What does Google do with your first and third party data?  

At sign-in, Google obtains end user consent for a number of uses, including advertising. Consumers’ Chrome, Youtube, and location data is collected and processed in order to target interest-based ads. Whether users meaningfully consent to each specific use, or even read the terms and conditions, is questionable. The data underpinning these processes is referred to as “first-party”, i.e., according to Google1, generated by way of a direct interaction between the user (not a party) and the service provider (the first party to interact with the user). 

Google also collects data through its business-facing relationships. For instance, Google’s software development kit, Firebase SDK, which it offers to all app developers, automatically sends user interactions on third-party apps2, including in-app browsing history, directly to Google. This would be considered third-party data because the direct exchange of data occurs between the user and the given third-party app.  

Google combines first and third-party data sets to build its own customer profiles. However, it also states that it is concerned about the practice of third-party access to data and the use of third-party cookies. Its concern is one that is loosely labelled “privacy”.  The persistent line peddled by Google and other large platforms is that first party data handling is inherently safe from a privacy perspective, in contrast to third-party data handling which carries additional risk. 

The merits of “first-party = safe”, “third-party = unsafe” 

What is the legal position?  

The ICO has stated that ‘data protection law does not inherently favour the concept of a first party over that of a third party within the meanings web standards bodies or data categorisations give to those terms’.3 

This has been followed in a joint statement CMA-ICO joint statement on competition and data protection law, which emphasised the risk of data protection law being misinterpreted by vertically integrated platforms to favours themselves over smaller, non-integrated firms. 

Data protection law applies to each company and as a law that depends on what each company does, it is for each company to determine their individual compliance. It is not the responsibility of a large platform to take on a pro bono program or charitable activity to ensure other companies comply with their own devised rules.  

The first-party/third-party division is evidently not recognised by data protection authorities or law. More critically still, the argument that does not stand up to even the most cursory logical interrogation. The idea that the processing of personal data derived from transactions between users and Google’s products is somehow inherently less privacy sensitive than de-identified information used by third parties is difficult to square. Indeed, when Bill Taylor in Ruislip books a flight to Paris on his Android phone, it is only Google who can access his email, phone number and other identity-specific information; third-party advertisers process de-identified data. Bill is now user 123456789, who might be interested in a number of ads for museum passes or hotels. If Bill was at all guarded about his privacy and had all the facts to hand, he might indeed conclude first-party data processing was more invasive than third-party processing. Both may also be useful to Bill.  

Google’s dogmatic division of third-party and first-party evidently does not accord with its own practice, but it also does not make any sense when tested against the so-called risks to privacy.  

If anyone were to be set up as a guardian of the public interest, Google lacks credentials for the job. Space limits our providing a full list of breaches but it is worth recalling that Google recently paid nearly 400 million dollars in a settlement with 40 US states for tracking location against its users’ express wishes.4  

Allowing trillion-dollar companies with dubious privacy track records to oversee compliance is not the way forward. An interoperable model based on open standards is the only way to preserve competition. And the law is the only way to implement and enforce privacy protections.  

[1] See Google definition of first party data in its Marketers’ Playbook: Marketing playbook on privacy and performance – Think with Google APAC.

[2] See the pleadings: Rodriguez v. Google (scu.edu).

[3] Information Commissioner’s Opinion: opinion-on-data-protection-and-privacy-expectations-for-online-advertising-proposals.pdf (ico.org.uk), Nov 2021.

[4] The Drum | Google’s $400m Penalty And Impact Of The 5 Heftiest Data Privacy Fines On 2023 Ad Plans.