I’m not trying to teach anyone how to suck eggs here. Perish the thought.

But let’s face it: some of you probably just smile and nod when somebody starts going on about the merits of ‘second-party data’. 

Sure, everyone knows what these terms mean in principle, but in this post I’m going to break down three key types of data – first-party, second-party and third-party – and explain what they all mean, where the different data sets come from and the pros and cons of each.


First-party data

This is the most powerful data of all, because it’s the stuff you collect directly from your customers and it’s therefore the most relevant and accurate.

Think of it like this: if I ask one of my actual customers about themselves directly, I’m likely to get a much more accurate picture of my target audience than if I bought some data that was ‘representative’ of that audience but taken from people who largely aren’t my customers at all.

Not only that, but I am the only one to own that unique data set (unless I choose to sell it), which makes it all the more valuable. 

In a recent Econsultancy report titled The Promise of First-Party Data, almost three-quarters of marketers we surveyed said first-party data provides the greatest insight into their customers. 

Of those surveyed who manage to produce strong return on investment (ROI) from data, 81% say they use first-party data regularly, compared to 77% who use second-party data regularly and only 61% for third-party. 

Q: Which categories of data does your organisation use regularly?

[Chart: types of data brands use]

The above chart illustrates not only the power of first-party data when it comes to achieving actual business results, but also the fact that those brands who’ve struggled to produce data ROI are perhaps putting too much focus on third-party over second or first-party data.  

Where it comes from

In our survey, the most frequently cited source for collecting first-party data was a brand’s website (70% for those with strong data ROI), while 63% collect it at the point of sale and 61% via email or SMS.

Q: What sources does your organisation use for collecting first-party data?

[Chart: first-party data collection sources]


Pros

  • Belongs to your brand.
  • Unique.
  • Less regulated.

Cons

  • May be limitations in terms of depth and scale.


Second-party data

This is a relatively new form of data collection, and it is essentially another company’s first-party data that is collected and sold to you by that brand.

In theory it enables brands to exchange data with each other in situations where it benefits both parties. 

One example might be a hotel chain working with an airline to mutually benefit from each other’s data sets. 

In a recent post about creativity in programmatic, TUI’s Head of Media, Sammy Austin, said of second-party data:

Being able to access another data set directly from another source is extremely valuable, and where there is no competition between brands I think these types of relationships will bring huge benefits.

Where it comes from

Most often from other brands whose data sets might complement yours and vice versa, as mentioned above, and usually under a pre-determined and defined agreement.


Pros

  • Can add depth and further meaning to existing first-party data.

Cons

  • Potential integration issues.
  • Can be limited in availability compared to first-party data.
  • Data partnerships can sometimes bring complications with them.


Third-party data

This is your bog-standard, bargain basement data. The stuff you can buy pre-collected from an external source.

If you receive an email from some company you’ve never heard of, it’s very likely your data has been sold to them. Perhaps that email is relevant to you, but compared to first and second-party data the likelihood is lower. 

Because these data sets are sold ‘off the shelf’, they are by definition not unique, which of course diminishes their value and means competitors could easily access the same insight. 

Where it comes from

This type of data can be purchased either from a company specialising in data collection or any other business that has valuable data sets. 

If you are going to use third-party data to target people, I strongly recommend you read up on the new EU data regulation laws first to avoid getting into trouble.  


Pros

  • Readily available.
  • Wide-reaching.

Cons

  • Quality can vary wildly.
  • Not unique.
  • Can be costly.
  • Higher risk of breaching data regulations.

Download The Promise of First-Party Data today for lots more insight around different types of data. 


Published 24 March, 2016 by Jack Simpson

Jack Simpson is a Writer at Econsultancy. You can follow him on Twitter or connect via LinkedIn.


Comments (2)


Steve Henderson, Compliance Officer at Communicator

No. Dangerous advice.
What you have there is:
1 - first party data
2 - third-party data which may potentially be legal if you have given the individuals who supplied their details sufficient information and choice and control over the sharing of the data and how it is used
3 - almost certainly illegal third-party data.
(above based on EU PECR and data protection laws and recent UK case law, ICO guidance and the 2014 DCMS review into cold calling which identified the data industry as being at fault, leading to a change in magistrates courts, ICO funding and UK laws to tackle the collection and trade and usage of third party data without sufficient consent)

over 2 years ago


Steve Henderson, Compliance Officer at Communicator

A few more legal details (https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf)

Indirect (third party) consent
74. We use the term ‘indirect consent’ here to cover situations where a person tells one organisation that they consent to receiving marketing from other organisations. This is also sometimes known as ‘third party consent’ or ‘third party opt-in’.

75. This will be relevant to any organisation using a bought-in marketing list. It will not have had any contact with those customers before, so they cannot have told the organisation directly that they consent to its marketing. But the list broker or other third party source might claim that the customers have consented to receiving marketing from other organisations.

76. Although there is a well-established trade in third party opt-in lists for traditional forms of marketing, organisations need to be aware that indirect consent might not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages. PECR specifically requires that the customer has notified the sender that they consent to messages from them: see the definition of consent above. On a strict interpretation, indirect consent would not meet this test – as the customer did not directly notify the sender, they notified someone else. Therefore it is best practice for an organisation to only send marketing texts and emails, or make automated calls to individuals, if it obtained consent directly from that person.


In practice:

Firms, directors and senior managers are now at higher risk of fines for breaches of advertising and data laws

As of March 12th 2015, magistrates now have the power to impose unlimited fines for breaches of key "public laws".
Previously, companies and individuals found guilty of committing an offence under the Data Protection Act in the Magistrates Court could only receive a fine of up to £5,000.
Now companies and individuals who act in senior decision-making roles (who can be shown to have been neglectful or consented to the offence) are at risk of unlimited fines.


"substantial damage or distress" thresholds scrapped, making it easier to fine companies who break the law

Coming out of the Nuisance Calls and Texts task force, the ICO now no longer have to prove substantial damage or distress in order to issue fines of up to £500,000 against telephone, text and email marketers who break the Privacy and Electronic Communications Regulations (PECR).
Previously it was only viable for the regulators to pursue the very worst offenders in the industry. Now, ordinary marketing firms must realise that fines are now a very real risk if they fail to comply with ICO guidelines, although minor breaches and technicalities will not be the ICO's focus.


6 month cap on permission for third party data

Also coming out of the Nuisance Calls and Texts task force (http://www.which.co.uk/documents/pdf/nuisance-calls-task-force-recommendations-388317.pdf), it was stated that marketers who rely on third party data must take steps to ensure that they can show that the consent was not obtained from the consumer more than six months beforehand. Firms are also told to view ICO guidance on direct marketing using third-party data and make sure they are compliant.


Third party data chain unsubscribe process

Another massive statement to come out of the Nuisance Calls and Texts task force:
When a consumer wants to opt out of all marketing, if the marketing list came from a third-party vendor, all of the companies in the “data chain” (a phrase to acknowledge that data vendors often buy, sell and swap data between each other) must be informed of and adhere to this unsubscribe request.
This has been ICO guidance for some time, but often ignored by marketers and data vendors alike. With this new focus on consumers and third-party data abuse, it should be a priority of all marketers who currently use, or are planning to obtain third party data, to ensure their vendors allow a means of unsubscribing not just from their list, but from the underlying list controlled by their vendor and the other companies in the “data chain”.


More responsibility and accountability for board members

My last point coming from the Nuisance Calls and Texts task force findings:
Businesses should treat compliance with the law on consumer consent to direct marketing as a board-level issue. The point being made here is that, on occasion it may be the decision-makers who need to be directly held to account. ICO powers are being assessed to determine whether they need additional powers to target those managers and directors (or those who act in that capacity) who deliberately choose to ignore the law.


Daily Mail exposé of the data industry used by marketing firms

If you have somehow missed this, I suggest you pause what you are doing and read this and watch the videos:
The response to this was immediate and dramatic with an ICO investigation and police involvement. This was the beginning of a complete and much-needed shake-up of the data industry and a wake-up call to those marketing companies who blithely and blindly use data which is clearly in breach of the Data Protection Act and PECR.


ICO actively hunting firms who supply personal data to the third party data industry

The ICO’s Enforcement Group have launched an operation to identify those companies supplying and using consumer data in breach of the PECR. They will be performing a “mystery shopping” exercise, which I can imagine will include signing up to those websites and firms suspected of illegally supplying the data industry with personal information.
This is the first exercise of this type I’ve seen in the UK and is clearly a result of the Nuisance Calls and Texts task force recommendations (which identified the data industry as the source of the nuisance call issue); and the Daily Mail exposé of the third party data industry (which alleges that the data industry is fuelled by data illegally collected and sold by big brand companies and websites used and trusted by consumers).

Also in direct response to the Daily Mail claims, the ICO has already launched an investigation into allegations about firms breaching PECR and sharing illegally sensitive personal data.


Competition and Markets Authority (CMA) Commercial use of Consumer Data

During the Nuisance Calls and Texts task force discussions it became clear very quickly that the cold calls and spam texts were only possible because someone was supplying these companies with data. Instead of making a rash decision the government raised a further consultation, specifically into the legitimate commercial use of consumer data. The information gathered is now being reviewed and the results and findings will be published this summer.
When an industry fails to effectively self-regulate and the government is forced to issue new regulations, that resulting regulation can be excessive, especially when fuelled by consumer opinion and coverage in the popular press.
Because of this I expect the findings and recommendations of this consultation will be much harsher as a result of the Daily Mail investigation.

To help prevent excessive or obstructive legislation I believe that industry bodies and leading organisations must come out and condemn this type of data use and marketing behaviour. If they don't then resulting legislation could be quite damaging.

over 2 years ago
