We Need To Talk About First-Party Data – Because It Doesn’t Belong To You

Robin Caller, CEO & founder, Overmore

Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Robin Caller, CEO and founder of Overmore Group.

Fair warning, this essay is a bit of a rant. I mean no harm to any promoter of ad tech, martech, clean rooms or other digital advertising technology.

I’m sure they’re very nice people who love their families and dogs and recycling.

But that doesn’t change the fact that language matters. It is a trap that can lead to mass delusion. The language we use to describe data in our ecosystem demeans the consumer and strips them of their rights. A rant, in this case, is warranted.

First-party data …  second-class citizens

GDPR, CCPA, CPRA and nearly every other privacy-related regulation is the product of consumer backlash.

You can almost hear the chorus: “Stop collecting and selling our data so that marketers can deploy it against us in algorithms.” 

“Stop using our personal data to manipulate us into buying stuff we don’t want, don’t need or can’t afford.” 

“We want our privacy back.”

The sentiments and principles that underpin these laws are clear. Consumer data should be owned by the consumer. If we want to collect and use it for any marketing purpose, we must explain how we will do so – and obtain consent and permissions. (GDPR explains this quite nicely here.)

But to get that agreement, the consumer must understand the trade-off. They need to understand what’s in it for them and see real value in the arrangement. On the whole, I’d argue we’re not yet holding up our end of the bargain –  if we were, there’d be no outcry against Google’s latest moves.

We're not gonna take it anymore.Why are we failing? Is it because we’d rather stay one step ahead of the regulator rather than stop and embrace the consumer?

It all goes back to the language we use to describe user data and privacy, coupled with the confirmation bias – some might call it a love affair – we have with our own soundbites and cleverness.

Whose data? Our data!

Brands are constantly told to consider the data generated by user activity on their domains as their own “first-party data.”

The thinking goes a little something like this: Because the brand collected the data, the brand owns it … right? If that logic holds true, it follows that the brand has the implicit authority to use that first-party data at their own discretion because, well, they own it.

Talk about hubris! 

Let’s look at this through the consumer lens: If I visit your site and make a purchase, I’m consenting with the understanding that you need my data in order to uphold your end of the bargain, meaning: charge the correct price, send the right product to the right place and resolve any issues that may arise.

But let me be clear: That data is not, and never will be, “your” first-party data. The customer is the first party in this transaction – you, as the marketer, are the second party. This is the only logical party-numbering scheme especially considering our oft-repeated mantra that we “put the consumer first.”

And yet, the industry willfully overlooks this logical fallacy, and seemingly can’t bring itself to reckon with its own self delusion. Instead, we rationalize it through more language manipulation, such as calling customer data “zero-party data.” 

Really? I feel the rant rising again.

That’s ridiculous. I’m not a zero; you’re not a zero. Zero isn’t even a real number – it’s an integer. I am not an integer. I am a real person, and I have legal sovereignty over my data. I share it with brands for “clear and express purposes”, as is my right. But I always retain ownership over it.

And so do you, my fellow marketing professionals. For some bizarre reason, we’re often a little too willing to distort the rights of ordinary people because the companies we work for make good money when we buy into these mindsets. 

But it’s a false narrative. You’re telling yourself my data is your asset, but in reality, it’s increasingly becoming a liability. The law is pretty clear: The consumer is the true first party.

You know what else the law is clear about? As second-party data holders (i.e., you, the   marketer), brands must obtain permission from the first party in order to use their data for marketing purposes.

And don’t get me started on the topic of “clear and explicit purposes.” Oops … too late.

One of the most opaque – and ignored – terms in the world of consumer data and privacy is “purposes.” But make no mistake: Once regulators have beaten enough of us up about the legal meaning of consent, they’ll start investigating permissions. Then it’s only a matter of time before they get to “breaches of purpose.”

How do we escape their future wrath?

The path of least resistance is accepting that “privacy-first” means “user-first.” That needs to be buttressed by express and informed consent, an unbundling of permissions and empowering consumers to retain sovereign control over the what, as well as the why, when and how their personal data is used.

It really is that simple.

Follow Overmore Group (@overmoregroup) and AdExchanger (@adexchanger) on Twitter.

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Informed consent is very important… but we should not ignore the obvious fact it is anti-competitive.

    Larger entities, especially those that provide a suite of services, have a fundamental advantage in two ways:

    – They usually avoid the need to acquire explicit consent for the N + 1st service through carefully designed consent language, a practice known as consent bundling. While regulations such as GDPR are clear that consent bundling should be avoided, enforcement is almost impossible given the nature of service implementations.

    – They can strong arm people to consent to almost anything because the cost of withdrawing consent is too high (and increasingly so through consent bundling). There is ample research supporting this in addition to good journalism describing the effect on one’s life from attempting to withdraw consent from one of the big tech platforms.

    Using data–especially personal or sensitive data–to improve people’s lives is ultimately about purpose and a duty of care, which are unfortunately fuzzy legal concepts. The marketers (and intermediaries) who can hold their heads high when it comes to purpose and duty of care have little to fear.

  2. “On the whole, I’d argue we’re not yet holding up our end of the bargain – if we were, there’d be no outcry against Google’s latest moves.” <== what does this refer to? Chrome Privacy Sandbox? FloCs?

  3. I agree with you in a B2C world, but not for B2B – especially when it comes to account-based marketing.