiers, IP addresses, and cookies that can be tied to a household or device, not just to a named human being. The same idea the NAI wrote into a voluntary code is now a statutory definition you can be sued under.
For a SaaS vendor, the practical consequence is that “we don’t collect names, so we’re fine” is not a defense. If you can single out a device or profile a user across sessions, you are very likely processing regulated personal data, so your privacy policy, your consent flows, and your vendor contracts all need to reflect that.
The takeaway for every third-party ad network company is the same as it was: read the Code of Conduct. SaaS privacy is no longer simply about disclosure and choice. It is now very much about tracking devices and computers, and the regulators have followed the data.
For the framework regulators expect SaaS vendors to bake into product design from day one, see Privacy by Design: A Framework for SaaS and Software Vendors. I hope this helps.
Resources:
Network Advertising Initiative
Disclaimer:
This post is for informational and educational purposes only, and is not legal advice. You should hire an attorney if you need legal advice, which should be provided only after review of all relevant facts and applicable law.