Data Clean Rooms Could Ease GDPR Compliance for Digital Ads, Lawyer Says
As retail marketing picks up speed, online advertisers and publishers are increasingly eyeing data clean rooms (DCRs) to ensure GDPR compliance, Fieldfisher data protection attorney Stephan Zimprich said in an interview last week.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
A DCR is a computing space in the cloud, typically owned by the DCR provider, in which an online advertiser and publisher can share personal data, Zimprich said. In the simplest case, the parties might want to know whether the overlap in their audiences is big enough to warrant doing business together.
They would contract with the DCR provider, which would provide each party with an end-point (URL) to which they could upload data. The DCR could then analyze to what extent their audiences overlap.
GDPR requirements make DCRs useful, Zimprich said. To share data with a third party requires a legal basis. Without a DCR, either the publisher must share information with the advertiser or vice versa, meaning someone must determine the appropriate legal basis.
The DCR arguably enables data that goes into it to be anonymized from the perspective of the DCR as well as from the parties involved in the data matching, thus removing the need for a separate legal basis under the GDPR. This makes it easier for publishers and advertisers to run their analyses without having to, for instance, collect consent or comply with other GDPR requirements, Zimprich added.
In a more complex use case, individuals could be matched, Zimprich said. Once the advertiser and publisher combine their datasets in the DCR, they can seek identification matches. If there are matches, the advertiser can instruct its technology to only serve targeted ads to users whose ID has been found on the publisher's website, thus signaling a possible interest in being contacted.
The DCR could mitigate some GDPR complexities related to the legal basis for processing personal data, Zimprich said. It's impossible for publishers to collect consent on behalf of every advertiser they may want to do business with because the GDPR requires consent beneficiaries be identified by name. Since publishers tend to deal with thousands of different advertisers, the consent requirement becomes "unbearably complex."
The DCR is an attempt to find a system where the publisher can collect consent for itself, and only the advertiser would need to seek consent that also covers the publisher, Zimprich said. This is a potential benefit from a GDPR perspective; other benefits include increased data security and leakage prevention, he said.
DCR data-sharing is easier to defend than Open Real-Time Bidding (RTB), where publishers connect to any number of platforms, which, in turn, connect to numerous demand-side platforms, enabling user data to be broadcast to thousands of participants in that market, he said.
DCRs are starting to gain traction as new marketing concepts arise, Zimprich said. For instance, he said, the retail media network area is growing, and DCRs are well-suited to RMNs. An RMN is defined as an "advertising platform operated by a retailer that allows brands to reach consumers directly on the retailer’s owned channels."
An example of an RMN is an online pharmacy on whose website people search for drugs such as Adderall, Zimprich said. There's a fairly high risk that such a search term would fall within the scope of GDPR provisions on sensitive data since it reveals something about a person's health status.
Such data can only be used for marketing purposes with explicit consent, making it harder to monetize, Zimprich said. With a DCR, the online pharmacy can establish a technical structure where user data can be entered into a DCR and the sensitive parts of it removed. The pharmacy can then ask pharma companies to advertise on its website. Via the DCR, the companies can upload their audience data with a link to their website, while the online pharmacy uploads its audience.
Through ID-matching, the parties would then be able to identify users who might be interested in a particular product, and pharmaceutical companies could then display an ad directed at them without coming in contact with personal data related to the pharmacy's users.
Asked whether DCRs have attracted scrutiny from DPAs, Zimprich said watchdogs tend to focus on riskier areas such as the more traditional ad tech world. He said he doesn't expect and isn't aware of organized or coordinated probes of DCRs by privacy authorities.