Data clean rooms (DCRs) are hyped as a privacy-safe alternative to audience targeting, but the FTC isn’t buying it.
In a blog post, the FTC says that DCRs “are not rooms, do not clean data, and have complicated implications for user privacy, despite their squeaky-clean name.”
And they have a message for any brand or publisher that uses them: the commission plans to monitor this sector from now on, so make sure the DCR you use is configured and implemented to protect privacy.
What’s Really at Stake?
“A clean room is not a washing machine. You can’t throw a Tide pod in and say it is clean,” says Richy Glassberg, co-founder and CEO of SafeGuard Privacy. The FTC’s message is equally blunt: they’re watching for companies trying to use DCRs as privacy theater.
The agency is particularly concerned about three types of behavior: using DCRs to evade privacy obligations, making deceptive claims about data sharing based on DCR use, and hiding problematic data practices behind the technology. As Jessica B. Lee, Chief Privacy & Security Partner; Chair, Privacy, Security & Data Innovations at Loeb & Loeb notes in a LinkedIn post, this follows a similar pattern to the FTC’s earlier warnings about hashed data. They’re not against the technology per se, but they’re drawing hard lines around its misuse.
The stakes are significant. “Companies must do their due diligence on all parties that they share data with,” Glassberg told AdMonsters, “and a clean room does not act as your due diligence or assessment. Your obligations don’t magically disappear when you use a clean room.”
The FTC’s enforcement history suggests they’ll take action against companies that try to use DCRs as a smokescreen for privacy violations.
The Configuration Conundrum
At the heart of the FTC’s warning is the assumption that DCRs are privacy-preserving by default. In reality, many DCRs allow full access to all data out of the box, leading to configuration issues that can land the publisher or brand that uses them in hot water.
Matt Karasick, VP of Product, Insights, at LiveRamp, agrees that configurations can be a problem, but they can also be a solution. “The clean room itself is not a privacy-enhancing technology nor a guarantee of anything,” he told AdMonsters in an email. “It’s an environment that operates within the privacy and governance controls established by the companies involved, helping to enforce trust boundaries and prevent data misuse.”
This is where the technical details become crucial. As Lee points out, “The devil is in the details, which can be quite technical, but critical to understanding the legal risks.” DCRs that default to allowing data combination and extraction may pose the same privacy risks as cookies or pixels. But when properly configured with appropriate constraints, they can offer genuine privacy benefits.
Going further, LiveRamp argues that the right configuration can actually streamline privacy protection: “Clean rooms can ensure no consumer record is shared and offer configurations that automate data protection to minimize technical resource strain.” This differs from traditional data sharing, which often relies on lengthy legal documents rather than technical guardrails.
This balance between technical capabilities and practical implementation speaks to a broader industry conversation about the role of DCRs in privacy protection.
Many Views of DCR Value
Although DCRs are accepted as privacy tools, they’re not without their detractors. Do DCRs represent meaningful privacy progress or just another layer of technical obfuscation?
Privacy advocate and Digiseg CEO Søren Dinesen takes a hard line, saying “I have strong reservations about data clean rooms; they amount to little more than consent laundering and fall short in addressing core privacy concerns.” His fundamental issue? “While clean rooms anonymize data, they still allow for user tracking without explicit consent, which ultimately undermines true privacy protection.”
LiveRamp disagrees with Dinesen’s view, but Karasick still challenges the FTC’s characterization of DCRs as primarily data-sharing tools. “A primary use of clean rooms is for analytical use cases that don’t require actually exposing the underlying personal data to the other party. Typical data sharing gives your data to partners with 100 pages of legal documentation requiring they don’t misuse it. Data collaboration via a clean room allows you to skip the complicated contracts to ensure you can only do what you and your partner agree to.”
Glassberg lands somewhere in the middle. While warning against treating DCRs as automatic privacy solutions, he notes that “when you are doing your due diligence and assessment of all of your partners and have the proper contracts in place, a clean room is an incredibly powerful technology that enables you to transact with your data in a safe way.”
While these industry experts may disagree on DCRs’ ultimate value, they align on one crucial point: DCRs aren’t inherently good or bad. Their value depends entirely on how they’re used, how they’re configured, and what problems users try to solve with them.
What Publishers Need to Know
Jessica Lee identifies three key areas of FTC scrutiny that publishers should watch: First, how your DCR is configured matters. Default settings that allow unrestricted data combination and extraction raise the same red flags as cookies and pixels. Second, the FTC will examine whether DCRs are being marketed deceptively. And third, they’ll look at whether companies are using DCRs to obscure their actual data practices.
LiveRamp offers practical guidance for implementation: “If you’re using a clean room in the way it should be used, the audit trail will exist to prove policies were enforced.” Karasick recommends looking for clean rooms that “allow companies to set privacy guardrails from the start and avoid the need to build every control” and can “ensure no consumer record is shared.”
But technical safeguards aren’t enough. Glassberg emphasizes the need for comprehensive due diligence: evaluating partners, establishing proper contracts, and maintaining oversight. Clean rooms should be part of your privacy strategy, not a replacement for it.
The Bottom Line
You can’t just implement a DCR and assume they’re privacy-compliant. You need to:
- Understand and document exactly how your DCR is configured
- Verify what data is being shared or exposed
- Maintain clear records of all data practices
- Be transparent about how you’re using DCRs
- Prepare for increased regulatory scrutiny in this space
DCRs are a powerful tool when used correctly, but they are not a silver bullet. With the FTC promising heightened scrutiny, the responsibility for privacy compliance still lies squarely with the companies that use them.
The post The FTC Casts Shade on Data Clean Room Privacy Promises appeared first on Chief Marketer.