The Value of First-Party Compliance

To meet GDPR and CCPA regulations, more enterprise organizations are turning to first-party compliance. Our VP of Engineering discusses why.


One of our core tenets is creating a customer data ecosystem that collects all data in a first-party context. There are several key ways organizations benefit from this, but we sat down with Michael Yeager, our VP of Engineering, to talk about how that impacts compliance.

Why is first-party compliance control a growing concern for companies?

The trend, from a user perspective, is for organizations to be more transparent about managing this data. It goes back to GDPR getting passed in 2016. On the heels of that came CCPA. In general, there’s a thoughtfulness behind these and incoming laws. They all kind of have a different flavor with their constraints, but they focus on two things: (1) giving people a full understanding about where their data is going and (2) the user’s right to that transparency.

So it’s more important than ever not to let your customer data get into the wrong hands, but it’s also more difficult than ever. The average enterprise marketing team uses 120 third-party martech tools, which means your users’ information might be disseminated to—even collected by—more than 100 third parties.

It’s not necessarily that these third parties are doing anything nefarious, but if one of them allows data to fall into the wrong hands, the responsibility ultimately lies with the first-party organization.

There’s a research project from the University of Washington that provides a comprehensive analysis of third-party tracking from 1996 to 2016. In it, they show a person's entire day being tracked using ad tech tools—and the researchers identified exactly where the person was at all times. The tools examined weren’t built for geolocation purposes, but it's the byproduct of having a really rich data set. The ecosystem of third-party data—and our ability to leverage it—has only grown since the study was released.

This trend makes it critical for companies to maintain control of their data, which can only happen if they have full governance.

How are regulations like GDPR and CCPA impacting the way organizations handle data? 

Consumer privacy laws attempt to ensure data privacy. That’s why you always hear the term security and compliance hand in hand: they need to be thought of in that same light. It's not just about transparency to the users; it’s about an organization’s responsibility to protect the data from getting into the wrong hands.

GDPR has been very proactive about lawsuits and suing companies that are not abiding.

CCPA hasn’t yet, but that will likely change in the near future, especially for enterprises. The bigger the yard, the larger the target. 

Many companies are beginning to look at protecting data from a risk mitigation standpoint. Making sure you have a transparent and auditable way to track how data is going through your system and where/how it's being delivered to a third party is going to be critical over the next few years.

What is the benefit of owning data in a first-party context?

First and foremost, compliance actually fits in with identity because you have to be compliant even if you don't know who a user is. If you have logged-in users, you can administer compliance almost at your account level. It’s easy to say, “This user is using our platform” and then, within a database, configure how you want to share their data. I think we'll start to see more and more database-level compliance moduling. 

But how do you address the anonymous side of things? How do you track when someone just comes and lands on your website? How do you address anonymous browsing behavior, and then eventually tie that to the same user when it becomes a logged-in session? What if they clear their cookies? 

When we were building our platform, the biggest concern we had to solve for was anonymous browsing. That was where the immediate pain point was.

There are a couple of worlds to compliance. The first is when somebody wants to opt-out. That's easy, because you just opt them out and, in our completely server-side ecosystem, you really can protect them from any third-party access. That's what we solve for. 

The other world is when someone says, “I'm opting out, and, by the way, I request that you go back and you delete everything you've sent to all the other clients.” GDPR, for example, specifies that a user can go in and say, "Hey, anything you've ever sent to Facebook, on behalf of me as an anonymous user? I would like you to remove that and purge it from your system." 

That's still fuzzy and still evolving. One thing that's really powerful about MetaRouter is we don't actually collect anything in-house. Everything that gets passed through us just dies. 

Are there any benefits to first-party compliance beyond risk mitigation?  

It’s actually a lot more valuable than that. Because we are essentially the filter of first-party data into the third-party ecosystem, we can also offer fine-grained control that gives enterprises some freedom while still protecting users. 

Let's say you have an S3 bucket that you save all your events to—and you have some sort of internal analytics team that uses that data to help drive product decisions. Technically, CCPA and GDPR rules don't apply to internal data. If you're never shipping it out to anyone, you can still collect that data.

A lot of the instrumentation we built is all about the idea that there may be times where you still want to power the data science team and so you'll create this internal ecosystem with a data warehouse or data lake that teams can go pull data from and make their decisions. Compliance isn’t jeopardized because it all stays internal. And the users’ data stays secure and accounted for. 

MetaRouter is built on the belief that first-party compliance is not only better for users, but also better for business. 

Photo by Johannes Plenio on Unsplash