Industry Briefs

Crossix POV: NAI Guidelines and
Personalized Advertising

February 2020

UPDATE: As of May 12, 2020, Crossix became an official member of the Network Advertising Initiative (NAI). Our products and solutions were built to be privacy-safe and have always met or exceeded the NAI Code of Conduct, so we are excited to formalize our commitment to upholding the NAI’s industry-leading standards of consumer transparency and choice in digital advertising.

Healthcare Communication is Part of Healthcare

Effective communication is an essential part of healthcare. Multiple entities have a need to speak to consumers, including government and public health agencies, non-profits, marketers educating consumers with disease awareness campaigns, and marketers promoting specific therapies and treatments.

To help these groups communicate with a relevant health audience, Crossix has developed HIPAA-compliant and privacy-safe audience targeting solutions. Borrowing from accepted and validated approaches used elsewhere in healthcare, Crossix has introduced an “enhanced demographic” approach for targeted health marketing.

Development of Crossix Audience Segments

Similar to how epidemiologists use demographics like age, gender, lifestyle, geography, etc. to understand the types of people most likely to be at risk for certain conditions, Crossix has introduced a modern version of this using a federated/distributed approach, preserving privacy by avoiding the need to centralize and combine lots of data. The output of the Crossix process is simply the relationship of various demographic variables to a condition. Not only is this HIPAA-compliant, but the output has nothing specifically to do with marketing or targeting at that point.

Crossix uses the output, a propensity model, to score the US adult population based only on national consumer database variables, in order to assess the relative likelihood an individual will be in a desired audience. After scoring the population, Crossix creates segments by dividing the population into 10 equal parts, or deciles. The first decile represents the 10% of the US adult population most likely to be in the desired audience, the second decile is the next 10% most likely, and so on. Segments are activated only at these 10% decile increments, targeting groups of 10-25 million people.

At a fundamental level, the Crossix approach strikes an appropriate balance between a reasonable expectation of privacy and the value of distributing helpful information to a relevant audience. Crossix segments do not use healthcare information of individuals to target those individuals, do not use online behavioral information and are available to target groups no smaller than 10-25 million US adults.

Compliance with the 2020 NAI Code of Conduct

On January 29, 2020, the Network Advertising Initiative (NAI) issued new guidance to its 2020 Code to provide member companies with an updated self-regulatory framework for health-related ad targeting.

Crossix audience targeting continues to be fully compliant with the 2020 NAI Code of Conduct. The new health targeting guidance clarifies that Crossix audience segments are de-facto Non-Sensitive Information, and do not require opt-in consent from users. Across therapeutic conditions, health audience segments created by Crossix:

  1. Target at least 10% of the total targetable population;
  2. Are based only on demographic attributes including age, gender, education level and residential setting; and
  3. Are labeled based on the demographic makeup of the audienceThese characteristics establish Crossix audience segments as non-sensitive under the NAI Code.

These characteristics establish Crossix audience segments as non-sensitive under the NAI Code.

Targeting Approaches to Avoid

Segments containing some individuals based on their actual healthcare data

Any health targeting approach that uses Sensitive Information, such as actual medical records or online browsing behavior, requires opt-in consent from users. The 2020 NAI Code of Conduct specifically prohibits the use of an individual’s health data to target that individual, without opt-in consent.

There are approaches in the marketplace that are in direct conflict with this provision of the Code, including segments that include individuals based on their sensitive healthcare data, with added individuals without the condition (also known as “noise”). These approaches assume that if you add sufficient noise the actual patients cannot be identified. However, any use of actual healthcare data, even if for one person, is prohibited by the 2020 NAI code, and violates an individual’s reasonable expectation of privacy around their healthcare data. Medical records are explicitly off limits for targeted advertising.

Actual healthcare data more precise than ZIP-level

Geo-targeting at the 9-digit zip code level (also known as zip+4) based on actual healthcare data (e.g., medical records) is considered Sensitive Information under the 2020 NAI Code. In rural areas of the country, 9-digit zip may target as few as three households (see for example ZIP 81650-3110). Furthermore, certain conditions are strongly associated with age and gender, further risking re-identification of the actual person in the 9-digit zip code who is the target of a sensitive health condition ad. In other words, this approach may violate consumers’ reasonable expectation that their actual health data will not be used to target advertising to them and may introduce HIPAA risks into the scenario (is the data properly de-identified in the first place?).

Responsible Marketing of Health Information

Crossix believes that advertisers, platforms, and publishers should follow responsible business and marketing practices, not only with respect to data usage in media, but also considering and respecting consumers’ experiences with health messaging. This includes best practices such as exposure limits (frequency management over time and in total) for marketing sensitive conditions and appropriate creative based on the marketer, message, and platform.

A Note on HIPAA-Compliance and Consent

To determine the most relevant consumer characteristics for audience segments, Crossix analyzes massive amounts of de-identified information across its distributed data network. Under HIPAA, no consent or opt-in is required when working with de-identified health data. The Crossix approach is HIPAA-compliant, as reviewed under the expert determination method.

Crossix is happy to discuss segment methodology, NAI compliance, HIPAA compliance or any other questions at your convenience.

Interested in learning more about how Veeva can help?