The definitions and differences, explained.
Since the introduction of the European Union’s General Data Protection Regulation (GDPR), there’s been a great deal of emphasis on how organisations handle customer data. It’s become increasingly important to understand the implications of working with first through to third party data. Now there’s the added complication of the recently-introduced concept of zero party data. Here we untangle the different data types and the necessary approach to each.
What is first party data?
First party data is personal data that you collect directly from people. Examples could be data collected from customers during the processing of their orders, data collected while providing customer support, or data collected from people filling out forms on your website. Under the rules of the GDPR (now incorporated into UK law as the UK GDPR), the data must be collected with their consent and:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Limited to what is necessary
- Accurate and, where necessary, kept up-to-date
- Kept in a form which permits identification of data subjects for no longer than is necessary
- Processed in a manner that ensures appropriate security of the data.
First party data is processed and used solely by the organisation that has collected it.
What is second party data?
Second party data is defined as data that is collected as first party data, and which is then made available for sale to a partner organisation. Rather than being sold in an open, multi-company marketplace, second party data is shared by two companies in a collaborative way, so the data is from a trusted source. The data hasn’t been collected directly by the buyer, but based on the consent settings used when the data was collected, the buyer can legally access it. An example could be a credit card company who shares certain data on their customers with an airline, enabling those customers to collect air miles.
The implementation of the GDPR has driven a rise in the popularity of second party data. Its users know that the data has been collected lawfully and in accordance with the principles outlined above.
What is third party data?
Third party data is personal data that has been collected by another organisation to your own – a third party – and then sold by a data aggregator. A set of third party data can be bought by any number of organisations. The data aggregator pulls data from multiple sources and integrates it into large data sets, which clients then search for particular demographics, behaviours or interests.
Under the GDPR, the purchaser of the third party data becomes the data controller, and the aggregator is the data processor (see our GDPR guide for more details). As a data controller, you are responsible for compliance in your handling of the data, but also equally responsible for your data processor’s compliance. It is therefore vital to ensure that the data aggregator is fully GDPR-compliant. In response to these requirements, many vendors have updated their data processing agreements to demonstrate GDPR compliance; some have also certified with Privacy Shield.
What is zero party data?
Zero party data is the most recent of the data classifications. Whereas first party data is generally data that a customer has to provide to receive a product or service, such as an address for deliveries or the location of their clicks on a website, zero party data is optional information provided by an individual. Often this is via personalised experiences, such as quizzes to generate gift guides or a short questionnaire to identify a person’s purpose in visiting a website. This provides direct, accurate information on an individual that can be rich in insight. As a contrast, first party data will generally just provide inferred insight into a person’s needs based on factors such as their purchasing behaviour or demographics.
Like first party data, a company with the right processes in place knows that the zero party data they’re collecting is accurate and compliant with the GDPR.
Looking to the future
The case of third party cookies is an interesting parallel. They are increasingly being phased out to comply with data protection regulations. Google announced in February 2020 that they would be phasing out third party cookies from their Chrome browser, and the company recently confirmed that they would not be building an alternative way of identifying users because “we don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment”.
Third party data differs from third party cookies, as it is not necessarily generated from tracking customers across the internet. However, the decline of third party cookies indicates that third party data may also be increasingly seen as problematic. Focusing on the collection of zero party and first party data, and building meaningful partnerships via second party data, is likely to become increasingly relevant.