Big tech, you’ve got your parties muddled up.
First-party good, third-party bad
There seems to be a strong positive correlation between the size of digital companies, and how often they use the word ‘party’. Perhaps understandable, given the rather large profits that are made, seemingly in good times and bad. But actually, there are are two connected reasons for this phenomenon:
- The first is that the larger the digital company, and the more online services it operates, the more data it is able to collect from direct interactions with its users. This is generally referred to as first-party data, and the bigger you are, the more you can get your hands on.
- The second, is that for a number of years, there has been a narrative that uninhibited use of first-party data is the more ethical choice, somehow vindicated by data protection law. This has been validated through comparisons to third-party data, which involves sharing data between organisations, including those that do not have a direct relationship with the individuals.
In this blog, with the support of an admittedly tenuous reference to Guy Ritchie’s ‘Snatch’, I will shine a light on these unhelpful terms and the misleading narrative that they support. And drawing on results from a recent survey of Gener8 users, I’ll demonstrate that there is only one type of party that sustainable companies should be attending from now on, and that’s one where they’ve been invited.
Whose party is it anyway?
When it comes to data about you and your online activity, it is your party, and you are the host. But in practice that doesn’t always mean you are in charge of the guest list.
There are actually three kinds of party happening online with your data:
- The Zero Party = it’s your birthday, you are in charge of the guest list, and you can even charge for entry if you like. Gener8 security guards man the door.
- The First Party = a few of your friends turn up to your house unexpectedly. They do this a lot. You let them in as you are pleased to see them and you enjoy yourself initially. Gradually more and more of their friends and family arrive that you have never met. You don’t know how to get them to leave without upsetting them.
- The Third Party = everyone in town is having an illegal rave, in your house, wearing your clothes and eating food from your fridge. The sign outside says ‘everyone welcome’. You called the police, but they never showed up.
In truth, and even with more sensible definitions, none of this terminology is really very helpful or important. Most harmfully, it can often be used to imply ownership of data that always really belongs to the individual it relates to.
In the real world, when it comes to personal data, there is only one distinction that really matters: whether or not the data is being processed legally. So if first-party data is superior to third-party data, as the narrative often goes, this must be because it says so in the law, or because people are more freely giving their consent for its use.
Does the law favour first-party data?
No, it doesn’t. And there have been a few helpful clarifications on this point in recent years by the UK’s data protection watchdog (the ICO):
- An opinion published by the ICO confirmed that ‘data protection law does not inherently favour the concept of a first party over that of a third party within the meanings web standards bodies or data categorisations give to those terms’.1
- A joint statement of the ICO and the UK’s competition regulator (the CMA) highlighted specifically the risk of data protection law being interpreted by large integrated digital businesses in a way that unduly favours them over smaller, non-integrated firms.2
- In reference to tracking, the ICO opinion explained that from a data protection perspective, ‘a variety of organisations can undertake it, from single businesses to large corporate entities. For example, a large organisation that operates multiple online services, or many smaller organisations sharing information between them’.
In other words, data protection law applies equally to all companies, large and small, and what really matters is having a legal basis for processing personal data. Meta recently found this out the hard way, with an EU ruling (and associated hefty fine) that has led to Meta announcing it will allow its users to opt out of personalised ads. [Eric Seufert’s excellent Mobile Dev Memo blog is recommended reading on this topic].
If people haven’t given their consent for a large corporation to use their data from one service to serve them targeted ads on another, then it is no more legal than data being sold, shared and used by multiple unknown third parties. In other words, to stretch the party analogy a little further, inviting your friends and family along to a party without invitation is no better in the eyes of the law than putting a sign outside saying ‘everyone welcome’.
From a competition perspective, any narrative of ‘first-party good, third-party bad’ is undeniably harmful. It tilts the playing field in favour of large integrated companies, creates a barrier to entry in ad-funded markets, and creates incentives for acquisitions and integration that will encourage a trend towards higher concentration. It also potentially causes a shift away from ad-funded ‘free’ services towards paid-for services and subscription models (we are already seeing some signs of this with moves toward paid-for verification on social media).
So from a legal point of view, data protection law does not favour first-party over third-party; the interests of very large firms are not inherently more or less likely to be considered ‘legitimate’. There is certainly no carve out in the law that says ‘so long as you collect the data directly from a customer that has signed up to your service then you can do what you like with it’.
If there is no specific first-party legal basis for processing, then the first-party Data Dysons of this world must be inherently better at getting consent for what is going on, or people must just be more comfortable with first-party tracking.
So what do consumers think?
We decided to find out, so we surveyed around 700 Gener8 users about their awareness and attitudes towards tracking, and naturally we rewarded them for choosing to share their views (data) with us. The results do seem to suggest that if you gave every consumer a binary choice, it is likely that more would opt for first-party tracking than third-party tracking.
For example, we presented respondents with two hypothetical scenarios: one where they are served ads on Instagram based on their Facebook activity (i.e. first-party tracking) and another where they are served targeted ads by the Daily Mail based on their earlier online shopping activity (i.e. third-party tracking). A higher proportion of respondents reported a preference for the first-party scenario (21%) than the third-party scenario (10%).
Similarly, when we asked about potential data collection practices by browser operators, 26% of respondents said they would be willing to consent to the browser operator collecting their data in order to target ads on a website that it owns, whereas just 15% would consent to that same data being used to target ads on other third-party websites.
Taken on its own, this data might be used to vindicate the ‘walled garden’ approach to data collection and processing. But there is a stronger, overriding message that comes through from the results. Higher proportions of responses focused on consent and control rather than corporate ownership, and our survey suggests this is relevant in the context of display advertising, browser operators, and app stores.
For example, taking the above Facebook scenario, the most popular response (34%) was that both scenarios are equally creepy and they hadn’t consented to any of it. With respect to browsers, while around half (48%) of respondents said they would consent to data collection for monitoring browser performance, 29% said they wouldn’t consent to any of the data processing.
So yes, if people have a gun to their heads, they are more likely to choose to be tracked by a single company that owns lots of services than by many smaller ones that share data between them. But the implication here is merely that first-party tracking is the lesser of two evils, not the industry standard to aspire to.
When is consent meaningful?
Consent can only be truly meaningful if it is given explicitly and willingly, with a reasonable understanding of the consequences, without fear of penalty from withholding, and without being steered in a particular direction.
This rules out a host of very widely used practices, including but not limited to where: consent is implied or buried in terms and conditions; choices are presented as ‘take it or leave it’; the opt in option is displayed much more prominently; the opt out option is harder to find or involves additional layers of effort; or the description of the consequences or outcomes is unclear or open to being misinterpreted.
The final practice in this list brings me to Apple, and its statement that ‘Apple does not track you’. Now let’s be fair to Apple. By explicitly and prominently requesting permission to serve personalised ads based on first-party data, Apple is very clearly best in class among its contemporaries. But it partially undermines its privacy-first approach with that one statement which, at best, could be open to interpretation by some of its users.
Despite this categorical claim, Apple’s use of data for ad personalisation in the App Store appears to be fairly extensive. According to the CMA, Apple uses the following data to group users into segments for the purpose of ad targeting: ‘account information (eg birth year, gender, location), app and content downloads and purchases from its own apps (eg Apple Music, Apple TV, Apple Books) and third-party apps (segmented by App Store category) and the types of news stories users read on Apple News.’ This is quite a lot of data from quite a wide range of sources.3
Apple neatly squares this circle by offering its own unique definition of the word tracking, which it says ‘refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.’4
By this definition, it is correct to say that Apple isn’t tracking its users, because it is collecting the data from within apps it owns and operates (although one might suggest the use of in-app purchase data from third-party apps would be questionable in this context). Although there is no definition in law of tracking to refer to, the views of W3C (a leading web standards body) and the ICO should carry significant weight. Neither of these bodies’ definitions of tracking make any distinction between first and third-party data or corporate ownership, referring instead to tracking across different contexts rather than companies.
The final report of the CMA’s Mobile Ecosystems market study emphasised that the UK’s competition and data protection authorities are in lockstep on this point, stating that ‘the CMA and ICO consider that Apple is conducting processing activities that can be characterised as tracking.’ 5
The CMA also highlighted the surprising lack of testing conducted by Apple, stating ‘we are concerned by the apparent lack of research and user testing conducted by Apple either prior to or following the implementation of both prompt screens – this type of testing is important in assessing user understanding of these prompts and their design and making sure they are optimised for their comprehension.’ The CMA and the ICO were in alignment that ‘testing in future by Apple on the ATT prompt and its personalised advertising prompt could reveal whether the current choice architecture is optimised.’
To my knowledge, Apple has not yet announced plans for any such research, but it will no doubt be pleased to hear that Gener8 has stepped in.
We asked our users which types of data it would be OK for Apple to be using for ad targeting, given their interpretation of Apple’s statement that it does not track you. The full results for this question are below.
|Options (respondents could select multiple)
|Proportion of users that selected
|Apps downloaded from the App Store
|Search queries and pages you viewed in the App Store
|None of the above
|Content downloaded from Apple Music
|Content downloaded from Apple TV
|Information about the apps you are downloading
|Content downloaded from Apple Books
|News stories read on Apple News and Apple Stocks
|Purchases made within apps not owned by Apple
There seems to be some room for improvement here regarding user comprehension of Apple’s data processing practices. One third of respondents felt that Apple ought not to be using any of the data, while only around a fifth thought it was OK for it to be using data from Apple News and Apple Stocks, and fewer than one in ten said it would be OK to use data about purchases made within apps not owned by Apple. There is little variation in these results when we look at Apple users only.
These stats suggest Apple’s firm commitment not to track may be causing a material proportion of its users to underestimate the extent of its data processing should they opt in to personalised ads.
I feel that ChatGPT hit the nail on the head with this balanced assessment: ‘Yes, Apple does track its users for serving personalized ads in the App Store. However, it’s important to note that Apple takes user privacy seriously and has implemented measures to protect user data.’
I agree with these balanced sentiments. Apple is doing what few of its contemporaries are doing, and actually asking for consent to process first-party data for ad targeting. This is what we would expect of a company that believes privacy is a fundamental human right, and holds privacy as one of its core values, and it is important to recognise the good just as loudly as the bad.
All I would ask is, why spoil it?
If people have a gun to their heads and are made to choose between one or the other, then they are likely to have a preference for first-party over third-party tracking.
But that is a false choice, and it supports a harmful narrative. What people really care about is giving (or withholding) their explicit and informed consent for things – only so-called zero-party data can be sustainable in this context.
So the message from Bullet Tooth Tony when held at gunpoint in the Drowning Trout pub was as relevant to Vinny, Sol and Tyrone (pictured above) as it is to Google, Apple, and Meta today: ‘you’ve got your parties muddled up’!6
Get in touch
1. Information Commissioner’s Opinion: Data protection and privacy expectations for online advertising proposals, Nov 2021.
3. CMA market study into mobile ecosystems, Appendix J.
4.Apple’s guide to user privacy and data use.
5. CMA’s market study into mobile ecosystems, final report.