Note: This was originally posted on the Center for Democracy & Technology blog.
There’s a lot of talk in the online privacy world about first parties and third parties. Generally speaking, when you surf to abc.com, that site is considered to be a first party during the time that you’re on the site. If abc.com contains ads, content, scripts, or other stuff being delivered by xyz.com, then xyz.com is considered a third party.
The distinction matters because privacy norms and rules usually apply differently for first parties than for third parties. Consumers are likely to have relationships with first parties, or at the very least they know that when they visit abc.com, they’re interacting with abc.com. That’s not always so clear for third parties – consumers may have no idea which third parties are active on a particular site. Because of this difference, first parties don’t always have the same privacy obligations as third parties. For example, the guidelines for behavioral advertising self-regulation that the FTC put out earlier this year apply only to third-party behavioral advertising, not to first parties doing the same thing.
But given market dynamics on the Internet these days, it’s quite possible that a single company may own or control lots of Web sites. We now have no shortage of media and digital business conglomerates: through acquisition or diversification, a single company comes to own a whole variety of web properties that, to consumers at least, show no signs of being related. Should a collection of Web sites owned by a single company all be considered a single first party, such that data collected on one site can be used on another site without either site being considered a third party? This would obviously be advantageous for companies that own lots of affiliated sites, because they could share data between the sites without needing to meet the higher privacy standards usually thrust upon third parties.
A group of researchers at UC-Berkeley’s School of Information took an in-depth look at corporate structures and produced a useful visualization of just how large these conglomerates can get. With some companies having thousands of subsidiaries, it’s hard to imagine that a consumer would understand them all to be a single entity for data collection purposes. The visualization is not limited to online companies, but many of the biggest conglomerates featured own some of the most popular sites on the Web.
CDT discussed this issue to some extent in developing the Threshold Analysis, a tool for advertising businesses to help calibrate their privacy practices. We ended up with three categories of companies: first party, third party, and "other site/application whose data collection and use for ad targeting is in some way controlled by the first party." But because the Threshold Analysis is an assessment tool, we didn’t draw firm distinctions about where conglomerate companies fall within those three options. The Berkeley researchers produced a number of other interesting findings, all available on the KnowPrivacy web site. We’ll be highlighting a few others over the next couple of weeks.