LiveRamp Clean Room Privacy and Governance

LiveRamp Clean Room provides a number of ways for you to collaborate with your strategic partners while protecting your customers’ privacy and adhering to your own data governance and compliance requirements.

LiveRamp Clean Room Privacy Protections

LiveRamp enables privacy using a number of principles:

  • Interoperability: Collaborate on any cloud or across clouds globally with the only 100% interoperable clean room – all via LiveRamp’s pseudonymous identity. 

  • Cloud-native security: Operates within your existing cloud storage infrastructure, significantly reducing security risks associated with multiple data copies. This cloud-native approach ensures direct and secure access to data in your brand’s cloud environment.

  • Customizable control: Utilize standard controls and role presets for quick setup, or engage with advanced privacy technologies like Differential Privacy and Confidential Computing for heightened data protection, ensuring flexible and secure data operations tailored to your needs.

Within these overall methods, LiveRamp’s privacy capabilities can be broken down into two main categories:

  • Governance controls: Mechanisms that help ensure secure access and data integrity.

  • Privacy-enhancing technologies (PET) mechanisms: Protections that are applied on data analysis.

For more information on the controls and mechanisms available in these two categories, see the sections below.

Governance Controls

 Governance controls include mechanisms that help ensure secure access and data integrity:

  • Data suppression and minimization: Each clean room has its own dedicated controls for making owned data accessible to partners. Clients can filter or exclude sensitive columns based on the collaboration’s goals.

  • Purpose controls: Activation or analytics is allowed only with the express permission of the data owner.

  • Data time bounds and expiration: Data access to partners is temporary and timebound; access can be modified or revoked at any time.

  • Role-based access controls: Ensures each user login has only the access they need for their role; configurable permission settings by login and collaboration.

  • Query transparency: Data owner defines the level of query results details their partner receives. 

  • Query templates: Allows the data owner to specify the precise queries/analytics permissible to be run on their data.

For more information on these controls, see the sections below.

Data Suppression and Minimization

LiveRamp Clean Room gives you the ability to control what data is accessible in each clean room by your partners. You can make all data accessible at the organization level and then filter it down based on what’s required for collaborations in a specific clean room. 

When you create a data connection you connect to your dataset at its source. During this process, you can provision fields only as necessary for collaboration. For more information, see “Cloud-Based Data Connections”.

Once you’ve connected a dataset, you can provision it to the appropriate clean rooms for collaboration with your partners. During this process, you can provision access to data only as relevant for approved questions. You can revoke access to datasets at any time. For more information, see “Provision a Dataset to a Clean Room”.

Also, data is not processed in unpermitted regions.

Data Suppression and Minimization: Settings by Restriction Level

Use Case

  • More Restrictive: I am planning on allowing self-serve access to my partner’s data scientists and thus need to apply a stricter filtering and minimization setting.

  • Less Restrictive: My partner will not have the ability to build queries. Only my organization can do so. Data minimization is less of a concern.

LiveRamp-Recommended Settings

When provisioning your dataset to your partner clean room:

  • More Restrictive:

    • Make sure to filter out any fields that you do not want to make available to your partners for querying.

    • Apply row-level filters based on values present in your dataset. For example, you might filter out all transactional records that are not associated with your partner brand and categories.

  • Less Restrictive:

    • Filtering out fields and records when provisioning your dataset is less of a concern, since your partner will not be able to access them directly.

    • Applying filters so that only relevant data is available to the clean room is still best practice and also improves query performance, so do it where possible.

Data Time Bounds and Expiration

Each collaboration clean room has a specific start date and can include an end date, both set when the clean room is created.

After the end date, the clean room will become a read-only clean room and data cannot be queried. These effective dates can be modified at any time.

Data Time Bounds and Expiration: Settings by Restriction Level

Use Case

  • More Restrictive: I have a high number of clean rooms with many partners and I want to ensure that contractual start and end dates are embedded in each clean room upon creation so I do not need to worry about revoking access in the future.

  • Less Restrictive: I am not concerned about access start and end dates because my partners and my organization have ongoing contracts and / or we are part of the same umbrella organization.

LiveRamp-Recommended Settings

  • More Restrictive:

    • When creating your clean room, make sure to set the start and end dates as per your contractual agreement with your partner.

    • The clean room will become a read-only clean room after the specified end date.

    • No new question runs or datasets can be configured and new partners cannot be added to an expired clean room. You can reactivate an expired clean room by changing its end date.

  • Less Restrictive:

    • Do not specify start or end dates when creating your clean room.

    • You can change this setting at any time.

Role-Based Access Controls

Role-based access controls ensure that each user login has only the access they need for their role. Permission settings are configurable by login and collaboration.

  • Create your own roles for users in your organization based on the permissions you wish them to have (for more information, see “Managing User Roles”).

  • In the clean room, permissions are set at the partner level and are configurable by user, allowing data owners to set distinct permissions for each partner (for more information, see “Managing Clean Room Permissions”).

  • Manage access levels by user so that each individual has only the access they need, and no more.

Role-Based Access Controls: Settings by Restriction Level

Use Case

  • More Restrictive: I have very specific requirements in terms of who can access and perform specific actions. After reviewing the out-of-the-box roles, I require a finer level of access controls than those provided.

  • Less Restrictive: I have reviewed the LiveRamp Clean Room roles and believe they fit all of my internal and partner user personas.

LiveRamp-Recommended Settings

  • More Restrictive: Create new organizational roles and assign specific rights and privileges to them as per your requirements. These rights and privileges are organized at the following levels:

    • Clean Room

    • Data Import

    • Data Out

    • Intelligence Builder

    • Organization Management

    • Question Builder

    • Question Management & User List

  • Less Restrictive: Use the pre-configured LiveRamp Clean Room roles and assign them to your Clean Room users as you invite them to collaborate.

Query Transparency

Within clean rooms, the data owner defines the level of query results details their partner receives:

  • You can define clean room question permission defaults for all questions related to a given partnership (for more information, see “Question Permissions and Overrides”).

  • For each question, the query author has the option to allow/disallow their partner to see the query results (for more information, see “Assign Permission Overrides to a Specific Question”).

  • When sharing a query template, data owners have the option to expose the underlying SQL definition of that query template.

Query Transparency: Settings by Restriction Level

Use Case

  • More Restrictive: My partner will not have the ability to build queries. Only my organization can do so and I want to ensure that my partner can only run the question and not see the code.

  • Less Restrictive: I have reviewed the LiveRamp Clean Room roles and believe they fit all of my internal and partner user personas.

LiveRamp-Recommended Settings

  • More Restrictive: Apply permissions at clean room/question level, as needed, to allow or disallow the partner to:

    • View underlying code

    • View query results

    • Copy the question

    • Set and schedule runs

    • Edit or delete question

  • Less Restrictive: Allow your partner to:

    • View query results

    • Copy the question

    • Set and schedule runs

    • Edit or delete question

Query Templates

Query templates allow the data owner to specify the precise queries/analytics permissible to be run on their data:

  • Questions allow data owners to create query templates at the clean room or organization level that allow for specific queries with defined input parameters.

  • Questions can be used to control exactly which analytics are allowed by partners.

  • Partners receiving questions can execute them either by requesting reports.

  • The questions use predefined input parameters to generate controlled analytic outputs.

Query Templates: Settings by Restriction Level

Use Case

  • More Restrictive: I want to build replicable questions and dashboard templates for all my partners. I do not want them to be able to build their own questions.

  • Medium Restrictive: I want to build replicable questions and dashboard templates for all my partners but I also want to give them the flexibility with free-form question building.

  • Less Restrictive: I want to let my partners build their own questions.

LiveRamp-Recommended Settings

  • More Restrictive:

    • Build question templates and provision them to your clean room templates

    • Provide partner user read-only role

    • Set up question permissions at clean room level to view reports / output (for more info, see query transparency)

    • Provision datasets as required by your question, ensuring you apply the correct level of filtering (for more info, see “Data Suppression and Minimization”)

  • Medium Restrictive:

    • Build your question templates and provision them to your clean room templates

    • Set up question permissions at clean room level to view reports / output (for more info, see query transparency)

    • Provision datasets as required for your clean room (for more info, see Data Suppression and Minimization)

    • Provide partner user query builder role

    • Configure dataset controls if required (for more info, see “Dataset Analysis Rules”)

  • Less Restrictive:

    • Provision datasets to your clean room, ensuring you apply the appropriate level filter if needed (for more info, see “Data Suppression and Minimization”)

    • Provide partner user query builder role

    • You do not need to provide any question templates. The partner user will be able to run their own queries directly on the data you have made available.

    • Configure dataset controls if required (for more info, see “Dataset Analysis Rules”)

PET Mechanisms

LiveRamp’s privacy-enhancing technologies (PET mechanisms) can be applied on data analysis:

  • Pseudonymization: PII (personally-identifiable information) is optionally removed and data is resolved to RampIDs. No PII ever enters the environment.

  • Differential privacy: You can apply calibrated noise on question result outputs and limit repeat analyses to prevent identification of individuals within a dataset.

  • K-minimization: You can force aggregation, requiring a minimum number of users for query calculation.

  • Dataset analysis rules: Allows the data owner to specify which rows and columns of data are shared, which columns can be output, and which aggregates can be performed on a given column.

  • Confidential Compute/TEE: Executes queries on jailed hardware provisioned solely for the clean room owner. Data is encrypted and secure key release is used to only execute queries at the client’s direction.

K-Minimization

K-minimization (crowd size) allows you to force aggregation, requiring a minimum number of users for query calculation:

  • Crowd size / k-min defines the minimum group size to be included in aggregated results.

  • Crowd size / k-min can be applied to specific query templates.

  • Data owners can choose to group at the individual level (RampID), the household level, or any column of their choosing.

  • Inject noise to output data to further protect against re-identification.

  • You can define an aggregation threshold rule for partner-authored questions.

For more information, see "Privacy-Preserving Techniques and Clean Room Results".
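The crowd-size rule described above, as an added example (not LiveRamp's implementation): a SQLite query releases a segment only when it holds at least k distinct units, counted at the RampID or household level, and the `distinct=False` form shows how a raw row count lets a single user with repeated rows pass the threshold. The table, column names and rows are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (ramp_id, household_id, segment). r8 appears three
# times, as one user would in a transaction-level dataset.
ROWS = [
    ("r1", "h1", "sports"), ("r2", "h1", "sports"), ("r3", "h2", "sports"),
    ("r4", "h3", "sports"), ("r5", "h4", "travel"), ("r6", "h4", "travel"),
    ("r7", "h5", "travel"),
    ("r8", "h6", "luxury"), ("r8", "h6", "luxury"), ("r8", "h6", "luxury"),
]

# Columns accepted as the crowd unit (assumed names for this example).
UNIT_COLUMNS = {"ramp_id", "household_id"}


def crowd_filtered_counts(rows, unit_col, k, distinct=True):
    """Return {segment: crowd} for segments whose crowd is at least k.

    distinct=True counts unique units; distinct=False counts raw rows and is
    included only to show why that form does not measure crowd size.
    """
    if unit_col not in UNIT_COLUMNS:  # allow-list: the name is placed in the SQL text
        raise ValueError(f"unsupported crowd unit: {unit_col}")
    crowd = f"COUNT(DISTINCT {unit_col})" if distinct else "COUNT(*)"
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE audience (ramp_id TEXT, household_id TEXT, segment TEXT)"
    )
    con.executemany("INSERT INTO audience VALUES (?, ?, ?)", rows)
    query = (
        f"SELECT segment, {crowd} AS crowd FROM audience "
        f"GROUP BY segment HAVING {crowd} >= ?"
    )
    released = dict(con.execute(query, (k,)).fetchall())
    con.close()
    return released


if __name__ == "__main__":
    print("RampID level, k=3:   ", crowd_filtered_counts(ROWS, "ramp_id", 3))
    print("Household level, k=3:", crowd_filtered_counts(ROWS, "household_id", 3))
    print("Row count, k=3:      ", crowd_filtered_counts(ROWS, "ramp_id", 3, distinct=False))
```

The same threshold releases fewer segments at the household level than at the RampID level, because several RampIDs can share one household.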

K-Minimization: Settings by Restriction Level

Use Case

  • More Restrictive: My partner will be able to build free-form questions to run against my data and activate out of my clean room to make the most out of our collaboration, however my data is at the individual level and I want to make sure the crowd size follows privacy-industry standards.

  • Medium Restrictive: My data is at the individual level and I’m planning on letting my partner activate out of the clean room. However, they will not build their own queries. I’m in control of the outputs.

  • Less Restrictive: My data will be aggregated in such a way that I am comfortable with a low crowd-size threshold. Besides, I have applied dataset analysis and projection / rules on datasets / only allow query execution and will not be allowing activation out of the clean room.

LiveRamp-Recommended Settings

  • More Restrictive:

    • If your data is at the individual or household level, you will want to make sure that the minimum crowd size that can be outputted in reports & audiences is large enough to ensure privacy and mitigate re-identification risk, especially if your customer can run their own free-form queries.

    • As an industry standard (e.g. AMC), a high threshold is 100 unique users.

  • Medium Restrictive:

    • If you’ve applied strict query execution controls and your partner is not going to be able to build their own queries, you can set the threshold to a lower level.

  • Less Restrictive:

    • If your clean room is purely for reporting purposes, your data is aggregated enough through your templated questions. If you do not plan on letting your partner activate out of the clean room, you can set the crowd size to 0.

    • This is so you do not end up being unable to report anything unless it's completely aggregated and of little value to your partner.

Dataset Analysis Rules

Dataset analysis rules allow the data owner to specify which rows and columns of data are shared, which columns can be output, and which aggregates can be performed on a given column:

  • Data join controls specify whether joins are required for a given dataset

  • You can dictate which columns can be output (projected) in a SQL query

  • You can prevent identifier fields from being projected or apply an aggregation threshold

  • You can dictate which fields can be used in joins

  • You can restrict the type of aggregates which can be run on given fields

For more information, see “Set Dataset Analysis Rules”.
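One way to picture how rules of this kind gate a question before it runs, as an added example (not LiveRamp's code or configuration format): a checker that takes an already-parsed question description and returns every rule it violates. The rule layout, column names and the two sample questions are assumptions constructed for illustration.

```python
# Hypothetical rule layout for one dataset (an assumption for this example,
# not LiveRamp's configuration format). Unknown columns are denied by default.
RULES = {
    "join_required": True,
    "allowed_join_types": {"inner"},
    "columns": {
        "ramp_id": {"pii": False, "join": True, "project": False,
                    "aggregates": {"count_distinct"}},
        "email": {"pii": True, "join": False, "project": False,
                  "aggregates": set()},
        "category": {"pii": False, "join": False, "project": True,
                     "aggregates": set()},
        "spend": {"pii": False, "join": False, "project": False,
                  "aggregates": {"sum", "avg"}},
    },
}

# Constructed question descriptions (already parsed; no SQL parsing here).
OVERLAP_Q = {"joins": [{"type": "inner", "on": "ramp_id"}],
             "project": ["category"],
             "aggregates": [("ramp_id", "count_distinct")]}
LEAKY_Q = {"joins": [{"type": "left", "on": "email"}],
           "project": ["email", "category"],
           "aggregates": [("spend", "max")]}


def check_question(question, rules=RULES):
    """Return a list of rule violations; an empty list means the run may proceed."""
    errors = []
    cols = rules["columns"]
    joins = question.get("joins", [])
    if rules["join_required"] and not joins:
        errors.append("dataset must be joined")
    for join in joins:
        if join["type"] not in rules["allowed_join_types"]:
            errors.append(f"join type {join['type']} not allowed")
        if not cols.get(join["on"], {}).get("join", False):
            errors.append(f"column {join['on']} cannot be used in joins")
    for name in question.get("project", []):
        rule = cols.get(name)
        # PII-labeled fields are never projected, whatever their project flag says.
        if rule is None or rule["pii"] or not rule["project"]:
            errors.append(f"column {name} cannot be projected")
    for name, func in question.get("aggregates", []):
        if func not in cols.get(name, {}).get("aggregates", set()):
            errors.append(f"aggregate {func} on {name} not allowed")
    return errors


if __name__ == "__main__":
    print(check_question(OVERLAP_Q))
    print(check_question(LEAKY_Q))
```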

Dataset Analysis Rules - Analytics Rules: Settings by Restriction Level

Use Case

  • More Restrictive:

    • I am planning on letting my partners run their own free-form queries and despite having set up a minimum crowd size at the clean room level, there are some aggregations I am not comfortable with my partners running.

    • For example, I only want my partners to run an inner join on my customer universe so they can only find out the overlap between my and their customer data, and not see the total number of my customers.

  • Less Restrictive:

    • I am not planning on letting my partners build free-form queries.

    • I have set up a minimum crowd size at the clean room level and I’m comfortable with my partners running any aggregation functions as long as no PII-labeled fields can be projected out in reports.

LiveRamp-Recommended Settings

  • More Restrictive: You should apply analytics rules at dataset level to ensure:

    • Only inner join is applied

    • Only some aggregation functions are applied

    • A column can be used for join or not

    • A column and its values can be included or not in a question run’s output

  • Less Restrictive: LiveRamp clean rooms have the option of enforcing a "global" default rule for all datasets associated to your account which prevents the projection of fields labeled PII in the data connection configuration when executing analytics questions. This means if a question attempts to include a PII-labeled field as an output in report results, the question run will fail.

Dataset Analysis Rules - List Rules: Settings by Restriction Level

Use Case

  • More Restrictive:

    • I am planning on letting my partners run their own free-form queries and despite having set up a minimum crowd size at the clean room level, there are some aggregations I am not comfortable with my partners running.

    • For example, I only want my partners to run an inner join on my customer universe so they can only activate out the overlap between my and their customer data.

  • Less Restrictive:

    • I am not planning on letting my partners build free-form queries.

    • I have set up a minimum crowd size at the clean room level and I’m comfortable with my partners activating out the non-overlap.

    • I am not concerned about any segmentation column and values potentially being included in the activation payload.

LiveRamp-Recommended Settings

  • More Restrictive: You should apply list rules at dataset level to ensure:

    • Only inner join is applied to your customer dataset

    • Only identifier can be outputted (not segmentation values)

  • Less Restrictive: Leave default settings