Quoted

April 1st, 2022

Are “Privacy-First” Clean Rooms Safe From Regulators?

Privacy & Data Security Group Chair Daniel M. Goldberg was quoted in the article, “Are ‘Privacy-First’ Clean Rooms Safe From Regulators?” published by Cybersecurity Law Report. The article discusses “data clean rooms” which enable companies to share consumer data with each other for targeted marketing while supposedly protecting privacy. Daniel is quoted saying, “Does this really move the industry forward? Or are we solving the issue of the disappearing third-party cookie, but bringing companies another bucket of privacy concerns?” He adds, “Not all data clean rooms rely on the same technology or security measures. They definitely could be subject to scrutiny, especially by regulators who don’t understand the technical nuances in the technology.”

Daniel comments on the claimed protections of a clean room, “you can use your first-party data to facilitate the types of advertising that you wanted to do previously. Don’t worry about the fact that third-party cookies are going away. We will still allow you to achieve what you need to be achieving.” Companies having an interest in clean rooms is positive, Daniel noted. This shows a company is “already thinking about the sophistication and importance of deidentifying data and the security around it,” he said.

Daniel says, “From a regulatory perspective, using a clean room sounds great in theory” because clean rooms have promoted themselves as privacy secure. However, Daniel notes, “clean rooms each have their secret sauce, with proprietors citing ‘fragmented architectures’ and other obscure approaches to protect PII.” One recently acquired start-up, DataFleets, noted that its clean-room technology “is very cutting edge and uses privacy-preserving algorithms coming out of academia and other corporate research programs.”

Regulators have already batted at adtech magic, Daniel said. They may look past the de-identified means of data sharing to focus on its ends: companies are using clean rooms to effectively target consumers on a one-to-one basis. He says, “A regulator's interpretation may be that there should not be any individually targeted ads in the ecosystem at all, period."

Given the potential regulations with clean rooms Daniel says, “Companies should investigate how the provider strips out identifiers and stops reversals of the process. Companies must confirm the clean room’s deidentification approach sufficiently ensures that one is not able to re-identify people in any context.” Daniel advises, “Companies should check the security of the systems to ensure that access restrictions are operating and rely on two-factor authentication or stronger measures.”

Daniel suggests a marketing or sales team to learn about the contract language review, “A marketing team or sales team is talking to the sales representative of the clean room, who will make all these promises around how it works. When you look at the contractual language, it doesn’t necessarily impose all those obligations or expressly state or incorporate those,” he said.

“Get on the line with the technical team, those who actually are responsible for the product, so they can explain to you how the product works,” Daniel says. Ask questions around what data goes in and how the data is joined with other data. What type of analytics can each party perform on the data? Companies considering using a clean room should confirm that the contract specifies the implementation measures, Daniel adds. The contract also should show what type of data can leave the room. “One reason that these clean rooms exist and are effective is because they compile the data of many, many different customers,” Daniel adds in conclusion.

Read the full article here. (Behind paywall)