You’ve probably heard (dozens of times) by now that first-party data will be the key to post-third-party-cookie ad targeting.
But what exactly is first-party data?
How does it differ from second-party, third-party and zero-party data?
And what makes first-party data more suited to a privacy-centric ad experience?
Defining first-party data
First-party data is data that is collected by a single entity via its direct relationship with the end user.
In other words, “the owner of the data is the one doing the collection,” said Josh Peters, The Washington Post’s head of global commercial data strategy, partnerships and governance.
For an entity like Google, first-party data could be derived from a user’s search behavior on owned sites like google.com and youtube.com, said Permutive CEO Joe Root. For a publisher, first-party data could be generated as the user interacts with that publisher’s domains and products. For a brand, first-party data comes from online and in-person orders, browsing behavior or signing up for personalized Oreos.
But consent to data collection on the end user’s part is the key to compliance with privacy regulations, Root emphasized.
First-party data is commonly conflated with personally identifiable information (PII) like email addresses, but the label “first-party data” relates to the entity that collects the data, not the type of data collected.
“Many unconsciously couple first-party data and PII,” said Forrester VP and Principal Analyst Joanna O’Connell. “We all would be wise to be much more specific and precise” in defining, collecting and storing first-party data, she added.
What’s the difference between first-, second- and third-party data?
As for the difference between first-, second- and third-party data, it also depends on who actually collected the data, not what type of data it is.
A simple way to understand the difference between these types of data is to dust off those old notes from language class. The different types of data borrow their names from the first-, second- and third-person point of view (POV) in speech and writing.
First-person POV uses “I/me/we/us,” second person uses “you” and third person uses “he/she/it/they.”
That means first-party data is data “I” collected. Second-party data is data “you” (a close data partner – usually singular) collected. Third-party data is data “they” collected (i.e., data that is packaged and sold by a data company but that was collected by multiple other entities).
The exact same data could be first-party, second-party or third-party data, depending on who collects it. A retailer’s website browsing data is first-party data if the retailer collects it, second-party data if it’s exchanged with a partner and third-party data if it’s collected via an ad tech tracking pixel (like a third-party cookie).
When discussing first-party data, it is important to be clear about who collected the data.
“The key is always thinking through that numbering, then asking, ‘Who is the first party? Who am I actually talking about?’” said Nicole Perrin, VP of business intelligence for Advertiser Perceptions.
Using another company’s first-party data, when it comes directly from a trusted partner, is technically second-party data. But if you buy that company’s data from a marketplace, it becomes third-party data, which is one reason the term second-party data is rarely used. (It also sounds better to say you’re using someone else’s first-party data.)
Is first-party data better in terms of privacy?
There isn’t anything about first-party data that inherently makes it more privacy-friendly. Remember, “first-party” just refers to who collects and owns the data. It doesn’t refer to whether the party is collecting PII, sensitive non-PII or sharing customer data willy-nilly with others.
When it comes to privacy, consent matters.
“There’s this idea that third-party data is not consented,” Perrin said. “But none of those [privacy] elements are inherent to the definition, which is literally just about who owns it.”
However, having a direct relationship with a customer gives the company more control over how it manages consent.
With first-party data, it’s easier for a publisher or a brand to have a direct data-sharing relationship with a user, which is why Root claims first-party data is more privacy-friendly.
“The real threat to third-party data companies is consent,” Root said. “Third-party data companies don’t have the relationship with the user, so they can’t ask for that consent.” Instead, they must rely on the first parties collecting that data to manage consent, which adds a step to the process. (And, typically, users did not consent to a third party collecting their data when they originally gave consent to the first party.)
Privacy regulation like GDPR may force publishers to rethink who they share the data they collect on their users with, Root added.
Even when publishers bring together all their first-party data, they must think about potential privacy concerns. Pairing consented user data to PII risks violating privacy legislation, said the Post’s Peters.
“If I’m tying your [survey] answers to your email address and your user behavior, and I’ve inferred things like your political affiliation or sexual orientation, now you’re getting into a sticky conversation [regarding privacy compliance],” Peters said. “You’ve got to be careful how you pair that data.”
What about zero-party data?
Zero-party data is a new term Forrester coined in 2020, which describes a subset of first-party data. If the user actively opts into sharing with a brand or publisher, that’s zero-party data. Think of a user typing in registration information with consent, not collecting data from a user surfing the site.
“I typically describe zero-party data as actively and intentionally given data,” O’Connell said. “Visiting a website and having a first-party cookie dropped on me? I wouldn’t say that’s me actively, intentionally sharing something explicit about myself with a brand or site.”
But the ad industry is divided over whether a truly meaningful distinction between first-party and zero-party data exists.
“When people answered your surveys or responded to pop-ups on your website, that was all considered first-party data until Forrester defined it as zero-party data,” Peters said. One entity collects the data in both cases.
Drawing a distinction between first-party and zero-party data on the basis of active consent risks implying that first-party data collection does not comply with privacy regulations, Permutive’s Root said.
“I think ‘zero-party data’ is dangerous terminology,” Root said. “The point of [privacy] regulations, especially GDPR, is that any data you collect and process has to be consented to.”
So, when discussing first-party data, keep in mind: It’s collected by a single entity, and best done with active consent from the user.
