Whitepaper: Legal Compliance of Data Collaboration in Advertising
Aligning Legal Governance with Privacy-by-Design Technology to better insights, responsible activation, and lasting trust
Data collaboration is quickly becoming one of the most valuable capabilities in modern advertising. The promise is straightforward: when advertisers, publishers and retail partners can connect their datasets in a controlled way, the result is richer intelligence. Customer understanding improves, audiences can be defined with greater precision, and marketing investments become easier to optimise. Yet the same feature that makes data collaboration so powerful – its ability to combine information across ecosystems – also makes it legally and reputationally sensitive. Because the data involved can relate directly or indirectly to individuals, collaboration must be designed to work not only commercially, but also sustainably under the GDPR and the ePrivacy framework.
This executive white paper sets out a practical and future-proof approach to data collaboration built on two ideas. First, strong technical controls are essential, and data clean rooms provide the backbone. Second, legal compliance is not a “check at the end”, but a core design principle. In practice that means being clear about roles, being disciplined about outputs, and choosing legal bases that match the reality of how data is used.
From “more data” to “better data”
Data collaboration is not about collecting ever more information. It is about improving the quality and usability of what already exists. Advertisers typically hold customer and prospect data, often anchored in account identifiers such as email addresses or customer IDs. Publishers hold data about media users – what content people read, watch, or engage with – and retail partners increasingly contribute transactional and purchase history data that brings real-world behaviour into the picture. When these datasets are connected responsibly, advertisers can move beyond broad assumptions and build a clearer picture of who their audiences are, what they care about, and where the best opportunities lie.
In most collaboration scenarios, three categories of data play a role.
Three categories of data
- Account data: declared information provided by users – often forms the key that makes matching possible.
- Observed data: such as content consumption, website behaviour, or purchase history – adds behavioural depth.
- Derived data: segments or inferred interests built from account and observed data – creates actionable intelligence.
The value is real, but it only materialises if the collaboration can be performed without exposing raw data or creating uncontrolled “spillover” between databases.
Why data clean rooms matter?
This is where data clean rooms become central. A data clean room is a secure technical environment that enables datasets to be compared and matched without parties exchanging raw data with each other. Rather than moving data across organisational boundaries and relying solely on contractual restrictions, clean rooms are designed so that the processing itself is constrained by technical and organisational measures.
At Ads & Data, only best-in-class data clean room providers are used, including partners such as InfoSum and LiveRamp. While providers differ in their technical implementations, the underlying logic is consistent. Each partner’s data is ingested into the clean room under a Data Processing Agreement with the clean room provider. Inside the clean room, each dataset is stored in a strictly segregated environment – often described as a “bunker” – that is isolated from other participants. No party can browse, view, or otherwise access another party’s raw data. Matching and computation occur solely within the clean room on the basis of predefined queries, and only constrained outputs are produced.
This architecture reflects the relative approach to personal data under EU data protection law
Whether data qualifies as personal data must be assessed from the perspective of the specific recipient and its realistic means of identification, taking into account the effectiveness of the technical and organisational safeguards in place. Applied to data clean rooms, this means that data uploaded by a participant remains personal data for that participant, but does not necessarily constitute personal data for other participants, provided that the clean-room safeguards effectively prevent access, re-identification, or linkage in practice. .
Accordingly, data clean rooms are not merely a security solution; they function as a structural GDPR safeguard. They reduce the risk of unintended data disclosure, prevent uncontrolled enrichment of datasets, and enable data collaboration while maintaining clear legal separation between participants, subject, as always, to the safeguards being effective and enforceable in real-world use.
The decisive distinction: insights versus activation
A compliant data collaboration strategy depends on one key distinction: whether the output is insights or activation.
Insights scenario
In an insights scenario, the outcome of the clean room processing is aggregated and anonymous. The output might answer questions such as the degree of overlap between customer bases, how a segment behaves across environments, or what audience patterns emerge at a statistical level. Because the exported output is not linked or linkable to individuals, GDPR no longer applies to the output itself. This matters strategically, because insights can offer an entry point for organisations that want to explore collaboration without immediately stepping into deeper, more complex activation models. Insights help stakeholders “see the opportunity” in a controlled way.
Activation scenario
In an activation scenario, the outcome is a list of pseudonymised identifiers, such as media user IDs, that can be used to deliver a targeted advertising campaign. The output is designed to be operational: it enables a specific audience to be reached. While the identifiers are protected and pseudonymised, the output remains personal data under GDPR, and the compliance requirements rise accordingly.
These two models, insights and activation, are not competing approaches. They are layered solutions that allow collaboration to scale with maturity: start with insights to build confidence and business value, then move to activation when partners are ready for stronger governance and deeper operational use.
Clarifying GDPR roles: who is responsible for what?
The way clean rooms are structured has direct implications for GDPR roles. Before any data is ingested, each participating party acts as an independent controller for its own dataset. The processing that takes place inside the clean room does not automatically alter this qualification. The clean room provider itself acts as a processor, operatingunder Data Processing Agreements with the participating partners. Because each dataset remains strictly segregated and no party can access another party’s raw data, the mere execution of matching or computation inside the clean room does not, in itself, result in joint controllership.
A potential change in roles arises at the export stage, and this change is driven by the nature of the output.
Insights
Where the output consists solely of insights that are aggregated and anonymous, no personal data is disclosed and the GDPR is no longer applicable to that output. In such an insights-only scenario, the parties remain independent controllers and a Joint Controller Agreement is not necessarily required.
Activation
By contrast, where the export produces an activation output that enables targeted advertising, the output is, or may be, personal data. It is precisely because GDPR applies to that output that the roles shift: the participating parties typically qualify as joint controllers, as they jointly determine the essential elements of the processing, including the datasets used, the matching logic applied, and the campaign purpose for which the resulting audience is activated. In that case, Article 26 GDPR requires the parties to enter into a Joint Controller Agreement that transparently allocates their respective responsibilities.
A Joint Controller Agreement that reduces friction, not trust
In practice, a Joint Controller Agreement should not be a barrier to collaboration. Done well, it becomes an enabler that increases confidence internally – especially for DPOs, legal teams and governance bodies – because it makes responsibilities explicit. At Ads & Data, the approach is to use a standardised Joint Controller Agreement signed at the start of the relationship, providing a stable framework for future activation use cases. This helps avoid repeated negotiation for each campaign and supports operational scalability.
A well-structured Joint Controller Agreement clarifies the purposes and the data types in scope, describes the processing operations, and allocates core GDPR responsibilities such as transparency, data subject rights handling, security measures and accountability mechanisms. It also includes a critical commitment from each party: that it has the appropriate legal basis and has met its own compliance obligations for bringing data into the collaboration in the first place.
Legal bases: matching the law to the reality
No data collaboration should begin without a defensible legal basis, and the appropriate basis may differ depending on the partner’s role and the collaboration’s purpose. For insights use cases, consent or legitimate interest may be considered, with an important caveat: where cookie or device-derived data is involved, ePrivacy requires explicit consent and legitimate interest is not sufficient for that specific layer of processing.
For activation, the picture becomes more nuanced. Advertisers may rely on legitimate interest for their own direct marketing, or may choose consent as an alternative, while still respecting ePrivacy consent requirements where relevant for cookie data. Publishers and retail partners, by contrast, are generally operating in a third-party advertising context rather than marketing their own products or services, and will typically require explicit consent for the use of data for targeted advertising for third parties. Whatever legal basis is used, it must be supported by proper transparency, user choice mechanisms, and where legitimate interest is relied on, appropriate assessments and opt-out rights.
Compliance in practice: building for the long term
In a market increasingly shaped by regulatory scrutiny and consumer expectations, compliance is not merely defensive. It is a competitive advantage. Data collaboration that is designed responsibly is more likely to be trusted by partners, approved by internal governance, and sustained over time. That is why Ads & Data places compliance and privacy-by-design at the centre of its approach, including standard privacy and cookie policy reviews when onboarding advertisers. These reviews help assess readiness for collaboration and highlight areas that may need improvement, while keeping accountability clear: ultimate responsibility for legal basis and transparency remains with the advertiser or the relevant data controller.
Closing thought
Data collaboration is not the future of advertising because it is technically possible. It is the future because it answers a real business need: better relevance, better measurement, and better use of data that organisations already have. But the winners in this space will not be those who collaborate the fastest; they will be those who collaborate in a way that lasts. That requires an approach where technology and legal governance reinforce each other, where the output is disciplined, and where privacy is engineered into the process from the first design decision. With data clean rooms as a foundation, and with clear separation between insights and activation, data collaboration can be both commercially powerful and legally durable.
