Clean room and privacy - What the FTC left out

The FTC's blog post "Data Clean Rooms: Separating Fact from Fiction" prompted a sharp but nuanced discussion about what clean rooms actually do—and don't do—for privacy compliance. The central premise the FTC addressed, that placing data in a clean room magically resolves privacy obligations, was already a well-worn critique from the legal community. The core point stands: putting data into a clean room does not retroactively create permission to use it. Businesses must still ensure proper legal basis for what goes in, what is processed, and what comes out. However, the FTC blog's broad strokes fail to account for the significant variation in how clean rooms are actually used. There is a meaningful difference between internally processing retained data in a secure environment like AWS and using a clean room to match and activate data for targeted advertising. Privacy-enhancing technologies built into clean rooms—such as minimum segment size thresholds and k-anonymization—do provide genuine data security benefits. But those tools address how data is handled, not whether a company had the legal right to use it in the first place. That obligation remains squarely with the business. Clean rooms are still a nascent technology, and industry working groups are actively developing standardized terminology and guidelines. Businesses should not look to their clean room provider for legal sign-off on whether a given use is permissible—that requires a proper legal analysis accounting for the patchwork of applicable laws. Companies must be granular: understanding what data enters the clean room, on what legal basis, what processing occurs inside, and what outputs are generated. Continued peer benchmarking and industry dialogue are essential, particularly as regulators themselves are still in the process of getting up to speed.

**Colleen:** Can I ask you about clean rooms? **Alysa:** You may ask me about clean rooms. **Colleen:** So the FTC came up with a blog last week, data clean rooms separating fact from fiction. And they start with this premise that people thought that you could throw whatever you wanted to in terms of data into a clean room, and it would just fix everything from a privacy perspective. And so my first thing is, did anybody actually think that? Did anyone actually thought that outside of marketing? **Alysa:** But I will say that from the lawyer side of the house, we had we've been criticizing for quite a bit that it just because you call it a clean room is not a magic halo as to what happens. So that is a truism. No argument from us there. **Colleen:** One of the pieces that kinda stuck out to me in the FTC blog was they don't prevent impermissible disclosure. So this idea that if you didn't have permission to throw that data in the clean room or to use that data with whatever output you had in the clean room, it doesn't fix that. If any business out there thought it's in the clean room, it's good. No. You need to think about what you're throwing in there, and it needs some proper permission. **Alysa:** I mean, I so I think parts of that are right, and I I took issue with some of the broad strokes in that blog post, but I I didn't think was that all constructive because the facts matter. So for example, you're not gonna ask permission from customers if you're gonna process hold retained data in AWS. Right? And I think that's a different scenario than if you are taking data to match and then activate for, let's just say, targeted advertising purposes. Those are different things. And so I think the broad strokes doesn't really highlight what are you doing in the clean room. I think at a minimum there's some data security components that are positive, and yes your privacy policy has to account for the disclosures that you are doing if there is in fact a disclosure that is occurring in the clean room. But there's a lot of things there's a lot of options that companies have in how they use a clean room, and there's a lot of tools and technologies available. Doesn't mean that companies are using all of them, but I think the answer is going to diff be different depending on what you are doing with the clean room. **Colleen:** Right. And there is privacy enhancing tech in the clean room. A good example would be you can't get to a sample size or a segment size less than x. Right? There's a ton of examples like that. And so when folks say, hey. It's privacy preserving. Yeah. It has those kinds of tools. It just doesn't have an idea of what am I allowed to do with this data. Is that fair to say? And then that the obligation for that should be on businesses who have collected and stored the data. **Alysa:** Okay. I think that's fair. What I would also say is clean rooms are relatively nascent. You have a lot of different industry working groups working to come up with standardized guidelines. Right? Standardized terminology so that there is common understanding around what you mean when you refer to, for example, k anonymization. What problem are you trying to solve with that? So I think, one, we are going we are in early phases as to what the options are in a clean room and what data flows and processes, how to look at those a little bit differently. The privacy layer onto that, what privacy problem are you trying to solve? You have different obligations depending on what is happening. I think it is it's not correct to look at your clean room provider to say, give me the answers. Is this privacy safe if I do it this way? They're not your lawyer. We're still at a point where this is a complicated legal analysis because we've got different laws that look at things slightly differently. So I still think you have the burden of proof. You need to get really granular on what is going in the clean room, on what basis, what is happening in the clean room, and what is going out of the clean room. It is not just about the in and the out. It does matter what is happening inside. **Colleen:** Well said, Luisa. People are talking about it. Right? It's all over Ad Exchange. I have an article on it. We'll post it down below. Any closing comments? **Alysa:** Well, I think it's something that folks should absolutely be talking to peers. This is a time where you really do want to continue to benchmark and have dialogue. Yes regulators I think are also in the process of getting educated on what is happening and so I think we're gonna hear lots of different statements that may in fact be premature because it was on the basis of a more narrow set of facts. And so I I'm just I'm encouraging of have industry continue to talk and put out best practices, get some clarity around terminology, and privacy enhancing tools, what they are, how you might look, why you might use different privacy enhancing tools. All of those, I think, are really important. **Colleen:** Thanks, Alyssa. Thanks as always. **Alysa:** You're welcome.