The National Advertising Initiative: Membership Problems of the NAI
For a formal self-regulatory group, the NAI membership includes only a fraction of the industry engaging in behavioral ad targeting. The low numbers have plagued the NAI for its entire existence. One aspect of the problem has been the establishment of a non-full compliance membership category.
When the FTC approved the NAI agreement, the understanding was that the self- regulatory body was going to include the majority of the industry players.
The bedrock of any effective self-regulatory or legislative scheme is enforcement. In a self- regulatory context, this means that nearly all industry members subject themselves to monitoring for compliance by an independent third party and to sanctions for non-compliance, which may include public reporting of violations or referral to the FTC.  [Emphasis added.]
In November 2000, the year the FTC approved the NAI agreement, 12 companies were listed as members. However, just one year after the NAI was formed, the membership consisted of five members. In 2002 and 2003, only two companies remained as members of the NAI. (See Figure 4). Companies have dropped out of and rejoined the NAI at will over the years, without any apparent consequence. The NAI website does not maintain a list of past members or show the dates members joined and dropped out of NAI. The only way that past membership could be determined was by reviewing obsolete pages stored by Archive.org.
The behavioral advertising industry itself is aware of the NAI membership issue. At the 2007 Behavioral Marketing Forum, ad industry expert Alan Chapell said in a panel:
There are at least 50 companies that are holding themselves out to be behavioral targeting companies, and there are about 10 companies give or take who are full compliance members of the NAI. So when less than 20 to 25 percent of the industry is participating in the industry’s own self-reg[ulatory] program, that’s kind of a flare that’s sent up to the FTC saying, well, what is the value of this program?
For me, I think the number one privacy issue is that the industry in and of itself has not embraced self-reg[ulation]. 
It does not appear that, at any time since 2000, NAI has represented a majority of the industry.
NAI Allowance of Non-Full Compliance Associate Members
The NAI established a “non-full compliance” membership category called “Associate Membership” beginning in 2002. The associate members of the NAI were allowed to be members of the NAI. However, associate members of the NAI were not required to comply with the NAI principles. In 2005 and 2006, the associate members outnumbered the full members. (See Figure 4).
The associate membership category was not part of the original NAI agreement, and its existence seems violative of the spirit if not the letter of the agreement. Appendix A includes a complete listing of Associate and full NAI members over time. The category of associate membership was apparently abandoned in 2007, with no explanation given.
It is both noteworthy and disturbing that TRUSTe – the NAI external enforcement mechanism – was allowed to become an associate member of the NAI for one year, in 2005. TRUSTe should not have been a member of the organization for which it provides enforcement. It is hard to understand why TRUSTe sought and why NAI allowed TRUSTe to become a member. Even though the membership lasted for only one year, it undermines TRUSTe’s supposed status as a neutral, independent overseer.
For a self-regulatory body whose purpose was to represent the network advertisers, NAI did not capture the membership it needed to be an effective, viable self-regulatory body. In addition, the creation of a category of non-compliant “members” calls into question the bona fides of NAI as a serious self-regulatory organization.
The NAI Definition of PII is Not Up-to-Date
The current NAI definition of personally identifiable information (PII), crafted in the 1990s, grew out of a culture and an economy still largely rooted in thinking about physical assets. Today, the economic structure prevailing in the U.S. increasingly embodies intangibles such as information and ideas. The definition of PII needs to move with the times. PII must expand beyond overly identifiable information and must include intangibles such as repeated online behavior that can be linked to a particular consumer.
The NAI currently defines PII as follows:
Personally Identifiable Information (PII) is data used to identify, contact or locate a person, including name, address, telephone number, or email address. 
A more complete, modern definition of PII includes information that can directly or indirectly identify a person, and includes behavioral identifications:
Personally Identifiable Information — Personally identifiable information (PII) consists of any information that can, directly or indirectly:
(1) identify an individual, including but not limited to name, address, IP address, SSN and/or other assigned identifier, or a combination of unique or non-unique identifying elements associated with a particular individual or that can be reasonably associated with particular individual, or
(2) permit a set of behaviors or actions to be consistently associated with a particular individual or computer user, even if the individual or computer user is never identified by name or other individual identifier. Any set of actions and behaviors of an individual, if those actions create a uniquely identified being, is considered PII because the associated behavioral record can have tracking and/or targeting consequences. 
The point is that consumer tracking can be accomplished in the absence of traditional overt identifiers such as name and address. It does not matter if a consumer’s name is known when that consumer’s information is used to present offers and opportunities, to establish a price for a product or service, or to otherwise make decisions about a specific consumer. The presence or absence of an overt identifier when these decisions are made is irrelevant when consumers are individually tracked.
Given that much depends on the definition of PII, the NAI cannot be an effective consumer protection instrument until the definition of PII is updated to reflect current thinking and practices and to provide consumers with fair treatment. Hiding behind an outmoded definition of PII only contributes more to the irrelevancy of NAI today.
 Federal Trade Commission Online Profiling Part2, July 2000 at 8.
 BM 2007, Panel discussion, Is Privacy the Third Rail? July 24 2007. Video: <http://www.brightcove.tv/title.jsp?title=1126051143&channel=429048905>.
 NAI FAQs, What is personally identifiable information? <http://www.networkadvertising.org/managing/faqs.asp>.
 Consensus document filed with the FTC for the Nov. 1-2, 2007 Workshop, Consumer Rights and Protections in the Behavioral Advertising Sector. <http://www.worldprivacyforum.org/pdf/ConsumerProtections_FTC_ConsensusDoc_Final_s.pdf >.
Roadmap: The National Advertising Initiative – Failing at Consumer Protection and at Self-Regulation: Part II: Discussion – Membership Problems of the NAI