Move Over Third-Party Data: Rising First-Party Data Collection Looks To Impact Business and Data Privacy Laws

By: Rebecca L. Rakoski, Esquire, and Patrick D. Isbill, Esquire

A growing number of today’s global businesses use some form of data collection. Data analytics is often added to the equation to process these collections in order to read or predict market trends. The term analytics is familiar to many because it partly serves, for now at least, as a guide to business decision-making and can shape the directional outlook of any company by driving revenue projections. Data is, after all, valuable. But it is the how, where, and by whom this data is collected and shared that dictates the interpretation of data privacy laws and the reach of regulatory compliance.

First vs. Second vs. Third-Party Data Collection

To better understand the technical language of data privacy laws, it is necessary to classify and distinguish the type of individual or entity collecting data. Terminology is therefore important. Third-party data collection is the term most often heard when discussing privacy laws and the assignment of responsibility and liability. In that model, data is not collected from proprietary sources but by a third-party individual or entity, who then sells or gives it to a company. The purchasing or receiving company can then use the data for what some legal ethicists worry are endless and indeterminable reasons. Other analysts contend that data is simply a means to a definite end, used to achieve a relatively benign business or marketing purpose, or even just a means for research and development.

First-party data collection, in turn, involves a company acquiring data directly from a source, usually its customers. This type of collection is effective mostly because of its reliability, and it can minimize both interpretation and categorical error. Until recently, companies may have collected data themselves but still relied on third parties, partly for cost efficiency arising from mutual benefit, and partly for the broader analytical possibilities and logistical governance those third parties offered. Generally, the information gathered is the same as in a third-party data collection.

Second-party data collection, on the other hand, sits somewhere in between. While it is far from the best of both worlds, it is characterized by a deliberately sharper focus. It is data obtained from a trusted partner, where factors such as quality and relevancy are considerably higher. Data customization is a term sometimes attached to this type of collection, mostly because companies can use discrete data sets for specific transactional purposes.

Businesses Looking More Toward First-Party Data Collection

The trend in who exactly does the collecting may also influence the direction and interpretation of current and future data privacy laws. For some time now, market research has led some analysts to forecast a sharp decrease in the use and impact of third-party data collectors. A primary explanation is typically the accuracy of the information collected or captured by third parties. Another is trust, specifically consumer trust: a valued commodity that nearly every company not only vigorously attempts to cultivate but exceedingly covets in the perpetual race to gain an edge over the competition. Rising consumer awareness of the value of privacy, and increasing questions over the degree to which their data is being shared or even sold, have garnered the attention of business leaders and government legislators worldwide.

Businesses are taking the hint too and adapting their methodologies: maintaining their own internal demand for analytical data while shifting how they source that information in response to outside market demands. Spanning multiple industries, a surging range of businesses, like Walmart, Amazon, and Marriott International Inc., are exploring new avenues to reach consumers. This could be the beginning of a shift toward companies favoring first-party data, meaning data resulting from direct interactions with their customers, over third-party sources to achieve their market and advertising goals. By constructing in-house media networks that use their own customer data, companies are challenging traditional thinking by essentially causing advertisers and marketers to come to them, with regulatory adaptation undoubtedly not far behind.

Companies like Marriott will essentially supply relevant ads from brands and advertisers by utilizing anonymized customer data collected from Marriott’s digital channels, such as bookings and past searches. Marriott stresses that it does not share its data with advertisers but will instead rely on Yahoo to run its media network, where advertisers can then shop for media space. Moving into the business of media networks could have far-reaching consequences for revenue related to digital retail media. The costs of assembling these networks, however, could price many smaller companies out of the market. Notwithstanding any discussion of data privacy, this concentration of data, perhaps moving more toward first-party collection, and whatever value it ultimately has under the law, must still signal caution when it comes to data security: consolidating customer data in one place also concentrates the target that cyber criminals need to aim at.

Statutory Consequences Using First-Party Data

One of the main concerns organizations have when addressing data privacy and cybersecurity is liability. Under regulations like the European Union’s General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), and the California Privacy Rights Act (“CPRA”), organizations that share data must enter into contracts with any third party. This does not, however, obviate the controller or business organization’s liability. In fact, under the GDPR, a controller cannot cede its responsibilities toward the data subject and transfer its liability to data processors. The result is something of a shared responsibility model between data controllers and data processors. The legal drawback? When organizations use only first-party data, and therefore forgo the use of third parties, i.e., processors or service providers, they assume all of the risk and liability.

But it is not all bad news. Control and transparency over data is a significant factor in regulatory compliance, especially when it comes to often discussed issues such as consent. Article 7(1) (Conditions for Consent) of the GDPR states that “[w]here processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” In fact, consent is one of the six (6) lawful bases for the collection and processing of data under the GDPR. Pursuant to Article 6(1)(a) (Lawfulness of Processing) of the GDPR, “[p]rocessing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes[.]”

Generally, domestic state privacy laws provide that consumers can limit the processing of personal information through a right to opt out, and that controllers may not process personal data for purposes that diverge from those disclosed without first obtaining the consumer’s consent. According to California Civil Code Section 1798.120(a) (California Privacy Rights Act), “[a] consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. This right may be referred to as the right to opt-out of sale or sharing.” Under Virginia’s Consumer Data Protection Act (CDPA), § 59.1-578(A)(2), “[a] controller shall: Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent[.]”

Keep in mind that when the basis of collection is consent, it can also be withdrawn by the data subject at any time. Consent is by far the most discussed legal basis, to be sure, but comparatively it is not the preferred basis for the collection and processing of data. Using another basis for the collection may be more advantageous because it cannot be withdrawn. Moreover, this type of unpredictability is generally not favored when trying to protect a legally defensible position; in other words, it is a key litigation point. Another consideration is that when consent is obtained, the processing of that data can be limited to the purpose for which consent was obtained pursuant to the applicable statute. For example, if you collect data to sell an item online to a data subject and that is the basis for obtaining consent, the organization cannot then easily turn around and use the data for marketing or another purpose.

The bottom line is that first-party data collection has its advantages, but legal issues need to be sorted out too. This type of collection assumes control over that data. Organizations therefore do not need to enter into contracts with third parties in and around data processing activities. This can provide an organization with a sense of security and transparency as to how its data is being processed. Nevertheless, it also means the organization stands alone on a sharp ledge in the event of an issue involving liability.

Most data processing agreements include indemnification provisions to at least widen the ledge a bit. So while the controller cannot avoid liability to the data subject or the regulatory authority, it can recoup some of those costs through an indemnification from its processor or service provider. If, however, the data is not shared, as in a first-party collection setup, the controller is solely responsible for all actions, inactions, or issues regarding the data. Thus, like all issues around data privacy and cybersecurity, it is a balancing test that must weigh the legal costs and strategic benefits of using, or bypassing, third parties.

As with most points of intersection confronting any organization in the fast-paced digital economy, it must make a business decision (present) that reflects emerging technology (future) under laws and regulations that typically need to evolve (past) before either can be applied to the moment. On the surface, first-party data collection could give businesses that are considering building their own media networks greater control and transparency, satisfying consumer demand while also strategically decreasing regulatory exposure regarding data. The trade-off will be incurring greater exposure to legal liability, which could be mitigated by the technology upgrades necessary to strengthen cybersecurity and data protection.

All in, the financial incentives and available technology surrounding first-party data collection may be too much to pass up. Data privacy regulations are, needless to say, being positioned to hold companies accountable for their compliance and ethical responsibilities in handling data, in answer to the growing chorus for privacy from consumers. In the final analysis, a commitment to privacy is part of a larger calculated business equation, and one that cannot add up to trust without it.

Reprinted with permission from the October 6, 2022, issue of the New Jersey Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2022 ALM Media Properties, LLC.

This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
