First- Or Third-Party Cookie? Wrong Question

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Marc Groman, CEO of Network Advertising Initiative.

Context – how consumers engage with business – has emerged as a central theme in today’s policy debates about consumer privacy.

The Federal Trade Commission’s privacy framework, outlined in a March 2012 report, posits that privacy is contextual, based on factors such as a consumer’s existing relationship with a company, the expectations of that relationship and the nature of a specific transaction.

More recently, speakers discussing the privacy implications of the “Internet of Things” at last month’s FTC workshop emphasized the need to consider context when thinking about notice and choice in an increasingly interconnected world. FTC Chairwoman Edith Ramirez mentioned context in her opening remarks, talking about “unexpected uses of data,” and referencing examples such as connected cars, smart TVs and heart monitors.

The FTC workshop highlighted the nuances and complexity of context and privacy. Context is too often narrowly and mistakenly interpreted to focus exclusively on the “who” in a transaction, not the “what” – “who,” in this case, referring to either a first party or a third party. In this analysis, there is frequently a rush to judgment about consumer expectations and privacy based solely on this one factor.

The question we should ask ourselves, however, is whether this first-party/third-party distinction in isolation is the appropriate focus in designing a sound privacy framework today. Or is it more important to consumers that the “who” mean “responsible parties?”

Consider this example. When Consumer Smith visits his favorite online retailer’s website, i.e., the first party, he recognizes the brand and knows what information needs to be provided for purchases. In fact, Smith may have already shared certain information with the site on a previous visit to sign up for a service or take a survey, and that information might include details about income, demographics, product preferences and the like.

He may “expect” the first party to collect and use his data. He may even expect advertising or product suggestions to be made based on that data. In this way, many first parties have a direct relationship with consumers that is relevant and valuable. This relationship can be important, but is only one of several factors that should be considered in the privacy framework debate.

Now, let’s say the online retailer partnered with a third-party ad network to serve interest-based ads. Smith did not stop at that network’s site, nor, to the best of his knowledge, did he provide that ad network with any information. Therefore, Smith may not expect his information to be gathered by another party.

Although the first party brought in the third party to provide a service that it believed to be beneficial (a more relevant ad experience), according to the old “context” argument, the third-party data collection in this scenario is assumed to present a potentially greater privacy risk to consumers. This may be driven by the third party’s presence often not being known to the user and the collection of data across multiple, different first-party experiences.

In both examples, we’re missing key information to help drive a meaningful privacy debate: the specific circumstances under which the consumer’s information is collected and used, the scope of the data collection, the type of data, the collection method or the potential for unexpected uses. A discussion of risk of harm also is absent.

At the FTC workshop, speakers emphasized that context is about a wide range of variables and “type of entity” is but one. Simplifying the analysis of data collection down to a black/white, first/third-party issue is limiting and may lead to absurd results. The personal identification and sensitivity of the data collected, the use of the data and the transfer and sharing of the data may be far more significant than who collected it – and these concepts should apply across all parties involved. Each of these principles is part of the NAI’s self-regulatory code of conduct, which is honored by some of the most responsible actors online.

Even before last week’s workshop, the FTC’s director of the Bureau of Consumer Protection, Jessica Rich, affirmed this point at the Privacy Law Scholars Conference in Washington, DC, by emphasizing that choice is not purely about a company’s status as first or third party, but about the context of a transaction and the expectation of a consumer.

Lydia Parnes, former director of the Bureau of Consumer Protection, also recently stated at the IAPP Privacy Academy in Seattle that, “It isn’t clear to me whether the ‘first party’ vs. ‘third party’ distinction ever made sense, but it certainly doesn’t make sense today. Who is a ‘first party’ and who is a ‘third party’ is increasingly difficult to determine in any given transaction.”

We’re living in the era of “big data,” and the digital world is rapidly evolving. When the FTC examined third-party, interest-based advertising, it was 2007. Today, we have the “Internet of Things,” with mobile apps, sensor-rich systems, smart products and cross-device recognition resulting in a media world that is increasingly complex and less structured than ever before.

In some interactions, as Parnes observed, it may not be clear who is collecting data and in what capacity. Perhaps there are three or four first parties. In addition, the reach of a first party may not be obvious if there are dozens of affiliates branded as separate entities with multiple collection points and cross-exchanges.

Beyond how the data is transferred, the nature of the data collection should be considered. Think about how much information you feed into a smartphone – say, a personal assistant app. That app collects and uses identifying information, location, time of day, calendar, travel plans, search, email, contacts and address book, digital surfing history and more. From a privacy perspective, many consider the collection of this data to be far more sensitive than inferred interest segments tied to a third-party cookie.

Transparency and notice certainly are relevant to any discussion about sound privacy frameworks, but here, again, the distinction between first and third party may not be as dramatic as some suggest. Self-regulation, and in some cases law, requires that the first party post a privacy policy that describes its data collection and use, as well as the data-collection activities of third-party partners on its site. Thus, a discussion about sharing with third parties and third-party data collection for interest-based advertising should appear near the first party’s discussion of the data it collects and how it may share that data with affiliates.

Add to this the AdChoices icon in advertisements served by third parties and you have an increasingly robust transparency, notice and choice regime. The actual practices of an entity – whether a first or third party – and the disclosure of those practices are essential to any discussion about privacy. We’ve all read privacy policies that are unintelligible, leave open the possibility of any use of data and ask for overbroad consent to use data. That may raise greater concerns than who collected the data.

The reality is that third parties – from networks and exchanges to data platforms and other digital media firms that partner with online properties (“first parties”) for the purposes of marketing and advertising in both online and mobile media – are necessary. They keep costs down and are the backbone of the diverse, ad-supported, free-content model that consumers know and expect today. When discussing privacy concerns related to third parties, the primary issue tends to be that third parties can collect data across many websites. However, when we examine all privacy considerations, the type of data they collect may be far less sensitive to consumers than it is portrayed in the media and in privacy debates. And it may be far less sensitive than data collected in other contexts.

As this analysis suggests, the Internet of Things requires us to rethink old privacy assumptions and paradigms and focus on what’s really important to consumers and competitors today. A sound privacy framework that instills consumer confidence and a fair commercial playing field should center on responsible data collection and use practices by all parties and good data hygiene, not labels.

We should come together to discuss safeguarding sensitive data and applying the Fair Information Practice Principles where it counts most – health care, financial data, information about our children and the use of precise location data. It isn’t simply who is collecting the data, but what data is collected, how it is used, how long it is retained, and what choices consumers have. I would like to see a policy framework that incentivizes best practices and responsible data management by all parties. That strikes me as a win for consumer privacy, competition and the free, advertising-supported Internet users have come to expect and love.

Follow Marc Groman (@MarcGroman) and AdExchanger (@adexchanger) on Twitter.



  1. Jim Spanfeller

    Read this twice and I am still not sure where Mr. Groman is going other than to somehow suggest that third party tracking is just fine as long as it is from one of his members. When all is said and done, transparency is indeed the real answer here. A consumer deserves the right to know who is collecting data and if they are so inclined…to understand how the data is going to be used.

    So as Mr. Groman himself suggests…“Although the first party brought in the third party to provide a service that it believed to be beneficial (a more relevant ad experience), according to the old ‘context’ argument, the third-party data collection in this scenario is assumed to present a potentially greater privacy risk to consumers. This may be driven by the third party’s presence often not being known to the user and the collection of data across multiple, different first-party experiences.”

    The third-party data collection here is completely non-transparent…which is not a good way to treat one’s customer and if I were the online retailer in this case, I would not allow it.

    • I agree that this smacks of ‘these are not the droids you are looking for’ misdirection.

      The critical thing here is transparency and choice. ‘believed to be beneficial’ – to whom?

      The ‘choice’ of the AdChoices icon is largely a sham. It is not a choice to stop data being collected about the user – merely not to see ads based on that data.

      Also the opt-out information and mechanism is obscure in the extreme.