Contrary To Popular Belief, There Are Restrictions On First-Party Data

garykibel"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Gary Kibel, a partner in the digital media, technology and privacy practice group at Davis & Gilbert.

Companies often proclaim that they “own” certain data because they are the first party that initially collected it, therefore giving them broad rights to use and exploit such data. The intuitive reaction is that it is much easier to use and exploit first-party data than third-party data, which has been licensed from another party and is subject to restrictions under that license.

However, the preoccupation with “owned vs. licensed” and “first-party vs. third-party” data is sometimes misplaced. The focus should instead be on the actual rights and restrictions that attach to all data sets and the permissible uses of the data in compliance with those rights and restrictions.

First-party data may not be as easy to use as believed.

Follow The Code

Much like a person, when data is first generated, it is born with certain attributes – a genetic code, if you will. These attributes attach to the data and follow it throughout its life. These attributes are created through the privacy policies, statements and other disclosures that were made at the time the data was initially generated. Once data has been collected under a set of disclosures, it must strictly live by those disclosures. The data cannot be used differently, unless a new set of disclosures are made in a legally compliant manner. Therefore, disclosing narrow uses results in limited use cases for the data.

However, overly broad disclosures can be vague and potentially run afoul of applicable law. Whether the data is in the possession of the original data owner or subsequent licensees, all uses must be consistent with those initial disclosures. So a first party must look into the future and ensure that its first bite at the apple includes all disclosures necessary for their current and future business needs. A third party receiving the data must query the first party to ensure that its intended uses of the data are permissible under those initial disclosures.

As a result, with poor initial disclosures, it is entirely possible that a first party may not be entitled to use its own data as desired. For example, if a first party wanted to use its own data with a matching service, such as Facebook Custom Audiences, it should not automatically assume that it can do so simply because it owns the data. The data owner needs to consider the rights that attached to such data when it was first collected. If the disclosures did not permit sharing personal information with third parties for matching purposes, then the fact that the data is first-party data and is owned by a party will do no good. The party can’t use its own data as it chooses because the data’s attributes omit such rights.

Old Data, New Services

As new services come to market and provide data owners with additional ways to exploit old data, the data owner or licensee must go back to the initial disclosures to determine if the old data can be used with the new services in a manner consistent with those past disclosures.

Data owners and licensees should carefully categorize their own first-party and licensed third-party data to ensure that they are always aware of the applicable attributes and the limitations on use. There should be a data audit trail to support any rights that accompany first-party data. And third parties should ask more questions.

Keep in mind that when it comes to data, ownership is not a blank check that entitles a party to use, disclose, share and otherwise exploit it for any purpose. One must always look back at the data’s genetic code.

Follow Gary Kibel (@GaryKibel_law), Davis & Gilbert LLP (@dglaw) and AdExchanger (@adexchanger) on Twitter.

 

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>