When the FTC speaks, listen carefully. On November 13, 2024, staff in the Commission’s Office of Technology and Division of Privacy and Identity Protection released a new blog titled “Data Clean Rooms: Separating Fact from Fiction.” It recognizes the potential benefits of DCRs, but warns that their misuse or misconfiguration can turn a promising data sharing and analytics tool into a serious privacy liability. 2024 has seen regulatory focus on topics such as unauthorized disclosure via SDKs and misleading generative AI claims; now, that spotlight has shifted to include DCRs. 

What’s the deal with data clean rooms?

DCRs are cloud data processing services that let companies exchange and analyze data, constrained by rules limiting data use. They offer a secure environment for multiple parties to merge and match first-party data under predetermined conditions, generating new analytics according to agreed-upon rules to protect personal data. Common privacy and security measures include pseudonymization, restricted access, differential privacy, and noise injection.

DCRs can help marketing, advertising, and data analytics businesses generate better audience insights, profile enrichment, measurement, and attribution. They have been proposed as a panacea to the strict rules imposed by data privacy regulations and platform pressures like Apple’s App Tracking Transparency Framework or Google’s third-party cookie deprecation. However, the FTC warns DCRs may not be a silver bullet.

Transferring data to DCRs under existing legal frameworks has not always been a seamless fit. For instance, whether the transfer is governed by a service provider or third-party relationship can depend on the DCR provider's rights and obligations in relation to the data and have different consequences for the consumer and underlying contract.

What does the FTC say?

Privacy authorities have been curious about clean rooms of late. At a 2024 IAPP Global Privacy Summit session, former California Privacy Protection Agency Executive Director Ashkan Soltani expressed skepticism about their potential as a privacy-preserving technology. Now, the FTC has added its voice to the chorus of concerned regulators. When the agency with authority over deceptive practices raises concerns about potential consumer deception in its blog posts, businesses should note that investigations and enforcement actions may follow.

The FTC warns businesses of DCR use pitfalls, including the failure to configure and deploy proper constraints and the creation of new data breach risks. It compares DCR data sharing to cases involving unauthorized disclosure, like BetterHelp, GoodRx, InMarket, and X-Mode, and misleading technology claims to Snapchat and Zoom settlements. The blog assesses DCR privacy promises through the lens of its Section 5 authority, leaving instructive lessons for businesses using or planning to use DCRs.

What can businesses do?

Conduct due diligence for clean room providers. Ensure provider contracts contain appropriate data use terms, review code, platform functions and configuration, and consider reputation. Businesses should understand relevant data flows and the rights and obligations of the DCR provider and other parties.

Critically evaluate DCR marketing claims, ensuring privacy protection and data security statements are accurate and substantiated.

Don’t rely on default DCR settings and deploy constraints according to data protection laws and agreements. This care should extend to how a business transfers data sets before uploading to a DCR. For instance, when transferring sensitive data sets prior to uploading, businesses should avoid insecure methods like email.

Train relevant personnel on proper DCR use and configurations to ensure employees understand the consequences of usage and prevent contractual and regulatory privacy violations.

Closely monitor regulatory developments as the FTC and other regulators scrutinize DCR implementations and may issue additional guidance.