The Clean Room Is Not a Room, and It Does Not Clean

The FTC read the label on the data clean room, opened the lid, and found that the privacy was sold separately.

In November 2024 the FTC's technology office published a post titled "Data Clean Rooms: Separating Fact from Fiction," noting plainly that these services "are not rooms, do not clean data," and that, "by default, most services that provide DCRs are not privacy preserving." The protections are constraints someone has to configure, monitor, and mean. Weeks later, in December, the agency moved against data broker Mobilewalla, alleging the "raw location data" it sold "was not anonymized" despite the surrounding vocabulary of deidentification.

This matters because the clean room is sold as an outcome and delivered as a setting. Industry survey data tells the same story from the buyer's side: in IAB's State of Data, the top reported challenge was not privacy but proving the thing worked, and respondents described teams of six-plus people and timelines measured in quarters. A control that requires that much standing labor to switch on is not a guarantee. It is a project with a reassuring name.

What it reveals is the oldest move in the catalog: rename the room and hope the furniture follows. A company that cannot define "customer" internally does not acquire that definition by joining tables with a stranger inside a neutral enclosure. The match key is still a guess; the schema is still nobody's; the constraints are still whatever the busiest engineer remembered to set. The clean room makes the exchange auditable, which is not the same as making it sound.

Watch the configuration, not the procurement. Ask who owns each constraint by name, who reviews exports, and whether the default is deny or share. Watch for the second FTC pattern, too: when a regulator stops accepting "deidentified" as a noun and starts treating it as a claim to be tested, every clean room becomes a place where the test is run.