The Federal Trade Commission published a blog post last week warning companies that using a data clean room isn’t some kind of get-out-of-compliance-free card.
And the first paragraph is a doozy.
“Don’t judge a book by its cover – how a technology is named doesn’t tell you how it is used. This is the case with Data Clean Rooms (“DCRs”), which are not rooms, do not clean data, and have complicated implications for user privacy, despite their squeaky-clean name.”
Well then.
Data clean rooms have become widely adopted in the online advertising industry over the past three to four years as an ostensibly privacy-friendly solution for combining and analyzing first-party data.
The industry-accepted definition of a data clean room, per the IAB Tech Lab’s guidance released last year, is a secure collaboration environment in which two or more parties can use data for very specific, mutually agreed-upon purposes while simultaneously limiting any exposure of the data.
What could be wrong with that?
Potentially a bunch of things, according to the FTC.
‘Not silver bullets for privacy’
Although the FTC acknowledges that data clean rooms can add privacy protections and address certain risks when configured properly, they’re not magic and could be used for privacy washing.
“DCRs, like other technologies that claim to protect privacy, can also be used to obfuscate privacy harms,” the FTC notes.
In other words, implementing a data clean room doesn’t automatically mean data is being managed securely and doesn’t absolve a company from its legal obligation to properly handle personal information.
And also like any other technology, data clean rooms “are not silver bullets for privacy,” the FTC says. Using a data clean room (we hold the line on the DCR acronym, defying the FTC) isn’t a privacy guarantee.
Although data cleans rooms limit data sharing, they can also “provide a pathway for information exchange between untrusted parties,” according to the FTC, and “increase the volume of disclosure and sale of data.”
’Bout time
A blog post written by FTC staff isn’t an enforcement action, and none of the commissioners have their name on it. But it should be taken seriously all the same and regardless of the coming change in administration.
Because this is the FTC being very explicit that data clean rooms are on its radar.
And it’s about time, says Jeffrey Chester, executive director of the Center for Digital Democracy, a DC-based nonprofit consumer advocacy group, which urged the FTC to investigate data clean rooms and what he calls “the industry’s disingenuous claims that the clean room process is designed to protect privacy.”
“Clean rooms are, in fact, a tactic to convince uninformed regulators that somehow privacy is protected and consent given,” Chester tells me. “The opposite is true, and the FTC has now gone on record warning the industry that it better review its claims and operations.”
The industry, however, and unsurprisingly, takes a somewhat different view.
Room for improvement
I gathered comments from three companies that operate in the data clean room/data collaboration space – InfoSum, Habu/LiveRamp and Optable – and they all had a similar flavor: “We welcome the feedback, but (dot, dot, dot).”
Increased scrutiny “is valuable and necessary,” says Matt Karasick, VP of product at LiveRamp, and former chief product officer at the data clean room Habu before it was acquired by LiveRamp earlier this year.
“The clean room itself is not a privacy-enhancing technology nor a guarantee of anything,” Karasick says. But “if you’re using a clean room in the way it should be used, the audit trail will exist to prove policies were enforced.”
Karasick also takes issue with the FTC’s characterization of clean rooms as vehicles for data sharing. The entire point of a data clean room is that the data isn’t shared, he says. “Clean rooms can ensure no consumer record is shared and offer configurations that automate data protection to minimize technical resource strain.”
Frankly, says InfoSum CEO Lauren Wetzel, a data clean room that operates in any other way isn’t really a proper data clean room at all.
“Not all these solutions are created equal,” says Wetzel, noting that the “DCR label” is frequently misused. “True DCRs should deliver both privacy and performance where privacy-enhancing technologies are the default and not an option – this is nonnegotiable.”
Regardless, data clean rooms are really just a starting point.
To meet privacy needs and create business value, they need to be part of a broader approach to data collaboration, says Vlad Stesin, co-founder and chief strategy officer at Optable, which contributed to the Tech Lab’s Open Private Join and Activation clean room interoperability standard last year.
“The truth is, data clean rooms can be complicated and hard to use, which is why we need end-to-end solutions that make the process easier,” Stesin says.
But, more importantly, brands and publishers shouldn’t use data clean rooms as a crutch.
“We agree with the FTC that companies must take responsibility for protecting data and clearly explain how it’s collected, used and shared,” Stesin says. “Privacy is about earning trust, not just checking boxes for compliance.”
🙏 Thanks for reading! And here’s some very important mews: Apparently, if you brush your cat’s head with a wet toothbrush, it reminds them of being cleaned by their mother. As always, feel free to drop me a line at [email protected] with any comments or feedback.
