Please note, we are not a law firm. Please view this as informational, not legal advice.
As you build your own ad platform, you’ll likely debate whether to enable first-party data targeting, whereby advertisers could target specific segments (based on user data you've collected, like past actions, demographics, interests, etc.).
Such targeting drives better performance for advertisers and can differentiate your offering — and yet, many publishers shy away from it. Why?
Sometimes this is due to limited engineering resources; or not having enough traffic to justify segmentation; or having limited access to first-party data (such as any digital-out-of-home screen).
The good news is, it’s possible to incorporate first-party data targeting while complying with international laws. This article explores how exactly to do that.
First-party data refers to information that a company has collected directly about its customers or users. This data could include past user actions, demographics, and more, all tied to Personally Identifiable Information (PII) like IP address, a cookie ID, email address, and more.
LinkedIn, for example, ties a trove of data to each user — including job title, current company, college, etc. Amazon, meanwhile, knows past purchase history, and Facebook tracks what topics people interact with.
These brands monetize this data by allowing advertisers to create highly-specific segments to target. Salesforce will gladly pay premiums to target (1) anyone who is a ‘VP of Sales’ on LinkedIn and (2) those with “sales” as an interest on Facebook.
Indeed, first-party data targeting is the main reason that walled ad gardens continue to see quarter-over-quarter growth, and it’s a feature you’ll eventually need to scale and differentiate your ad product.
We won’t go into each law here (we already have breakdowns of GDPR, CCPA, PDPA, and LGPD). At a high level, these laws give citizens more control over how sites and apps use their PII. No longer does a website have free rein to track your IP address and then sell that info to a data broker; instead, it must now ask for permission before doing so.
These laws are not everywhere, but they are growing in number. Here’s a visual breakdown of what countries currently have such regulations.
[Source: Secuvy](https://secuvy.ai/2020/05/02/global-privacy-laws/)
Yes. These laws don’t ban using first-party data entirely; they ban doing so without the individual’s consent. If you tell them how you will use their data — and they consent to it — you can engage in ad personalization using first-party data.
One point of clarification is that the above refers to “opt-in” privacy laws, which are the bulk of global regulations. Some laws, on the other hand, are “opt-out”, in that you can use first-party data by default, but need to allow users a way to opt-out (such as an Opt-Out Button on your site’s footer).
This means you effectively have three buckets of global users:
In other words, should you treat everyone as #1? Asking for consent from all users simplifies the process (no need for country breakdowns) and future-proofs the system for new laws.
That said, the opposing argument is this limits your pool of first-party data (and potential revenue) without a legal requirement to do so.
Ultimately, the decision whether to prompt consent from everyone is up to you and your legal team.
Much has been written on this, such as this guide. From a technical perspective, you’ll use a consent management platform (CMP), which will be either homegrown or a third-party tool.
These consent prompts usually happen when a user registers or upon page/app load (such as the common “Accept Cookies” banner).
To date, opt-in rates are higher than one might expect, with Quantcast claiming 90% and Purch at 70%.
Fortunately, as privacy laws have existed for years, you probably have some CMP in place already. Working with your marketing/legal teams to understand where/how consent is tracked is an important first step. That said, you cannot reuse past consent for new use cases: once you launch the ad platform, you will need to prompt for ad-targeting consent, even from users who previously consented to other uses of their data.
Consent is not a blanket “yes” or “no”. You’ll need consent toggles for each data use case. As you incorporate personalized ad targeting, you’ll need to update your CMP to reflect this usage. Below is how Etsy’s CMP asks for ad personalization consent:
There is no “one-size-fits-all” approach here. Ad platforms employ different messaging based on their reading of the laws. Below is another example, this one from Google:
Your CMP should operate like this:
If you don’t collect consent already, you’ll have to implement a CMP. This will increase project scope, but third-party tools like OneTrust make it relatively simple to add one.
Your company likely has an opt-out link on your site already (such as a "Do Not Sell" button). If a user updates their CMP settings or submits a manual request, you’ll need to exclude them from future ad personalization.
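As an added illustration (not Kevel’s code or any particular CMP’s), the following Python sketch encodes the rules above: consent is tracked per purpose, consent recorded before a purpose existed does not cover it, an explicit opt-out always wins, and users with no decision on record are handled by their regime (opt-in, opt-out, or no law) unless you choose to treat everyone as opt-in. The country-to-regime map and purpose dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The three regimes the post describes: opt-in laws, opt-out laws, no law.
OPT_IN, OPT_OUT, NONE = "opt_in", "opt_out", "none"

# Constructed sample mapping; real coverage comes from your legal review.
REGIME_BY_COUNTRY = {"DE": OPT_IN, "BR": OPT_IN, "US-CA": OPT_OUT, "US-TX": NONE}

# Date each purpose was introduced (constructed). Consent recorded before a
# purpose existed cannot cover it, so old consent never carries over.
PURPOSE_INTRODUCED = {
    "analytics": datetime(2019, 1, 1, tzinfo=timezone.utc),
    "ad_personalization": datetime(2023, 6, 1, tzinfo=timezone.utc),
}

def ts(year: int, month: int, day: int) -> datetime:
    """Helper to build UTC timestamps for consent records."""
    return datetime(year, month, day, tzinfo=timezone.utc)

@dataclass
class ConsentRecord:
    purpose: str
    granted: bool          # True = consented, False = declined or opted out
    recorded_at: datetime

@dataclass
class UserConsent:
    region: str            # country or country-state code, e.g. "US-CA"
    records: list = field(default_factory=list)

def may_personalize(user: UserConsent, purpose: str = "ad_personalization",
                    treat_all_as_opt_in: bool = False) -> bool:
    """True only if personalized ad targeting is currently allowed for this user."""
    introduced = PURPOSE_INTRODUCED[purpose]
    # Keep only records for this exact purpose made after it existed, newest first.
    relevant = sorted(
        (r for r in user.records
         if r.purpose == purpose and r.recorded_at >= introduced),
        key=lambda r: r.recorded_at, reverse=True)
    if relevant:
        # The latest explicit decision wins in every regime (honors opt-outs).
        return relevant[0].granted
    if treat_all_as_opt_in:
        return False
    # No decision on record: unknown regions get the safest (opt-in) default.
    regime = REGIME_BY_COUNTRY.get(user.region, OPT_IN)
    return regime in (OPT_OUT, NONE)
```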
Yes. If you use cookies/PII in a new way, you’ll need to update your cookie and privacy policies.
For reference, here are the cookie policies of the major ad platforms: Google, Facebook, Twitter, eBay, Etsy, Spotify, Amazon, LinkedIn.
And here are their privacy policies: Google, Facebook, Twitter, eBay, Etsy, Spotify, Amazon, LinkedIn.
We recommend speaking with your legal team to understand exactly what changes are needed.
If the person provides consent to do so, then you can share their user-level data with a third party. That said, your proprietary data is valuable — why give that away? Moreover, nothing highlights your commitment to user privacy like never sharing or selling PII.
Most sites and apps employ personalization of some type, such as:
While these cases technically involve first-party data, they are not “ads” in the traditional sense (we refer to them as internal promotions). As such, is consent needed for this use case?
Many companies argue such non-ad personalization falls under “legitimate interest”, a concept in most privacy laws. The idea here is that when users expect your product to be personalized, then you don’t need consent.
A TikTok user, for example, may be upset if they repeatedly like cooking videos, but then their feed never contains any cooking content. Fortunately, TikTok does indeed track behavior and tailors content as needed.
By personalizing feeds based on past actions (aka first-party data), TikTok is delivering the tailored experience their users are expecting. This use of data, then, likely falls under the legitimate interest clause.
Compare this instead to TikTok selling that person’s mobile ID to AllRecipes, which may be interested in retargeting this home chef across the web. In no situation could one argue such data usage benefits the customer.
Ultimately, the decision whether to ask for consent for non-ad personalization falls upon you and your legal team.
Apple’s App Tracking Transparency (ATT) is a privacy protection framework that makes it easier for iOS users to protect how their data gets used by app developers.
“Tracking” here refers to linking user data with a third-party for the purpose of advertising, such as retargeting, data selling, and attribution.
If you plan on doing any of the above, you have to request opt-in consent via a prompt upon app load (see below). This ATT consent box has no relation with your CMP prompt; consent from one cannot be applied to the other.
If your ad platform neither shares nor ingests third-party data, then Apple’s documentation indicates you do not need ATT consent. This is true even if you use first-party data for ad personalization.
You will need consent, however, if you do any of the following:
An important question when building any new ad feature is, “Will this be profitable?”
With first-party data targeting, you may look at the work involved and conclude any incremental revenue is not worth the effort. This may be true, but, more likely, it has the potential to scale and differentiate your platform.
It’s possible to verify that statement, though, with less effort than you may think. Rather than launching a global test, you could first focus on a specific country without a privacy law.
By targeting just these users (based on IP address), you could easily spin up a test without implementing a CMP, allowing you to validate hypotheses like:
Here’s a breakdown of privacy laws by country to identify what location could work for you. One to look into is the United States, which has no country-wide opt-out law. That said, multiple states do have opt-out privacy laws, so you’d just want to exclude these states (or comply with them).
After this test, if you identify there is indeed a revenue potential, you could then invest the resources to build an ad platform that complies with all international privacy laws.
If you’re looking to integrate first-party data into your ad platform, we’d love to chat.
Companies around the world (such as Edmunds, Motley Fool Global, and Slickdeals) have used Kevel’s ad APIs to launch ad programs that honor consent while also monetizing their highly-valuable first-party data.
We’ll talk you through what’s allowed, what best practices are, and how to get going in just weeks.