
The Network Advertising Initiative (NAI) just dropped its 2025 Annual Report, and it is worth more than a skim.
The NAI has been the self-regulatory body for digital advertising since 2000 — 25 years of setting standards, conducting member reviews, and trying to keep the industry ahead of regulators. This year’s report is the first published under the NAI’s entirely overhauled Self-Regulatory Framework, launched in December 2024. It covers more than 70 privacy reviews conducted with member companies over the past year, seven new guidance documents, and a candid set of findings that should inform compliance priorities for any business operating in the digital advertising ecosystem.
What makes this report genuinely useful — beyond the milestone anniversary framing — is that the review findings map directly to what state and federal regulators are scrutinizing right now. This is not a self-congratulatory industry document. It is a field report from the front lines of advertising privacy enforcement, and several of its findings have direct, actionable implications for your compliance program.
Here is what the report actually says, what it means, and what you should be doing about it.
Who the NAI Is and Why Its Findings Matter
The NAI is a nonprofit industry association whose members are companies that engage in interest-based advertising — the targeting and measurement technologies that underpin most of digital advertising. Membership is voluntary, but the NAI’s Self-Regulatory Framework is considered a credible and rigorous standard. Regulators have historically viewed NAI membership and compliance as a meaningful signal of good-faith privacy practices.
What makes the NAI’s review findings particularly credible is that they are based on actual audits of actual companies — not hypothetical scenarios or theoretical frameworks. When the NAI identifies a pattern across more than 70 member reviews, it is describing something it has observed in real privacy programs at real organizations. And when NAI findings align with enforcement actions by the California Privacy Protection Agency, the FTC, and state attorneys general — which they do — the signal-to-noise ratio is very high.
For compliance professionals: this report is essentially a preview of what the next wave of enforcement is going to look at.
The Five Compliance Findings You Cannot Ignore
The 2025 Annual Report identifies five key themes from the privacy review cycle. Each one points to a systemic gap in how companies manage advertising-related data. None of them are new issues — but all of them are being treated with new urgency by regulators, and the report makes clear that the industry has not caught up.
Let’s go through each one.
Finding #1: Written Data Governance Is Now a Baseline Requirement — Not a Best Practice
What the NAI found: Federal and state regulators increasingly expect a documented governance program, not merely good practices. Having a privacy policy and some internal procedures is no longer the floor; the floor is a written, auditable governance program that a regulator can inspect.
What this means in practice:
The regulatory direction of travel here has been clear for a while, but this finding confirms it has arrived. The CPPA’s cybersecurity audit regulations (effective January 1, 2026) require documented governance programs as part of audit readiness. The FTC has made documented governance a centerpiece of its consent decree requirements for years. State AGs examining privacy complaints are asking for governance documentation as a first step.
“Documented” means more than a policy document on your website. It means:
- A written data governance framework that assigns ownership, defines roles, and establishes accountability structures
- A data inventory that maps processing activities, lawful bases, and retention schedules (see our companion piece on building a data inventory)
- Written vendor management procedures, including data processing agreements and due diligence records
- Documented training programs with completion records
- A written incident response plan with defined escalation paths
- Evidence of review — governance documents that have never been updated are not governance
The NAI’s new Data Governance Checklist and Template, released in March 2026 for members, is a practical starting point for organizations that need to close this gap. Non-members can build equivalent documentation using the major privacy frameworks as a guide.
Your action item: Conduct a governance documentation audit. For each element of your privacy program, ask: if a regulator asked for evidence that this exists and is current, what would you hand them? If the answer is “we would have to write it first,” that element needs to be documented now.
Finding #2: Sensitive Data Classification Remains a Top Priority — and the Industry Is Getting It Wrong
What the NAI found: Significant variation persists in how member companies classify sensitive data. This is both an ongoing challenge and a top enforcement priority. The NAI released its Factor Analysis for Health-Related Sensitive Personal Information in February 2026 to help members make consistent, defensible classifications.
Why sensitive data classification is so hard — and so consequential:
Every major privacy framework has a category of “sensitive” personal information that carries heightened obligations. But the definitions vary, and the variation creates real compliance risk.
Under CCPA/CPRA, sensitive personal information includes Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of communications, genetic data, biometric data, health information, and sexual orientation or gender identity.
Under GDPR, special categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (when used for identification), health data, and sex life or sexual orientation.
Under state laws including Virginia’s VCDPA, Colorado’s CPA, and Connecticut’s CTDPA, sensitive categories are similar but not identical — with differences in how “precise geolocation,” “mental health,” and “financial distress” are defined and treated.
The challenge in digital advertising specifically is that sensitive data is often inferred, derived, or probabilistic rather than directly collected. A health publisher’s audience segment doesn’t require users to disclose a health condition — the fact that someone reads content about a specific condition is itself treated as sensitive under several frameworks. A geofenced advertising campaign around a medical facility may implicate sensitive geolocation rules. A behavioral profile that includes signals about religious practice or political affiliation may contain inferred sensitive data the advertiser never explicitly collected.
The NAI’s health-related sensitive data factor analysis is significant precisely because it provides a structured test for cases where the sensitive classification is not obvious — which, in digital advertising, is most cases.
Your action item: Review your data inventory specifically for advertising-related data flows. For each processing activity that involves audience targeting, measurement, or analytics: what data categories are involved, including inferred and derived data? Apply the sensitivity framework from each law that applies to your organization. Document your classification decisions and the reasoning behind them — especially for borderline cases.
Finding #3: That “Depending on Where You Live” Language in Your Privacy Notice Is a Red Flag
What the NAI found: State regulators have explicitly rejected conditional rights language — phrasing like “you may have certain rights depending on where you live” — treating it as evidence of noncompliance. The NAI’s guidance encourages members to either state rights clearly and universally, or maintain a current state-specific list.
This one is deceptively important:
Conditional rights language became common as organizations tried to manage the patchwork of state privacy laws without creating different privacy notices for different states. The logic seemed reasonable: rather than enumerate rights that might not apply to every user, hedge with “depending on where you live.”
Regulators have decided that reasoning is insufficient.
The problem is twofold. First, vague conditional language doesn’t actually tell consumers what rights they have. A California resident reading “you may have certain rights depending on where you live” cannot determine from that sentence whether they have the right to opt out of the sale of their personal information, the right to correct inaccurate data, or the right to limit the use of sensitive personal information. The notice doesn’t fulfill its disclosure purpose.
Second — and this is the regulatory enforcement point — conditional language can be used to obscure rights that clearly do apply. If a company collects California residents’ data, CCPA rights apply. Full stop. Hedging that with “depending on where you live” isn’t a legal gray area; it’s an incomplete disclosure of a concrete obligation.
The compliant alternatives are:
- State all rights universally — offer the same rights to all users regardless of jurisdiction. This is the cleanest approach and increasingly the industry standard for organizations with national or global audiences.
- Maintain a current state-specific addendum — clearly list, by state, the specific rights available to residents of that state, with links or contact information for exercising each one. This requires ongoing maintenance as new state laws take effect, but it is defensible and complete.
- Use a rights request hub — a dedicated page that allows users to select their state and receive a tailored list of applicable rights, with direct request submission functionality.
What is no longer acceptable: a single vague sentence that forces consumers to guess whether they have rights, and forces your compliance team to defend in an enforcement proceeding why you chose ambiguity over clarity.
Your action item: Pull your current privacy notice. Search for “depending on,” “may have,” “certain rights,” and similar hedging phrases. Replace each one with a specific, accurate statement of rights — either universal rights or a state-by-state list. Review with legal counsel before publishing.
Finding #4: GPC Compliance Is More Than Flipping a Switch — And There’s Now a 2026 Disclosure Requirement
What the NAI found: Honoring Global Privacy Control (GPC) opt-out signals is no longer sufficient on its own. Regulators now expect businesses to accurately explain in their privacy notices how GPC signals are processed. And a new CCPA requirement that took effect January 1, 2026 mandates on-site display indicating whether GPC signals have been honored.
What is GPC, and why does this matter?
The Global Privacy Control is a browser-level signal that consumers can activate to communicate a universal opt-out from the sale or sharing of personal information. Major browsers and browser extensions support it. Under the CCPA regulations, businesses that sell or share personal information are required to treat a GPC signal as a valid opt-out request, as a legal obligation rather than a courtesy. Several other state laws, including Colorado's and Connecticut's, impose the same obligation through their universal opt-out mechanism rules, so an implementation cannot be scoped to California visitors only.
The compliance posture most organizations took was: implement technical processing of GPC signals, add a line to the privacy notice saying “we honor GPC,” done.
That posture is no longer adequate.
What regulators now expect:
Technical compliance: The GPC signal must actually be processed correctly — not just acknowledged and then ignored for certain data flows, advertising partners, or cookie categories. The CPPA has been clear that selective or partial GPC honoring does not satisfy the requirement.
Disclosure accuracy: Your privacy notice must accurately describe how GPC signals are processed. “We honor GPC” is not a description. An accurate description explains what happens when the signal is received: which categories of sale or sharing are stopped, which data flows are affected, whether the opt-out is applied prospectively or retroactively, and how it interacts with other opt-out mechanisms.
On-site display (new January 1, 2026): CCPA regulations that took effect at the start of this year require businesses to display on their website — not just in their privacy notice — an indication of whether GPC signals are being recognized. This is a consumer-facing signal at the point of interaction, separate from the privacy notice disclosure.
The practical compliance gap: Most organizations’ GPC implementations were built for technical signal receipt, not for the layered disclosure obligations that now surround it. Auditing your GPC implementation against the 2026 requirements is a distinct compliance task that belongs on your Q2/Q3 roadmap.
Your action item: Audit your GPC implementation end-to-end. Verify that (1) the signal is being processed correctly across all applicable data flows and advertising partnerships, (2) your privacy notice accurately describes the processing in specific terms, and (3) your website displays the required on-site indicator as of January 1, 2026. If any of these are missing, remediate in sequence — technical processing first, then disclosures.
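The three expectations above reduce to one processing path. The following JavaScript is an added example, not code from the NAI or from the original page: it reads the signal from the two surfaces the GPC specification defines (the `Sec-GPC: 1` request header on the server and `navigator.globalPrivacyControl` in page scripts), suppresses every tag that constitutes a sale or sharing rather than a selected few, records the opt-out against every identifier held for the visitor, and derives the on-site indicator text from what was actually suppressed. The tag manifest, identifier formats and indicator wording are constructed assumptions; the exact wording your indicator needs should come from counsel's reading of the regulation.

```javascript
// Added example: detecting and honoring the Global Privacy Control (GPC) signal.
// GPC reaches a site on two surfaces defined by the specification: the request
// header "Sec-GPC: 1" (server side) and navigator.globalPrivacyControl (page
// scripts). The tag manifest, identifier formats and wording below are constructed.

// Server side. The specification defines exactly one opt-out value, "1";
// anything else (absent, "0", garbage) is treated as no signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side. The property is absent in browsers without GPC support.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Constructed tag/vendor manifest. Each entry declares whether loading it is a
// "sale" or "sharing" of personal information; that classification is the
// compliance decision, and the code only enforces it.
const TAG_MANIFEST = [
  { id: "analytics-first-party", sells: false, shares: false },
  { id: "retargeting-pixel",     sells: false, shares: true  },
  { id: "data-broker-sync",      sells: true,  shares: false },
  { id: "measurement-partner",   sells: false, shares: true  },
];

// Decide which tags may load. The decision is applied to every sale/sharing
// flow at once: blocking the pixel while still firing the broker sync is the
// partial honoring that regulators flag.
function resolveTags(manifest, optedOut) {
  const allowed = [];
  const suppressed = [];
  for (const tag of manifest) {
    const isSaleOrShare = tag.sells || tag.shares;
    (optedOut && isSaleOrShare ? suppressed : allowed).push(tag.id);
  }
  return { allowed, suppressed };
}

// Persist the opt-out against every identifier the business holds for this
// visitor (browser cookie, device ID, logged-in account). The CCPA regulations
// require the signal to be applied to a consumer the business can identify,
// not only to the browser that sent it.
function recordOptOut(store, identifiers, optedOut, now) {
  if (!optedOut) return store;
  for (const id of identifiers) {
    store.set(id, { optedOutOfSaleShare: true, source: "GPC", at: now });
  }
  return store;
}

// On-site indicator text, derived from the processing result rather than a
// constant so the page cannot claim the signal was honored when it was not.
function indicatorText(optedOut, result) {
  if (!optedOut) return "No opt-out preference signal detected.";
  return `Opt-Out Preference Signal Honored: ${result.suppressed.length} sale/sharing flow(s) suppressed.`;
}

// End-to-end handling of one request (server) or one page load (client).
function handleRequest({ headers = {}, navigator: nav, identifiers = [], now = new Date().toISOString() }, store = new Map()) {
  const optedOut = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const result = resolveTags(TAG_MANIFEST, optedOut);
  recordOptOut(store, identifiers, optedOut, now);
  return { optedOut, ...result, indicator: indicatorText(optedOut, result), store };
}

// Constructed demo: a request carrying the header from a logged-in visitor.
const demo = handleRequest({ headers: { "Sec-GPC": "1" }, identifiers: ["cookie:c-77a1", "user:1001"] });
console.log(demo.indicator, "| suppressed:", demo.suppressed.join(", "));
```

The design choice worth keeping is that `indicatorText` is computed from `resolveTags` output: if a later change adds a sharing tag to the manifest without the opt-out branch, the indicator count changes and the mismatch is visible in testing rather than in an enforcement proceeding.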
Finding #5: DSARs Now Cover Derived and Inferred Data — and Most Companies Aren’t Operationally Ready
What the NAI found: Regulators now expect deletion and access requests to cover derived, inferred, and back-end data across distributed data environments. Data Subject Access Request (DSAR) fulfillment has become one of the most operationally demanding compliance challenges companies face.
Why this finding is more significant than it appears:
Consumer rights request fulfillment is not new. CCPA has required access, deletion, and portability rights since 2020, with the right to correct added by the CPRA amendments that took effect in 2023. GDPR has required all of them since 2018. What has changed is the scope of those rights as interpreted and enforced by regulators.
Derived and inferred data is personal information that was not directly provided by the consumer but was generated through analysis, modeling, or inference. In digital advertising, this is the bulk of the valuable data: interest categories, purchase intent scores, demographic predictions, behavioral profiles, lookalike audience memberships, propensity models.
When a consumer submits a DSAR asking “what data do you have about me?”, regulators now expect the response to include derived and inferred data — not just the raw inputs the consumer provided. That means your DSAR response process must be able to:
- Locate derived and inferred data associated with a specific consumer identifier across all systems, including data warehouses, advertising platforms, CDPs, DMPs, and third-party data partnerships
- Attribute that data to the correct consumer — which is non-trivial in environments where consumers may be identified by multiple identifiers (cookie IDs, device IDs, email hashes, phone number hashes) that may not be linked
- Describe inferred data in terms a consumer can understand — not just return a segment ID or a propensity score, but explain what it represents
- Delete it across distributed environments when a deletion request is received — including communicating deletion requirements downstream to data partners
The distributed data environment problem: The NAI’s finding specifically flags “back-end data across distributed data environments” as the operational challenge. Most organizations’ DSAR processes were built for the data in their primary CRM and customer database. Advertising data — especially inferred and derived data — lives across a much more complex ecosystem: ad servers, attribution platforms, clean rooms, data warehouses, third-party measurement partners, and DSP/SSP systems. Fulfilling a DSAR in that environment requires either deep technical integration or manual processes that don’t scale.
Your action item: Audit your DSAR fulfillment process specifically for advertising data. Map every system that holds data tied to consumer identifiers. For each system, confirm whether your DSAR response workflow can locate, retrieve, describe, and delete data held there — including derived and inferred data. Identify gaps. Prioritize remediation based on regulatory exposure.
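As an added example that is not from the NAI or from the original page, the following JavaScript shows the identifier-linkage problem from the second bullet above together with the cross-system retrieval and deletion from the first and fourth: a union-find identity graph joins cookie IDs, device IDs, hashed emails and account IDs that observed events have linked, an access request then pulls records keyed by any identifier in that cluster from each store and renders derived values in plain language, and a deletion request removes them and emits one instruction per system for downstream notification. The link evidence, store contents, segment codes and glossary are all constructed.

```javascript
// Added example: fulfilling a DSAR across unlinked identifiers and distributed
// stores. Identity resolution is union-find over observed identifier links;
// everything (links, stores, segment codes, glossary) is constructed sample data.

class IdentityGraph {
  constructor() { this.parent = new Map(); }
  // Find the cluster root, compressing the path on the way.
  find(id) {
    if (!this.parent.has(id)) this.parent.set(id, id);
    let root = id;
    while (this.parent.get(root) !== root) root = this.parent.get(root);
    let cur = id;
    while (this.parent.get(cur) !== root) {
      const next = this.parent.get(cur);
      this.parent.set(cur, root);
      cur = next;
    }
    return root;
  }
  link(a, b) { const ra = this.find(a), rb = this.find(b); if (ra !== rb) this.parent.set(ra, rb); }
  // Every identifier that resolves to the same consumer as `id`.
  cluster(id) { const root = this.find(id); return [...this.parent.keys()].filter(k => this.find(k) === root).sort(); }
}

// Constructed link evidence: a login tied a cookie to an account, the CRM holds
// a hashed email for that account, a mobile SDK tied a device ID to the cookie.
// Without such evidence a record cannot be attributed to the requester.
const IDENTITY_LINKS = [
  ["email_sha256:9f86d0", "user:1001"],
  ["cookie:c-77a1", "user:1001"],
  ["idfa:ab12", "cookie:c-77a1"],
  ["cookie:c-zz9", "user:2002"],   // a different consumer
];

// Constructed stores. Each system keys records by whichever identifier it uses;
// "derived: true" marks data produced by modeling rather than collected.
const STORES = {
  crm: { "user:1001": [{ field: "email", value: "j@example.com", derived: false }] },
  dmp: { "cookie:c-77a1": [{ field: "segment", value: "SEG_AUTO_INTENDER", derived: true }] },
  cdp: { "email_sha256:9f86d0": [{ field: "propensity_churn", value: 0.82, derived: true }] },
  mmp: {
    "idfa:ab12": [{ field: "lookalike", value: "LAL_HIGH_VALUE", derived: true }],
    "cookie:c-zz9": [{ field: "segment", value: "SEG_TRAVEL", derived: true }],
  },
};

// Consumer-readable meanings for opaque codes (constructed).
const SEGMENT_GLOSSARY = {
  SEG_AUTO_INTENDER: "inferred interest in purchasing a vehicle, based on browsing activity",
  LAL_HIGH_VALUE: "membership in a lookalike audience modeled on high-value customers",
  SEG_TRAVEL: "inferred interest in travel",
};

function describe(record) {
  if (record.field === "propensity_churn") return `predicted likelihood of cancelling: ${Math.round(record.value * 100)}%`;
  return SEGMENT_GLOSSARY[record.value] ?? `${record.field} = ${record.value}`;
}

// Access request: every record in every store keyed by any identifier in the
// requester's cluster, with derived data explained rather than returned as codes.
function fulfillAccess(graph, stores, requesterId) {
  const ids = graph.cluster(requesterId);
  const out = [];
  for (const [system, table] of Object.entries(stores)) {
    for (const id of ids) {
      for (const rec of table[id] ?? []) {
        out.push({ system, identifier: id, derived: rec.derived,
                   description: rec.derived ? describe(rec) : `${rec.field}: ${rec.value}` });
      }
    }
  }
  return out;
}

// Deletion request: remove matching records locally and emit one instruction
// per system that held data, so downstream partners can be notified and the
// instruction itself retained as evidence of the deletion.
function fulfillDeletion(graph, stores, requesterId) {
  const ids = new Set(graph.cluster(requesterId));
  const instructions = [];
  for (const [system, table] of Object.entries(stores)) {
    for (const id of Object.keys(table)) {
      if (ids.has(id)) { delete table[id]; instructions.push({ system, identifier: id, action: "delete" }); }
    }
  }
  return instructions;
}

function buildGraph(links) { const g = new IdentityGraph(); for (const [a, b] of links) g.link(a, b); return g; }

// Constructed demo: an access request submitted with only a hashed email.
console.log(fulfillAccess(buildGraph(IDENTITY_LINKS), STORES, "email_sha256:9f86d0"));
```

Two points carry over to real systems. The cluster is only as complete as the link evidence, so a DMP that never linked its cookie to the CRM account stays invisible to the request, which is the gap the NAI finding describes; and the deletion output is a list of instructions rather than a silent side effect, because the partner notifications are the artifact a regulator will ask for.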
New NAI Tools Worth Knowing About
Alongside the annual report, the NAI released or highlighted several tools and resources over the past year. For compliance professionals and anyone building consumer-facing privacy controls, these are worth knowing about:
GPC Browser Extension — A user-friendly browser extension that allows consumers to enable Global Privacy Control without technical expertise. Increased consumer GPC adoption means more businesses will need robust GPC compliance — this tool accelerates that dynamic.
NAI Member Badge — A verifiable badge that NAI member companies can embed on their websites, providing consumers with a visible trust signal. For members, this is a tangible benefit of compliance investment.
Consumer Input & Feedback Form — A channel for consumers to submit feedback or complaints about NAI member companies. This creates a direct accountability mechanism that sits outside formal regulatory enforcement channels.
Data Governance Checklist and Template (members-only, March 2026) — A practical documentation tool for the governance gap identified in the review findings. If your organization is a NAI member, this is immediately actionable.
Factor Analysis for Health-Related Sensitive Personal Information (February 2026) — A structured analytical tool for classifying health-related data as sensitive under applicable frameworks. Given the enforcement focus on sensitive data, this is practically significant for any company operating in health-adjacent advertising.
What This Means for Your 2026 Compliance Roadmap
Pull the five findings together and a clear set of 2026 priorities emerges. If your organization is involved in digital advertising — as an advertiser, publisher, ad tech vendor, data broker, or marketing technology platform — these are the areas that warrant prioritization:
Priority 1: Document your governance program If it isn’t written down, it doesn’t count. Build or update your data governance documentation so that every element of your privacy program has a written record, an owner, and evidence of review.
Priority 2: Complete a sensitive data classification review Audit your advertising data flows — including inferred and derived data — for sensitive data content. Apply the sensitivity frameworks from every law that applies to your organization. Document your classification decisions.
Priority 3: Rewrite your privacy notice rights section Replace conditional rights language with specific, accurate statements. Either offer universal rights or maintain a current state-by-state list. Review it with legal counsel before publishing.
Priority 4: Conduct a full GPC compliance audit Technical processing, privacy notice disclosure, and on-site indicator. All three, end-to-end. The January 1, 2026 on-site display requirement makes this time-sensitive if you haven’t addressed it yet.
Priority 5: Extend your DSAR process to advertising data Map your advertising data environment. Identify every system holding consumer-linked data, including derived and inferred data. Confirm that your DSAR workflow can fulfill access, deletion, and correction requests across that full environment.
None of these are quick fixes. But they are the specific areas where regulators are actively looking, where enforcement is following, and where the NAI’s own review cycle confirms the industry is falling short. Getting ahead of them now is meaningfully better than addressing them in response to a complaint.
Frequently Asked Questions
Do I need to be an NAI member for this to be relevant to my organization? No. The NAI’s review findings describe systemic compliance gaps that extend well beyond its membership. Any company involved in digital advertising — interest-based targeting, behavioral measurement, data brokerage, or programmatic advertising — should treat these findings as applicable.
What is the Global Privacy Control and do I have to honor it? GPC is a browser signal that communicates a universal opt-out from the sale or sharing of personal information. Under CCPA, businesses that sell or share personal information are legally required to honor it, and Colorado, Connecticut and several other states impose the same obligation through their universal opt-out mechanism rules. As of January 1, 2026, there is also a required on-site disclosure indicating whether GPC is being honored.
What counts as “derived or inferred data” for DSAR purposes? Any personal information generated about a consumer through analysis, modeling, prediction, or inference — as opposed to data directly collected from the consumer. In advertising, this includes interest categories, intent scores, propensity models, predicted demographic attributes, lookalike audience membership, and behavioral segments. Under CCPA and GDPR, these are subject to consumer rights requests.
How is the NAI’s Self-Regulatory Framework different from just following CCPA? The NAI’s framework applies specifically to the digital advertising ecosystem and includes standards and review processes tailored to that context. Compliance with the NAI framework generally supports but does not guarantee compliance with CCPA and other privacy laws. For advertising-specific guidance, the NAI framework is a useful complement to legal compliance — not a substitute for it.
What is the penalty for not honoring GPC? The CPPA can issue administrative fines of up to $2,500 per violation or $7,500 per intentional violation. Given that a single advertising campaign may serve millions of impressions to consumers who have activated GPC, the per-violation exposure is significant. The CPPA has been active in enforcement and has explicitly flagged GPC compliance as a priority.
NAI Compliance Report
The NAI’s 2025 Annual Report is not just a milestone document — it is a compliance signal. Seventy-plus privacy reviews, five systemic findings, and a set of new tools that respond to specific gaps: this is the self-regulatory body for digital advertising telling the industry, clearly and specifically, where the compliance work still needs to happen.
The five findings — governance documentation, sensitive data classification, rights disclosure language, GPC compliance, and DSAR scope — are not theoretical. They are the things regulators are examining, enforcement actions are turning on, and privacy review cycles are flagging as deficiencies in real organizations right now.
If your 2026 compliance roadmap doesn’t address all five, it needs an update, and Captain Compliance is the company to help you.
Captain Compliance helps organizations in the digital advertising ecosystem build and operationalize privacy programs that hold up to regulatory scrutiny, from data governance documentation through DSAR process design, GPC implementation review, and sensitive data classification frameworks.