Prog IO: What Will Be The Fate Of Third-Party Data After GDPR?

Europe’s General Data Protection Regulation (GDPR) will kill the third-party data ecosystem. Or third-party data isn’t going anywhere.

The truth sits somewhere in the middle, said Alice Lincoln, MediaMath’s VP of data policy and governance, at AdExchanger’s Programmatic I/O in San Francisco on Wednesday.

“Third-party data is here to stay – if it’s high-quality,” said Lincoln, who’s both a man and a woman – if you go by the data floating around about her in the third-party ecosystem. She’s been targeted as both.

Patrick Salyer, CEO of SAP-owned Gigya, is slim and around six feet tall, but when he looked up what data the brokers have on him, “weight-loss products” was listed as an interest.

“I question the validity of third-party data moving forward,” Salyer said. “The brands we’re working with, including large CPGs, are realizing that a direct digital connection with consumers is extremely important – in fact, it’s a differentiator.”

Third-party data has been having a hard time lately.

Post-Cambridge Analytica, Facebook decided to kill third-party partner targeting through its platform to the great consternation of data brokers, like Acxiom. And with GDPR coming down the pike, advertisers are increasingly looking inward to foster their first-party relationships.

But that doesn’t mean third-party data is circling the drain in a GDPR world.

Some brands will always need to supplement with third-party data, and the data will just have to get cleaner out of necessity. Not every brand has enough first-party data to power a digital advertising strategy, said Fatima Khan, chief privacy officer at Demandbase

“I don’t want to go to a website and for it to think that I’m a man in his 40s,” she said. “Third-party data … is an important thing, but it will need to be fixed going forward.”

GDPR will help by encouraging data controllers to shore up their supply chain partners, as it lists clauses that have to be included in data protection agreements, including a requirement for processors to help their controllers fulfill data subject requests and cooperate in the case of a breach.

But third-party vendors shouldn’t just sign whatever lands on their desk, said Emily Jones, a data privacy and technology partner at law firm Osborne Clarke LLP, where she leads the Silicon Valley office.

GDPR codifies what should be in these agreements, but that “doesn’t mean every agreement looks the same,” she said. “Be careful about what you’re asked to sign, and don’t just assume it’s covering the bare minimum. We’ve seen a lot of companies try to include additional obligations.”

But the risk cuts both ways.

In doing its due diligence on partners, MediaMath has seen some try to claim in their written responses that they’re 100% GDPR compliant already – and there’s just no way that’s true.

“I have to call BS on that,” Lincoln said. “I don’t think anyone can say that with certainty at this point. The spirit of GDPR is clear, but what that means practically is unclear. May 25 is just the beginning of how regulation will be implemented and applied, especially across an ecosystem as complex as ours is.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. 3rd party data has always been a bit of a sham. It gives insight into a person at a moment in time, but the time it is sold, all of that can generally be thrown out of the window. This has been knowns for close to a decade, but nobody seems to care. The challenge in digital advertising is that the only systems to understand and target ads efficiently are computer based, not people or agency based. If you are creating a media plan with drop down menu’s and aggregating data segments, you aren’t employing the right strategy. If a machine is given the goals of a campaign and access to any and all data it can find, it will do the most efficient job at accomplishing a given task. Bad 3rd party data, media “plans” and people are what get in the way of efficiency.

  2. But this is about privacy, not about data quality at all… Seems to me that the speakers are missing the point, or are in denial. It isn’t about a threat from P&G to boycott 3rd party data because it garbage, but a government regulation that could potentially render 3rd party data as legally illegitimate. Either way, I agree that May 25 is only the beginning.

  3. The expressions on the faces of the people in the picture tell the whole story.