For all marketer excitement about the capabilities of data clean rooms, there has been a growing misconception that the data within them is automatically privacy safe.
While there haven’t (yet) been any high-profile data breaches connected with clean rooms, some in the ad industry are trying to limit the likelihood that there will be, and are putting steps in place to continue building confidence among buyers and sellers around data sharing.
“Just because one uses data clean rooms that doesn’t mean it’s the best in terms of privacy compliance,” said Marc Rossen, svp, investment and activation analytics at OMG. “There’s a lot of considerations that go into privacy compliance and data sharing.”
There are several areas to uphold data privacy within clean rooms that buyers and sellers should be aware of, particularly around moving away from hashed email address matching, getting consented user data, pushing for transparency over privacy-enhancing technologies (PET) and mitigating risks with overlapping data.
“There’s an increasing amount of debate whether the anonymization process in cleanrooms truly does anonymize data,” said a global media executive, who requested anonymity to freely discuss industry relations. As a result, some marketers are increasingly becoming wary of using data clean rooms, the executive said.
Compounding the matter is that there are a number of different clean rooms available with different processes, including independent firms like Infosum and Habu and those built by walled gardens, like Google’s Ads Hub. The latter group has run into trust issues with marketers who are voicing frustration with the limitations and compulsion to use walled data clean rooms.
And the concern is growing that clean rooms will be targeted by regulators since user consent for using and passing customer data is increasingly under scrutiny, as shown by recent fines from Sephora and Kochava.
“The biggest risk of using clean rooms is it will come under increasing regulatory scrutiny,” the media exec said.
PETs replace hashed email matches
Currently, the encryption used to translate first-party data into the format it can accurately be read in the clean room isn’t effective, and the process leading up to that encryption is poorly managed, according to the media exec.
This includes gaining peoples’ consent as well as both parties agreeing on a common encryption method.
The IAB Tech Lab mentions 11 encryption methods. Among them is multiparty computing—a substitute for hashed email matching—that ensures sales or ad exposure data never gets transferred to either party. Hashed email address matching is not considered best-in-class for privacy compliance.
