Today’s column is written by Paul Bannister, co-founder and executive vice president at CafeMedia.
It’s become a statement of faith among those in digital advertising that first-party data – and first party-ness, in general – will become critical to companies’ success in the future.
But there’s a lot of confusion about what first party actually means, how first-party data can be used and what the future of first-party data looks like. There are also inherent biases and assumptions built into our blind faith in first-party data as the savior of user privacy and targeted advertising on the open web.
What is ‘first party’?
The concept of “first party” with respect to the web was coined in the mid-’90s with the creation of the cookie. Cookies were designed for websites to manage the “user state” – before cookies, a website didn’t know that you were the same user across page views. That made services such as logins, shopping carts and other things we take for granted impossible.
A cookie was viewed as first party if set by the same domain as the site the user was on (such as an Amazon.com cookie when the user is visiting Amazon.com). A cookie was viewed as third party if set by a different domain, such as a company-x.com cookie on Amazon.com. Very early on, it was clear that this setup could lead to privacy issues, and actions were taken to try to prevent this from happening.
There’s another “first-party” concept people often talk about too: data that is created and owned by a given company. This is the source of significant confusion. First-party cookies do not map cleanly to first-party data. If, as a publisher or advertiser, you use multiple domains, first-party cookies can’t be linked across those domains because by definition a first-party cookie is limited to the domain on which it was set.
In the future without third-party cookies, something a company might know about a user on one of its sites (perhaps they added a specific item to a shopping cart, for example), can no longer be linked to that user on another site. For multidomain companies, this presents a huge issue. The first-party relationship a business has with its consumer is divorced from the first-party way cookies work.
What the future holds
Absent third-party cookies, there are two possible solutions to this issue. The first is a shared identifier, such as an email address or phone number. If a user is logged into two sites owned by the same company, the first-party data could be shared across those two domains. There may also be other shared identifiers that require less commitment from users, but it’s unclear which, if any, of those might work in the future.
The second potential solution is called First-Party Sets and is part of Google’s Privacy Sandbox. This essentially allows an organization to group together a batch of its owned domains and share information across them. This primarily allows them to offer shared services, such as a single sign-on, but also allows them to share data for ad targeting purposes.
Enabling Google.com and Google.co.uk to be a part of the same first-party set makes a lot of sense. Allowing Vox.com and partner site Theverge.com to be in the same first-party set might make sense to some users. Allowing Geico.com and Dairyqueen.com, which are both owned by Berkshire Hathaway, to be in the same first-party set doesn’t make sense at all. But all three cases are permitted by the proposal as it stands.
On the reverse side, sites that aren’t owned by the same organization but want to offer shared services can’t group together at all under the current proposal. The major browsers’ user agent policies deem an “organization” as a critical requirement to making a first-party set valid. With three of the four major browsers owned by the largest companies in the world – and the fourth getting nearly all of its revenue from enormous companies – it’s not surprising how biased these policies are toward large companies over small and independent ones.
Another part of the Privacy Sandbox – the Privacy Budget – also comes into play here. This proposal is still very nascent, but the basic idea is that a browser will only reveal a limited amount of information to a site, to ensure that the site can’t use any fingerprinting techniques to discern who the user is. This means that publishers or advertisers that create a first-party set across their domains will be limited in terms of the data they can collect and the services they can provide.
The only way to get around the privacy budget? Have logged-in users – of which only the largest companies in the world have high penetration levels. They also own the biggest browsers, which are setting all of the rules for privacy.
First party-ness doesn’t necessarily protect the user
All of this is based on browser engineers’ views of the world, a very technical and specific view that doesn’t reflect real peoples’ expectations. It’s probably true that when a user is on a site, they are fine with that site offering services built off first-party data. But just because a user is logged into a site and uses it all of the time doesn’t necessarily mean they want that organization using their data across all sites in a first-party set to target them with ads, creepy or not. User privacy is not protected by the simple nature of the fact that they visit a given domain or group of domains owned by the same organization.
First-party data for publishers and advertisers that aren’t enormous will be seriously impacted by these changes, far beyond what is expected. The first-party data systems that publishers are building today may fall apart quickly under the new constraints on first-party cookies in the future.
These standards should be amended to either allow for publishers of all sizes to use first-party data and share information (with consent) or no one should be able to use them, even the largest companies.
All publishers and advertisers should have the right to “first party” in the future.