First-Party Data

Privacy and the Dawn

This morning I received one of those boring Terms of Service or Privacy Policy updates from one of the many services that my employer uses to achieve day-to-day tasks.

Well, I’ve been receiving a lot of them recently – much like I did when GDPR was first coming into effect. This wave of privacy policy updates is primarily concerned with the upcoming California Consumer Privacy Act (otherwise known as the CCPA or California’s GDPR).

Now, California is famous for putting laws into effect that later affect the rest of the country and, often, the rest of the world. In fact, in the United States, there is a common saying: As California goes, so goes the country. 

Sometimes, this pioneering Californian attitude can lead to (sort of) hilarious situations. California’s Proposition 65, for example, led to gas lawnmowers and other internal combustion machines having to prominently display a sticker saying that the emissions released by the machine “were known to the State of California to cause cancer and birth defects or other reproductive harm.” 

Unless these stickers were prominently displayed, a manufacturer could not sell the product in California. And, seeing as California’s GDP in 2018 was a whopping 2.8 trillion USD (that is to say, bigger than every economy in the world excepting Japan, China, and Germany), manufacturers almost universally complied. 

Of course, that this critical knowledge seemed to be confined solely to the enlightened beings of Southern California made good fodder for comedy over the years. 

Nevertheless, it had a profound effect on the entire industry. One very large state insisted on the change, and the entire country followed suit. 

The same thing appears to be happening with California’s CCPA, which will go into effect on January 1, 2020. 

In a rush? Skip to the tl;dr here


The privacy awakening
Application of penalties
The decline of the cookie
How the industry is changing
First-party data

The privacy awakening

Over the last few years, consumers have become increasingly concerned with their own privacy. Whereas in the past they were more than willing to give Facebook huge amounts of personal information (from their hometown to birthdate to what kind of ice cream they like), today things have changed.

People are still willing to let go of their data, but they want significantly more control – or at least to have the option to control their data even if very few ever avail themselves of the power.

To underline just how important and significant this change has been, just check out the percentage of internet users who are concerned about their privacy.

According to Statistica, that number is at 83% in the United States and 73% worldwide.

And GDPR and CCPA are direct responses to voters’ growing concern.


The General Data Protection Regulation, or GDPR, is probably something about which everyone in Digital Advertising is simply getting sick of hearing. 

It’s been such a long-running headache and damaged so many different, already established and entrenched practices, that no one wants to talk about it anymore. 

For businesses that didn’t absolutely have to work with European-based customers, banning all traffic from EU nations was an easier solution than conforming to the new rules. For example, many smaller news sites and local businesses in the United States are no longer accessible with a European IP address. 

GDPR has been discussed ad nauseam in digital advertising circles, so we’ll spare you your Nth rundown of GDPR, what it is, and why it matters – because you almost certainly know all the above. 

So let’s move on to CCPA 

If you want to brush up on GDPR or just love reading about it, check out an exhaustive introduction here.


So, the California Consumer Privacy Act – what is it? 

Voted into law by the California State Congress on June 28, 2018, this sweeping data protection law will likely change the way data is handled throughout the United States. You might recall that GDPR came into effect in May 2018.

So the Californians followed very quickly in the footsteps of these European data protection pioneers. 

In short, it’s the American GDPR. 

It’s goals, according to wikipedia, are the following:

Know what personal data is being collected about them.

Know whether their personal data is sold or disclosed and to whom.

Say no to the sale of personal data.

Access their personal data.

Request a business to delete any personal information about a consumer collected from that consumer.[9]

Not be discriminated against for exercising their privacy rights.

It seems pretty similar to GDPR, no? 

Well, there are some very important differences. The most important of these differences is the much higher minimums required before these data laws apply to a business. 

CCPA, on the other hand, will only apply to businesses that meet the following criteria: 

To be subject to CCPA, a company must operate or be based in California and meet one of the following criteria

  1. Have annual gross revenues of over 25 million USD
  2. Buy or sell the data of 100,000 persons or household
  3. Earn over half of the business’s annual income by selling personal data

As you can see, the floor, as it were, for CCPA is significantly higher than GDPR. While a smalltime blogger might find himself subject to GDPR laws in Europe, he is unlikely to have to worry about CCPA. 

CCPA is clearly concerned with large (or at least larger) corporations and what they are getting up to with consumers’ data. It doesn’t seem like they want to place an undue burden on small businesses and entrepreneurs.

This move makes sense, given that California is such a powerful economy due precisely to small businesses and entrepreneurs!

Application of penalties

An important thing to mention regarding CCPA is that it doesn’t just affect data starting from January 1, 2020, onwards, but also all data from the 12 months prior to its coming into effect. 

Lastly, let’s look at the different penalties to which a company can be subject, should it be found that they are in breach of the law. 

First, let’s look at the penalties attached to GDPR

Businesses that violate GDPR can be subject to fines of up to 20,000,000 EUR or 4% of their total annual revenue from the year prior, whichever is greater. 

Now that’s the maximum penalty. In terms of actual applications of the law, one can see that the penalties that are actually handed out are significantly more modest

But they’re not always small! Did you know that the German regulatory authorities recently meted out one of the most significant GDPR fines yet? 1&1 Telecom will have to pay almost 10 million EUR in penalties for incompletely complying with GDPR laws.

Now, here are the penalties that can be imposed by CCPA.

Intentional violations of the law can result in fines of up to $7,500 per violation. Unintentional violations can cost up to $2,500 per violation. 

Regarding data breaches, companies could be liable to pay from $100 to $750 per California resident affected.  

If you want a solid, in-depth introduction to CCPA and its ramifications 

These laws have resulted in a lot of changes. Of them, however, perhaps one of the most significant is the way that cookie use has had to adapt. 

Now you have to ask for consent, the user needs to be able to be informed about what data is being collected and how it will be used, and, further, they need to be able to opt-out and remove everything after the fact. 

Naturally, this has led to a massive reordering in an industry that had previously been very cookie-dependent. The need to be able to show a user where and how his data is being used and give him control over it, made industry-standard practices like cookie-syncing significantly more complicated. 

Essentially, everything involving cookies went from “simple and effective” to the exact opposite. 

As GDPR’s effects become the new normal and CCPA threatens to make these new norms almost unavoidable, the cookie is falling out of favor and the industry is searching for a replacement. 

How the industry is changing

These new laws and general market trends aren’t leading the industry in a totally new direction, but rather the industry is retreading a well-traveled path.

The industry is now reorienting itself back to its First-Party roots.

First-party data

What does it mean? Well like many things in this industry (such as Ad Network or Tier) there isn’t an exact definition of first-party data.

In general, however, it means data that you have collected on your audience or customers on your own. That is to say that it wasn’t bought (third-party) or collected by a partner (second-party).

First-party is generally considered the most important, relevant, and useful data that one can have regarding his own audience.

With second-party but especially third-party data, you don’t have any control over how the data was collected and no assurance that everything was done properly.

Further, the data could have been shared with other companies, other competitors, etc.

With first-party data, you know how it was gathered, who gathered, when, and how. Which is all great because you need to know those things to be compliant with GDPR. You need to also make sure that the data was collected with proper consent given.

Further, users need to be able to revoke that consent. This is especially complicated when it comes to third-party data that may have changed hands multiple times before it got to you.

Want to learn more about First-Party Data? Check out our in-depth introduction here

Despite first-party data generally being the best, it is often difficult and/or expensive to gather. For this reason, many companies routinely utilize third-party data to supplement their own first-party data.

However, with the new privacy concerns, supplementing first-party data with third-party entails a lot of extra work. And many companies just aren’t willing or simply can’t do it, and are going to be relying on first-party data even more.


First-party data has always been the most important, valued, and qualified data that a company could have. It’s information that they managed to gather on their own customers and prospective customers, after all. They know the source, where it was collected, and how the data fits into their own users’ product journey, so to speak. 

For these reasons, First-Party Data has always been extremely important. 

But as the handling of bought or sold data (i.e. Third-Party Data) becomes increasingly fraught with regulation and legal concerns, businesses may just want to expand their First-Party Data gathering and utilization. 

Naturally, they still need to get consent from the user whose data is being collected. But by not using Third-Party Data they greatly simplify 


As privacy laws tighten the screws on what data is allowed to be collected, how it can be collected, who has to know, and what can be done with it, the industry is facing major changes. GDPR and now CCPA and driving digital advertising companies to put more effort into their 

Mobinner is a High-Performance Ad Network and Demand-Side Platform. Since 2017, we’ve been helping customers build brands, drive conversions, and acquire users. See how Mobinner can help you reach your goals today!

Leave a Reply

Your email address will not be published. Required fields are marked *

Share via
Copy link
Powered by Social Snap