First-Party Vs. Third: It’s Not So Black-And-White

Allison Schiff, managing editor, AdExchanger

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Allison Schiff, managing editor at AdExchanger. It’s part of a series of perspectives from AdExchanger’s editorial team.

Everyone knows the difference between first-party data and third-party data, right?

First-party data is collected directly from one’s customers, so it’s good, and third-party data is collected by companies that don’t have a direct relationship with the people they collect from, which makes it inherently bad.

That might be a little reductive, but it’s pretty much how the big platform and browser companies frame the debate about how to protect consumer privacy online.

And it’s hard to dispute the sanctity of a direct relationship. But scratch the surface a little, and the definition of first party – and what constitutes cross-site tracking – starts to get a little fuzzy, at least in terms of how the average consumer might define it.

Because regardless of whether data is collected in a first-party context or a third-party context, it’s still tracking. The question is what people understand and whether the collection is authorized, whatever that means.

Benedict Evans, an independent tech analyst and former partner at Andreessen Horowitz, illustrated the point by way of a Twitter poll in April, a couple of days after iOS 14.5 was released.

Of the 5,977 people who took the poll, 83.1% answered “yes” to the question of whether a publisher collecting behavioral data on its own site to use for ad targeting counts as tracking.

As Evans wrote on Twitter: “I ask because the NY Times does do this, and so does Apple, and Apple is mounting an entire marketing campaign on the premise this is not ‘tracking.’ So how do people understand that word?”

In the responses, a user with the handle @pixeldetracking based in Paris (a self-described “ancient de l’adtech” or “former ad tech”) argued against Evans that “trying to confuse people [about] what tracking really is only serves the trackers.”

Pixel de Tracking isn’t wrong. The ad tech ecosystem thrives on complexity. Just ask ISBA.

But just because the ad tech ecosystem has pretty much microwaved the fish on high doesn’t mean that browsers or platforms – the gatekeepers themselves – aren’t also engaged in cross-site tracking or that their form of tracking is necessarily more palatable to regular people browsing the web or using an app.

Take the first-party sets proposal in Google Chrome’s Privacy Sandbox, which aimed to allow related domain names owned by the same entity to declare themselves as the same first party and therefore still be able to share data between them in the absence of third-party cookies.

What would that change mean in practice? Companies like Gap or Procter & Gamble, which each own an assortment of adjacent brands, could centralize customer data. And in theory, Geico, Kraft Heinz, Duracell and the Acme Brick Company could share data, for example (and for whatever reason), because they’re all subsidiaries of Berkshire Hathaway, while their competitors could not, unless they also share common ownership – which doesn’t make a lot of sense.

An entity like Google, though, could transfer data between its own properties – Maps, Gmail, different Google domains across the world, YouTube, Fitbit, etcetera – while other unaffiliated publishers would have no mechanism to monetize their data through partnerships.

For what it’s worth, back in April, the first-party sets proposal was deemed “harmful to the web in its current form” by the W3C Technical Architecture Group. (Regardless, the first origin trials for first-party sets closed in Q3.)

But putting aside the potential anticompetitive issues related to a proposal like first-party sets, it’s emblematic of gatekeepers taking the reins to define what it means to be a first party on their platforms. And that might not line up with how most people would define it.

Josh Koran, EVP of data and privacy at Criteo and an active W3C member, put it to me like this: “For consumers concerned about cross-organization data transfers, why would they be any happier that Google is the one doing this tracking?”

Sometimes a cigar is just a cigar and tracking is just … tracking.

Follow Allison Schiff (@OSchiffey) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. On 25th November the UK ICO helpfully confirmed there is no difference between first and third in their Opinion paper [1]. What matters are the controller(s) and consent.

    “The Commissioner is aware of a view by market participants about how data protection law regards these concepts. For example, that first party has an inherently lower risk than third party. The Commissioner rejects this view.”