Clean rooms are required to deploy one or more of these PETs. For example, Infosum uses multiparty computing alongside homomorphic encryption and pseudonymization, among others.

“Clients should ask their agencies and clean room providers what the PET standards are and what’s the approach taken to utilize those standards,” said Rossen. “Without that transparency, we’re just going back to a place of a black box.”

Data leakage risks

Along with its data clean room standards, the IAB Tech Lab launched the Open Private Join and Activation (OPJA) specification to address interoperability within clean rooms. The goal is to find overlapping audiences between buyer and seller data sets and provide a framework to enhance that audience activation without transferring PII between the buyers and sellers.

However, the IAB Tech Lab points to multiple scenarios, albeit not nefarious, where overlapping audiences could lead to information leakage in a data clean room.

In one such case, an advertiser may perform multiple successive matches with a publisher using OPJA, taking special care to insert and remove an individual PII match key records and observe the outputted match rate to determine whether the added or removed record is present in the publisher’s inputted records. Matching system designers could introduce noise or minimum thresholds to the match rate results, mitigating the effects of this in practice.

There’s also a lack of due diligence among marketers and their data collection who digress from data minimization—a core tenet for data security within clean rooms. These include collecting data around sensitive attributes such as age, gender, race and income.

Not only does this create matches in a way that becomes discriminatory, as seen in the 2021 Facebook case, but for brands operating in categories like pharmaceutical or healthcare, it’s not worth the reputational risk of matching data within clean rooms, the media exec said.

“What advertisers need to understand is that while the tool itself may be secure, ultimately, a clean room is just a tool to enable data collaboration,” said Arielle Garcia, chief privacy officer at UM Worldwide. “Advertisers still need to make sure that the appropriate disclosures and permissions, like offering and honoring opt-out requests, are in place.”