April 1st, 2022
Are “Privacy-First” Clean Rooms Safe From Regulators?
Privacy & Data Security Group Chair Daniel M. Goldberg was quoted in the article, “Are ‘Privacy-First’ Clean Rooms Safe From Regulators?” published by Cybersecurity Law Report. The article discusses “data clean rooms,” which enable companies to share consumer data with each other for targeted marketing while supposedly protecting privacy. Daniel is quoted saying, “Does this really move the industry forward? Or are we solving the issue of the disappearing third-party cookie, but bringing companies another bucket of privacy concerns?” He adds, “Not all data clean rooms rely on the same technology or security measures. They definitely could be subject to scrutiny, especially by regulators who don’t understand the technical nuances in the technology.”
Daniel comments on the claimed protections of a clean room: “You can use your first-party data to facilitate the types of advertising that you wanted to do previously. Don’t worry about the fact that third-party cookies are going away. We will still allow you to achieve what you need to be achieving.” Company interest in clean rooms is positive, Daniel noted. This shows a company is “already thinking about the sophistication and importance of deidentifying data and the security around it,” he said.
Daniel says, “From a regulatory perspective, using a clean room sounds great in theory” because clean rooms have promoted themselves as privacy secure. However, Daniel notes, “clean rooms each have their secret sauce, with proprietors citing ‘fragmented architectures’ and other obscure approaches to protect PII.” One recently acquired start-up, DataFleets, noted that its clean-room technology “is very cutting edge and uses privacy-preserving algorithms coming out of academia and other corporate research programs.”
Regulators have already batted at adtech magic, Daniel said. They may look past the de-identified means of data sharing to focus on its ends: companies are using clean rooms to effectively target consumers on a one-to-one basis. He says, “A regulator’s interpretation may be that there should not be any individually targeted ads in the ecosystem at all, period.”
Given the potential regulations around clean rooms, Daniel says, “Companies should investigate how the provider strips out identifiers and stops reversals of the process. Companies must confirm the clean room’s deidentification approach sufficiently ensures that one is not able to re-identify people in any context.” Daniel advises, “Companies should check the security of the systems to ensure that access restrictions are operating and rely on two-factor authentication or stronger measures.”
Daniel suggests that a marketing or sales team review the contract language: “A marketing team or sales team is talking to the sales representative of the clean room, who will make all these promises around how it works. When you look at the contractual language, it doesn’t necessarily impose all those obligations or expressly state or incorporate those.”
“Get on the line with the technical team, those who actually are responsible for the product, so they can explain to you how the product works,” Daniel says. Ask questions around what data goes in and how the data is joined with other data. What type of analytics can each party perform on the data? Companies considering using a clean room should confirm that the contract specifies the implementation measures, Daniel adds. The contract also should show what type of data can leave the room. “One reason that these clean rooms exist and are effective is because they compile the data of many, many different customers,” Daniel adds in conclusion.
Read the full article here. (Behind paywall)