Why CIOs should be thinking about clean rooms

A “clean room” in which two businesses can share data will help both gain new insights, but could raise serious legal and security questions


If there is one area of IT that chief information officers (CIOs) will need to master this year, it is so-called clean rooms. 

These have been used for some time, most notably in digital marketing. The likes of Facebook, Google and Amazon have offered them to some of their largest advertisers in the past few years, but their use was relatively limited, in part due to cost.

This is going to change in the year ahead as companies adjust digital marketing plans to cope with the loss of third-party tracking cookies. Businesses realise they need to be more reliant on their own first-party data, but they also need to be able to combine data insights to understand an industry better and improve their marketing performance. 

Sharing personally identifiable information with another business would mean breaking the General Data Protection Regulation (GDPR), unless the consumer has expressly given permission for their details to be shared. So the race is on to develop a means of allowing two parties to interrogate one another’s data without revealing personal information.

Driving clean room adoption

Use of clean rooms is likely to be led by advertisers and publishers. Brands have databases of customers and their target audience, while media companies have information on who visits their sites. Combine the two and, without revealing identities, a site would be able to confirm the type of people reached by a campaign and compare it with the brand’s desired audience. 

A case in point comes from the Financial Times, which is actively investigating how it could use clean rooms to build a deeper relationship with brands that goes further than advertising, but would not require personal data to be shared beyond the organisation. Anthony Hitchings, digital advertising operations director at FT.com, says it is early days, but that the company is investigating clean rooms as a means to discover if someone who saw an advert, read a sponsored article or registered for an event fits within an advertiser’s target audience list.

“We want to build deeper relationships with partner brands with an offering that includes partner content, webinars, roundtables and events,” he explains.

“It will be interesting to understand how the technology progresses and whether clean rooms can be explained to users in such a way that they understand and consent to. Our approach is typically conservative when it comes to user privacy. For that reason, we are digging deeply to understand the technology and implications.”

Shot in the arm for events

Clean rooms are also likely to gain traction towards the end of the year by helping to get the events industry back up on its feet, according to Chris Sainsbury, founder and managing director of digital marketing agency UX Connections. He is investigating the technology as a means to enable event operators to work with publishers to reach their target audience. Whether it is a new conference with no database to work from or an established event whose data needs refreshing, clean rooms will enable an events business to know where it can find its target market.

“We’re working with a new luxury yachting event that has a very specific, affluent target audience, but has no database,” he says. “We’re going to be looking at whether a clean room will allow us to ensure we only work with yachting publishers and perhaps other event organisers who have access to that audience. Without this technology sitting between companies, it’s going to be hard for companies without a pre-existing list of contacts to build up a new event.”

Use in benchmarking

It is likely the publishing, advertising and events industries will lead the way on clean rooms in 2021 because digital marketing has traditionally relied on third-party data. When walls are erected around first-party data, publishers will need to find a way to show advertisers they are opening up their desired audience. 

However, in the longer term, any businesses that could benefit from comparing data with others are likely to join the trend towards clean rooms. Mike Reid, chief technology officer of Clir Renewables, explains the technology he is developing is starting to allow energy companies to benchmark their performance so they can learn from one another.

“Renewable energy companies need to know if their installations are producing as much energy as they should be and when maintenance is likely to be due so they can plan ahead,” he says.

“They are reluctant to share data directly, but by pooling it they can find out if, say, a turbine isn’t producing the industry average for wind conditions, perhaps because a sensor is faulty and it isn’t being directed into the wind properly. The companies are also able to see the mechanical performance of similar turbines so they can get a good idea when maintenance is going to be required.”

Security and privacy concerns

If this trend is ringing security alarm bells for CIOs, it is for good reason. There are potential legal problems but, according to data privacy lawyer and partner at Linklaters, Georgina Kon, the key is in the technology. There are several options, but she believes the best way to avoid GDPR infringements is to allow computer databases to interrogate one another, possibly by artificial intelligence, but only take away “high-level” learnings that do not reveal any identifiable information.

She also cautions that CIOs need to think beyond privacy laws to ensure clean rooms are only built with reputable partners. “Our clients will look much more widely than just the GDPR,” she explains. “They will also be thinking about issues such as control of the underlying data, confidentiality and professional secrecy.”   

This need to protect data beyond GDPR and ensure both sets of data are legally compiled and strongly protected is going to be vital, according to Andrew Barratt, managing director of data security business Coalfire. He is actively investigating building clean rooms for clients, but advises businesses to proceed with caution.

“Put two sets of data in the same place and you have a potential treasure trove for an intruder to plunder,” he warns.

“Then there’s the issue of how clean the clean room can actually be. There may not be a problem with your own database. The real issue is who you’re going to let into a clean room. You just don’t know where someone else has got their data from. It’s a little like having a sparkling kitchen floor you let someone else walk on without knowing whether or not their boots are muddy.”