Clean Rooms Aren’t A Data Free-For-All

Gary Kibel, a partner in the privacy/data security and advertising/marketing practice groups at Davis+Gilbert

Clean rooms are all the rage these days. They enable parties to engage in certain data processing activities in a more secure and privacy-friendly manner.

Putting data in the possession of a presumably trusted third party makes a world of sense. But while clean rooms are very useful for some things, it is questionable whether they are the panacea for all privacy-compliance challenges.

Restrictions on clean rooms

The term clean room is meant to describe a helpful structure: a neutral intermediary analyzing data of multiple parties without allowing unauthorized access to personal information. The inputs are tightly defined and the outputs are even more specific.

However, the activities within the clean room and the outputs may still have a privacy impact, since clean rooms can be used for matching data, appending data, cross-referencing data sets and other purposes.

For example, the California Privacy Rights Act (CPRA), which introduced a new wrinkle to how the California Consumer Privacy Act (CCPA) defines “service providers,” has important implications for clean rooms. Classifying a business’s recipient of personal information as a service provider is very beneficial, since otherwise the recipient might be deemed a “third party” to whom a business is “selling” personal information. In that case, the business would have to provide consumers with the ability to opt out of such sales.

Under the CCPA, a service provider is prohibited from retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract with the business. However, service providers could use the data for certain internal purposes, such as improving the quality of services being provided to that business client.

But the CPRA introduced a new restriction for service providers: service providers are now prohibited from “combining” personal information that they receive from, or on behalf of, their clients with personal information that the service providers receive from, or on behalf of, another person or persons, or that the service providers collect from their own interactions with a consumer. 

That one word, “combining,” has led to tremendous angst in the ad tech industry since most activities involve combining data from different sources to develop analytics or improve targeting.

The CPRA still allows service providers to use the data internally to build or improve their services, but just for those services provided to that one client and as long as they stay away from “combining” personal information from different sources.

A call for clarity

Amid the confusion, the industry needs standards and consistency. Tech specs from the IAB Tech Lab are forthcoming and will be an important step in the right direction. 

But it is incumbent upon the actual users of clean room services to carefully focus on the purpose and instructions for using them so they don’t inadvertently trigger new compliance obligations. One can’t just wash their hands of any privacy impact merely because they are using a clean room.

Perhaps we all just need to channel our parental instincts: “That room better be clean or you’re not going out tonight!”

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
