Companies are increasingly pursuing first-party data approaches to move away from third parties that collect and process personal data on their behalf. Instead, they rely on personal data collected themselves, in particular to pursue personalized marketing activities. Naturally, this comes with a number of privacy challenges – most importantly, obtaining valid consent that meets transparency requirements.

Characteristics of a first-party data approach

Reasons for shifting toward first-party data include cost-efficiency considerations, a perceived greater independence from powerful data brokers or an expected shift to a cookieless environment.

First-party data projects typically cover the marketing and legal strategy on how to achieve the same, or greater, level of insight previously provided through third-party tools. These data projects create individual user profiles that enable personalized marketing activities. Such profiles are usually fed from a multitude of sources and may provide specific insights on a personal level. Data collection will therefore cover a variety of personal data — potentially even sensitive personal data — across different channels and platforms. This can include newsletters, websites, forms, apps, social media and online shops. Often multiple different technologies are used for user tracking and identification, like device fingerprinting, unique user IDs or single sign-on solutions.

Additional considerations may include migrating legacy data to new technologies, repurposing existing data for big data analyses or customer segmentation, as well as any number of processing activities that were not considered when the data was initially collected.

What legal basis applies?

As always, companies must identify the appropriate legal basis for the related processing activities. Given the expected depth of individual user profiles, legitimate interest will often not be viable. As the recent enforcement action against Meta by Ireland's Data Protection Commission has made clear, companies should avoid approaches where they qualify profiling and marketing to be necessary for contractual needs. Therefore, consent often remains the only reasonable option.

Legitimate interest

Legitimate interest may generally support profiling and personalized marketing activities. However, it only allows rather generic and broad profiling that, for most companies, will not provide a sufficient level of granularity.

The European Data Protection Board has long since clarified "it would be difficult for controllers to justify using legitimate interest as a lawful basis for intrusive profiling and tracking practices for marketing or advertising purposes, for example those that involve tracking individuals across multiple websites, locations, devices, services or data-brokering." This essentially echoes the view already taken under Directive 95/46/EC. It therefore seems likely any new guidance on legitimate interest by the EDPB will reiterate its predecessor’s view on "intrusive profiling and tracking practices."

Also, regulatory trends seek to reign in digital marketing activities rather than further facilitate them, as demonstrated in a European Commission study on the impact of recent developments in digital advertising on privacy, publishers and advertisers.

However, even if supervisory authorities took a less restrictive stance in this regard, legitimate interest would still not apply where special categories of personal data are processed, which could significantly alter its value in certain scenarios.

Consent

However, obtaining valid consent comes with its own challenges, mostly because of the level of transparency required for informed consent. The importance of the relationship between valid consent and transparency has been stressed on several occasions by the Article 29 Working Party, the EDPB and other supervisory authorities. In theory, companies would only have to consult the available guidance to draft consent language allowing them to pursue any number of data processing activities. In practice, any consent for complex data processing activities will likely be haggled over various times by marketing and legal teams, and eventually trimmed down to a risk-based approach.

While the result may seem unsatisfactory from both a marketing perspective and a legal perspective, it is often virtually impossible to implement all of the supervisory authorities’ transparency requirements to the letter. Even simple newsletter consents can quickly become unintelligible, long and complex if all purposes of each processing activity, every type of data collected and how the data is used were spelled out in detail. The more sophisticated the intended processing, the harder it becomes to draft a consent notice that meets transparency requirements, while still easily digestible and intelligible. Companies will have to strike a compromise between both.

Best practices to ensure compliance requirements

Since consent will often be the cornerstone for a number of processing activities in first-party data scenarios, companies are well advised not to underestimate the importance of a seamless layer of intertwining valid consents. Otherwise, they may ultimately risk the long-term success of the overall project, as any data collected without the necessary consent may have to be deleted. Any data processing based on invalid consent may be deemed unlawful.

To avoid such a situation, in an early stage companies should:

• Carry out full fact analyses to understand the business goals they seek to achieve, determine what data is necessary to achieve these goals and agree on what will be done with the data.
• Determine the appropriate legal basis for intended processing activities in light of their scope and intrusiveness from the data subject’s perspective and understand the specific requirements of the legal frameworks they are subject to.
• Ensure all relevant transparency requirements can be met and that meaningful and conclusive information is provided to data subjects in a transparent way at the right time.
• Implement sufficient technical safeguards that adequately protect data against loss and unlawful access or disclosure.
• Consider data subject rights such as access and deletion rights, and ensure consent withdrawal and opt-outs can be properly honored.
• Stay flexible and monitor supervisory authority guidance and enforcement practices to adjust individual approaches where necessary.

The shift to first-party data should not be rushed, and companies should be aware of the legal implications that come with the benefits of this approach. Ultimately, greater control of data comes with the greater responsibilities of safeguarding it and meeting applicable compliance requirements. Without a clear roadmap, robust privacy framework or data governance framework, companies risk both the success of any such project and legal exposure in an area that is increasingly becoming the target of strict privacy enforcement and regulation.