Unlocking the Customer with Third-Party Data - What Do You Need to Consider?
13 Sep 2021
When we talk about data, we tend to go to binary 1s and 0s, but in fact, the data we hold on to customers is a representation of their story. By using your own first-party transactional data, you can understand buying patterns and behaviours, create contact strategies to head off lapsing, upselling or just encouraging engagement with you.
However, it’s also often helpful to see beyond the ‘transaction’ by using third-party data – e.g., where else they shop, their household composition and income, reading habits, online behaviours, social media interactions, hobbies, and geographic descriptions to name a few. Adding this richness to what you already know unlocks a whole host of uses beyond your brand’s owned boundary walls.
How do we define third-party data in relation to the other “parties”?
- Zero-party: data the customer freely gives you (e.g., Survey responses)
- First-party: Data businesses collect as a by-product of doing business with you (transactions, products purchases)
- Second-party: Data shared between organisations in order to provide a service (think airports and airport parking)
- Third-party: Data purchased through an independent company – be that new individuals or new information about individuals you already hold
Why would you want it?
- Add flavour, depth and enhance your own first-party data, or just fill some gaps
- Give greater context to why your customers are behaving in certain ways e.g., life events, reactions to market events
- Use to understand your existing customer characteristics and then find more like them in audiences you don’t necessarily know
- Inject efficiency to your campaigns – no point throwing ad spend at audiences that have no relation to the sort of people that buy your products
- Improve acquisition targeting through the use of bought lists
- Enhance any segmentation that you may have to support more personalised communications
- For smaller businesses that don’t have their own first-party data, having a description of their audience allows them to grow
- Finally, and most importantly, this knowledge makes your messaging relevant to the individual you’re talking to if used appropriately, and surely that’s a good thing
Why do consumers worry about businesses using third-party data?
The worry is not necessarily about what you’ve got, it’s about what you do with it, and also, where you got it from. Do you have the right to have this knowledge, would the customer reasonably expect you to have it, and is the collection of the data transparent?
No consumer wants to be chased around the internet by brands overtly showing intimate knowledge of their browsing history. But they also don’t want to be bombarded with entirely irrelevant products. It’s worth noting that third-party data is as often as not used to suppress marketing activity from those for whom it would not be relevant as it is to target those for whom it would.
In addition, it is important to say that not all third-party data is personal. It can be at a broader geographic level that gives you clues about an individual rather than professing to be an actual fact. In that way you don’t need to use data explicitly, you can be subtle – sizes and type of houses, access to certain services, sector-level browsing, proximity to high streets or transport, all of these things give clues to your target market in a way that allows you to gain helpful, but not intrusive knowledge, be that at a personal or a business level – and they are all third-party data.
N.B. When non-Personal Data is combined with existing Personal Data all the information becomes Personal Data.
Where do companies selling it get it from and what do they do with it?
- From public data sets, e.g., the edited version of the Electoral Register (EER), ONS geographical stats, open-source govt lists
- direct from consumers, particularly for marketing purposes, often referred to as "lifestyle lists/surveys", “prospect files” or “lead generation lists”
- from subscription files from publishers (names and addresses of subscribers to various publications, publisher sites, and money saving / offer websites.)
- from pooled databases of consumer names and addresses (e.g., a data cooperative where a group of companies share the names and addresses of their customers with appropriate permissions, such as a mail order cooperative)
The Marketing services companies then combine these sources, across different channels, to generate new insights. They both do that within the third-party data itself, but very often in combination with the client’s data in order to generate insights bespoke to that client’s customer base.
This allows them to create target audiences, i.e. segments of customers within the database that show similar characteristics or likelihood to buy the same products. It’s these types of audiences that are uploaded into the social media channels to find target audience look-a-likes. Social media channels rarely allow their data to be purchased and appended to your base, so businesses use their own data together with third-party data available to identify the target audience, and then upload those target audiences into the social media platform for them to identify lookalike audiences.
Myths and misconceptions surrounding third-party data
Can I buy and use third-party data for marketing purposes under the GDPR?
Yes. GDPR does not prevent third-party data use for marketing. It just insists on transparency and accountability on the part of the businesses collecting and using the data. Their customers must understand what is happening to their personal data.
Businesses must communicate that to their customers, include it in their privacy policies, and have their own legal basis for processing. This is as true of third-party data providers as it is of client organisations, so check they have them in place. Be sure they can demonstrate due diligence on their own data suppliers and that they have undertaken the Article 14 – or customer notification – obligations. I.e. they’ve made it clear to the customer how their data is being used.
Find more detailed guidance on using third-party data under GDPR here.
Is consent the only lawful basis on which I can use this data?
No. Under GDPR there are 6 lawful bases for using personal data and they hold equal legal weight. The most commonly used purposes for marketing are Legitimate Interest and Consent.
How to choose which? If you can’t demonstrate that the customer has real choice and control over how their data is being used you will not be able to use consent, so explore Legitimate Interest.
Don’t forget your PECR obligations though – for e-marketing you are likely to require consent for marketing calls, email messages, website cookies, installing apps unless you have an exemption under PECR.
(See Elizabeth Denham (ICO) blog “Consent is not the silver bullet for GDPR compliance” August 2017 for further detail.)
Can Legitimate interests (LI) be used as the basis when using third-party personal data for marketing purposes?
Yes. Recital 47 specifically calls out “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
However, take it seriously, LI is not a tick box exercise. It is important to balance the fundamental rights, as one doesn’t outweigh the other. Make sure the third-party data you are using is considered properly in a Legitimate Interest Assessment (LIA) – read and properly consider the guidance in this area before undertaking the 3 elements
- You really do have a legitimate reason to use it
- There are no alternative means of achieving the same goal
- The customers’ rights, interests and freedoms have been properly considered
Find more detailed guidance in the DMA GDPR guidance: Consent and Legitimate Interests.
Does the GDPR make it hard to use third-party data for profiling, segmentation, and enrichment for marketing purposes?
No. GDPR does not ban profiling, segmentation, or enrichment – it focuses on the outcome, not the processing itself. You can use LI as a basis for profiling using third-party data – article 22 makes it clear that explicit consent is only required for automated purposes, and where there is a significant impact on the individual.
So be able to demonstrate that you are not automating your processes and that you are not having a significant impact on the individual. And include this use in your privacy notifications.
To summarise what should we all be focusing on when looking to use third-party data?
From a legal perspective, transparency, confirmation that customer has been informed how their data is being used, that the legitimacy of the use has been adequately stress-tested, that onward use by other parties has been properly considered.
And in fact, that’s not just from a legal perspective, if you want an individual to buy from you it’s a wise idea not to upset them by ensuring what you know about them is reasonable to know, accurate, recent, non-intrusive and fairly captured. They will notice if it’s not before you do.
If you would like to get involved in the discussion or have a question for the council, please get in touch at email@example.com.