Privacy-preserving tech has all the makings of the Great and Powerful Oz building a privacy-safe Emerald Kingdom for AdTech. But the FTC’s recent blog post pulled back the curtain to remind us all that it takes more than technology to actually protect privacy.
Placing confidence in merely privacy-labeled products and platforms to protect privacy is not enough. Vendors, their customers, and their partners continue to have a responsibility to back up their claims with contracts and policies to maintain true compliance.
On November 13, the FTC made it abundantly clear that technology alone is not sufficient protection for businesses to ensure compliance with the law. Its post singled out Data Clean Rooms (DCRs) – highlighting the fact that while such technology can aid in privacy controls, it’s no guarantee: “DCRs don’t automatically prevent impermissible disclosure or use of consumer data; and unlawful disclosure or use of data is unlawful regardless of whether a DCR is involved.”
They went on to say that DCRs without the right protections and controls could actually jeopardize the very privacy they’re intended to protect. In short, you need to think carefully about what safeguards are in place to properly assess risk, not just assume that a technology will solve all ills.
To be clear, nothing has changed in terms of regulations. Maybe that’s part of the problem and why the FTC decided to raise a red flag. Despite the increasing awareness of privacy law, there is a counter trend of blind acceptance within the industry that technology which markets itself as “privacy-enhancing” somehow eliminates risks and solves for legal compliance.
In reality – regardless of the technology in question – businesses have always been accountable for adequately communicating their policies to consumers, and for ensuring they have the appropriate contracts and other organizational measures that comprise the necessary safeguards, both internally and with partners.
The FTC’s final line sums it up nicely: “DCRs, like any technology, are not silver bullets for privacy and don’t change a company’s obligations to consumers to safeguard their data and faithfully disclose its collection, use, transfer, and sale.”
What does this look like in practice? For those building and marketing products, it’s threefold:
First, focus on where, when and how notice is given to consumers about the use of their Personal Data.
Second, establish the right internal controls to protect how Personal Data is used, such as rendering it into de-identified data.
And finally, put in place contractual obligations with partners to prohibit reidentification of the data exchanged.
For those buying or using the technology, it’s largely the same, but with the added responsibility of properly configuring the products and platforms in use.
It’s understandable why so many have genuinely believed they were doing the right thing by embracing privacy-labeled solutions. Privacy law can seem daunting and the AdTech ecosystem isn’t getting any less complex. But sometimes the path of least resistance is to put the right internal organizational policies in place, instead of outsourcing compliance with blind faith to privacy-enhancing technology.