An identifier by any other name? NAI issues Guidance on Deterministic Shared Addressability Identifiers (DSAIs)


NAI issues guidelines for Deterministic Shared Addressability Identifiers. Key points:

  • A Deterministic Shared Addressability Identifier (DSAI) is a unique identifier that is created by converting a Direct Identifier so that it cannot reasonably be used to directly identify a consumer but allows multiple parties to pseudonymously distinguish the same consumer over time and across websites, applications, and devices.
  • Deterministic Shared Addressability Identifiers do not include encrypted versions of such identifiers that can only be decrypted by the Participant or other Participants, where the encryption changes frequently enough to reasonably prevent the collection of Usage Information over time in combination with the DSAI (no more than every 24 hours).
  • Participants shall not use Social Security Numbers, other non-public government-issued identifiers, financial account numbers, or other similarly sensitive Direct Identifiers to create a DSAI.
  • Participants shall not use, or permit the use of, a DSAI to make any eligibility determinations about consumers, including for health care, insurance, employment, credit, tenancy or housing, or education.
  • Participants shall only create a DSAI using Direct Identifiers collected directly from the consumer to whom the DSAI relates.
  • In order to create a DSAI, Participants shall provide clear and conspicuous notice informing consumers that:

  1. The consumers’ email addresses, telephone numbers, or other permitted Direct Identifiers will be used for advertising purposes;
  2. The Direct Identifiers will be hashed before being shared with partners for the purposes of delivering relevant advertising and/or measurement of advertising’s effectiveness; and
  3. The consumers may, at any time, withdraw consent for the Participant’s use of the DSAI for Tailored Advertising purposes, along with instructions for such withdrawal of consent, if the Participant uses DSAIs for Tailored Advertising.

  • Participants may license DSAIs from other parties only if: (1) the Participant is able to identify the party that initially collected the Direct Identifier used to create the DSAI; and (2) the party that initially collected the Direct Identifier used to create the DSAI did so in accordance with the requirements of these guidelines, as well as all applicable laws, regulations, and existing self-regulatory principles.
  • Direct Notice: When creating or using a DSAI, Participants must include detailed information in their privacy notices including: how the DSAIs are collected, that they are shared and that consent can be revoked at any time.
  • Participants shall only use a DSAI for Tailored Advertising purposes with the Opt-In Consent of the consumer to whom the DSAI relates.
  • Participants engaging in collecting, disclosing, or otherwise sharing Sensitive Information in combination with a DSAI must obtain a consumer’s Opt-In Consent specific to the type(s) of Sensitive Information and use cases in question, distinct from general Opt-In Consent for the use of a DSAI for Tailored Advertising.
  • Participants may not create a DSAI for consumers they know to be under 16 years old, or otherwise use a DSAI to knowingly engage in Tailored Advertising to consumers under 16.
  • Participants shall employ reasonable technical, administrative, and procedural safeguards to protect the security of DSAIs and any information associated with DSAIs, including Usage Information.
  • In order to protect the integrity and security of DSAI ecosystems, Participants shall only disclose DSAIs to other Participants of the same DSAI ecosystem.
  • Participants shall retain any Usage Information collected with a DSAI only so long as necessary for the purpose for which it was collected, and no longer than 13 months.
  • Participants shall not link, or cause to be linked, Usage Information with Direct Identifiers, except and solely to the extent necessary to comply with a specific obligation of an applicable law.


Fritz von Allmen

*PERSONAL VIEW* Information- and Security specialist FDPIC | EDÖB

2 years ago

This states more questions than it solves (maybe that's why 2 of the 6 pages ask for solutions for unsolved matters). Furthermore:

- rights of data subjects are undervalued. No solutions or hints regarding the consistent handling of data subject access requests or the right of erasure, especially considering the "chain" of participants
- description of essential mechanisms such as opt-in do not meet regulations with higher standards as GDPR (opt-in does not need to be free, revocation not as easy as opt-in....)
- unsatisfying explanation why this deserves a separate guideline rather than integrating it into the Code of Conduct

Thank you for bringing it up Odia Kagan!

Jamal Ahmed

Award Winning Global Privacy Expert, Speaker & Media Commentator | Bestselling Author, Podcast Host & Career Coach | I Help Mid Career Professionals Become Confident, Capable & Credible World-Class Privacy Experts

2 years ago

This article is amazing Odia Kagan
