The industry continues to take significant steps to better protect the privacy and security of consumer data. But there is still a long way to go. There is a vital need to educate the industry and organizations about new developments, such as new privacy regulations, evolving technologies, and new standards. It’s important work that IAB Tech Lab is undertaking and streamlining, bringing key stakeholders, people and organizations together to demystify an evolving landscape.
In the latest episode of our Identity Architects podcast, InfoSum's VP, Product Marketing, Devon DeBlasio, sat down with Shailley Singh, COO & EVP, Product, at IAB Tech Lab, to discuss the IAB Tech Lab’s work, data privacy, identity, and more.
“I think the industry should - and it's undergoing a lot of changes because of regulations, and because of platform changes - we should really embrace these changes, because all of our lives have moved online and it's really important to honor and preserve privacy of consumers throughout the supply chain.”
Definitely. And even though policies and regulations can never go as fast as technology moves, IAB Tech Lab and its members are certainly working hard to provide the relevant information organizations need on new and evolving technologies, as well as regulations. Most recently, IAB Tech Lab released much-needed guidelines and standards for data clean rooms to help marketers understand what exactly a clean room is, the use cases they power, and to provide clear definitions the industry can use and abide by.
“Our CEO puts is like, you mention the word clean room in a meeting and it's like throwing a grenade and everybody goes off with different meaning and understanding. But the way this industry operates is pretty sophisticated. There are multiple people who come together and they are on a particular transaction and they collaborate on making it work so one of the important things in the industry is to have interoperability and a common understanding, common taxonomy, and specifications with well-defined APIs or formats, so that all the partners can talk to each other. I think these were the driving forces for us to create these two documents. The first one establishes the common understanding, the common taxonomy, and the second one establishes a well-defined format and specification to execute one particular operation.”
And this is so important because everyone has a different understanding of data clean rooms. They have quickly become a must-have for customer-centric organizations, which has led to a sharp increase in the number of clean room providers. But not all clean rooms are created equal. How will these new guidelines help organizations cut through the noise and identify the right solution for their needs?
“It is hard to define a clean room because there are different flavors of it available. It's an evolving product category and people are coming up with different innovative ideas on how to execute a data clean room. So what the working group did was instead of having like a one or two line definition, we went about describing some of the key characteristics that define a modern data clean room that you should look at that helps you kind of cut through the bullshit and identify that is a proper data clean room.”
And what characteristics did the working group agree on?
“Some of these characteristics were. One was isolation of data [...] the team operating the clean room should not be able to learn the other party's data, but be able to extract inferences that they need for their business purpose. The second one was that a clean room must deploy at least one, or more, privacy enhancing technologies to ensure the privacy preservance of the personal data that's involved in the datasets. The third one [...] was that the clean room should apply certain governance and control in the use cases and from end-to-end purposes so that your privacy's personal data is preserved and your personal information of consumers that is involved in the data set is secured. And of course governance control like any other system we define it should have scoped access and controls on how long the data is there, what is the expiry and transparency around all of that. Those characteristics help you assure that you are working in a proper clean room.”
With so much that can go wrong, especially when it comes to consumer data, privacy and security, these definitions and standards will help organizations select the right technology partner and level the playing field in the data clean room landscape. Going back to the document Shailley talked about, what is not covered in it?
“One of the things that we decided early on on what we would not cover as part of this recommendation guidance was the legal and policy aspect of engaging in a data clean room for a couple reasons. One, we wanted to focus on the work on helping you understand what a clean room is from a function and technology perspective, and the second one was that you know the policy can change from company to company based on the needs and how they conduct their business - and that's probably a separate project in itself to define a policy for data clean rooms - and the third one was the policy or the legal side of privacy based on the privacy regulations is a layer that will always be there over and above any technology that you work on and we don't typically define that. That's best defined by each company's legal counsels.”
Makes sense. So what are you currently working on?
“One is the guidance similar to what we did for data clean rooms but ID solutions. There's a whole new breed of ID solutions that have come to market [...]. That's the next thing that we're picking up in the addressability working group to provide guidance and recommendations on ID solutions, going into details of what is an ingredient of an ID solution so people can assess themselves what is sustainable and what works for them. And then the second one is going back to the PETs working group to provide more deeper dives into these specific technologies. The first one that we're picking up is differential privacy [...]. You don't have to define differential privacy but what we want to do is define the guidance or practices and application of differential privacy of different use cases and advertising for targeting, for attribution or for doing any other operation that is typically a part of an advertising workflow.”
So important to have these for the larger industry. For more information and updates from the IAB Tech Lab, check out their website.
Thanks for all the work you are doing, and thanks for the chat, Shailley!