The FTC has set its sights on the adtech industry once again (it feels like there’s a pattern here), this time scrutinizing the emerging data clean rooms (DCRs) space.
In a new blog post, the FTC argues that “DCRs, like any technology, only protect privacy when companies choose to prioritize it – the technology itself isn’t inherently protective.” The post makes a series of claims about DCRs, suggesting that:
- Data clean rooms do not automatically apply privacy safeguards. Companies must intentionally configure and enforce constraints for them to be effective.
- Data clean rooms can be used in ways that make it easier to identify and track individuals across both the web and the real world.
- Data clean rooms create additional points of data access, increasing the risk of leaks and breaches.
This critique comes on the heels of a February blog post where the FTC criticized privacy-enhancing technologies (PETs), which aim to protect user data while enabling product functionality.
The latest post basically concludes with a threat or a warning, depending how you look at it: “Liability for violations of the FTC Act isn’t magically mitigated by clever technology. Simply using a DCR to disclose consumer data won’t help a company avoid liability.”
Why This Matters:
Organizations in digital marketing and advertising often need to share audience or customer data across internal teams and external partners. To address privacy concerns, data clean rooms have emerged as a popular solution for securely managing and sharing first-party data.
For example, according to the IAB State of Data Report 2023, about two-thirds “of companies leveraging privacy-preserving technologies are using DCRs.” Gartner also estimates there are currently 250 to 500 active or in-development data clean room deployments.
According to the IAB, data clean rooms “specifically have risen as an essential technology by enabling privacy-compliant data matching and sophisticated cookie-agnostic measurement capabilities across the buy- and sell-sides, and therefore mitigating concerns that data decision-makers have had with other privacy-preserving technology.”
The FTC, however, is watching the rise of DCRs with some skepticism, essentially saying, “Hold on a minute.”
Experts React:
Lauren Wetzel, CEO of InfoSum, a top data clean room provider, responded by noting that the FTC’s post really points out “the misuse of the DCR label.” She explained that InfoSum has “long maintained that not all DCRs are created equal, and this analysis only reinforces that position.” Wetzel emphasizes that true PETs must be “enabled by default.” She criticized DCRs that allow full access to personal data, saying such configurations “should never be an option in a true DCR.”
Wetzel went on to add: “DCRs should be purpose-built to prevent errors. Our PETs are embedded into our infrastructure, making it impossible to misconfigure, and they can’t be turned off. Additionally, no permission ever grants access to another company’s personal data. Companies investing in DCRs should heed this as a warning not to settle for ‘DCR-lite’ solutions. We agree that DCRs alone are not a single solution to all data privacy concerns; no single PET is.”
See her full response here.
Our Take:
The FTC has an increasingly antagonistic relationship with the adtech industry, which is sad given it plays a key role in keeping much of the internet free to use. Under the incoming Trump/Elon Musk administration, it will be interesting to see if any of this changes.
