USA: FTC publishes blog on Data Clean Rooms

On November 13, 2024, the Federal Trade Commission (FTC) published a blog on Data Clean Rooms (DCR).

DCRs are cloud processing services that enable organizations to exchange and analyze data, and will typically be used when organizations want to exchange limited information about their customers.

The FTC stated that although DCRs can add privacy protections to the handling of consumer data, a DCR can present the same risk of disclosure as tracking pixels. Specifically, the FTC provided that DCRs do not automatically prevent impermissible disclosure or use of consumer data and that the unlawful disclosure or use of consumer data is unlawful regardless of whether a DCR is involved.

The FTC outlined that organizations must intentionally configure and deploy constraints in DCRs to be privacy-preserving, such that the use of a DCR itself is not a reliable guarantor of privacy. Notably, the FTC detailed that DCRs can make it easier to identify and track individuals, increasing the volume of disclosure and sale of data, since data transfers are accelerated by bulk interfaces and industry standards.

In addition, the FTC provided that DCRs represent another opportunity for data theft and breaches. As an example, the FTC noted that a DCR service that does not require the use of security measures such as two-factor authentication for access to data would create the opportunity for phishing or credential-stuffing attacks.

Finally, the FTC outlined cases in which it has brought enforcement actions against organizations, including BetterHelp and InMarket, for the alleged unfair and deceptive disclosure and use of consumer data, as well as settlements reached over deceptive privacy claims.

You can read the blog here.