Capturing 1st Party Data

23 May 2021 » MSA

Last week, a reader left a comment in my post on Declared IDs, asking for ideas on how to capture more or better 1st party data. As the world inches towards a cookie-less web, this is a challenge I see with more customers. The problem is that not all websites are created equal.


In some verticals, there is a fundamental need for the end-user to provide personal information or log in:

  • Retail. Whenever you buy a product or a service, you have to identify yourself, to receive the purchase. Typically, the retailer needs your email address for confirmation and your home address to ship the products.
  • Banks. To do anything meaningful with a bank website, you must authenticate. I know, there is a marketing section that anybody can browse, but this tends to be a small fraction of the total users of the web services.
  • Travel. To book any flight ticket, you must provide photo identification and some personal details.
  • SaaS software vendors. Similarly to banking, users of SaaS software must authenticate to use the technology they have purchased.

In all the previous cases, getting 1st party data is almost trivial. The end-user has to provide some information to use the website. Companies in these industries are already hoarding huge amounts of data, probably more than what they can use.

However, other companies are struggling to get much data from their visitors:

  • B2B. In this case, the transaction happens usually offline. The website is just a brochure and only when the prospect is ready to talk to a sales representative, they identify themselves.
  • CPG. Most of the products you buy in supermarkets are manufactured by CPGs. However, you rarely interact with the manufacturer directly, unless it is to complain about a product. How many of you have visited the website of your favourite biscuit, chocolate, milk…? Exactly, nobody!

In these cases, the data these companies get from their website visitors is very limited. They are usually desperate to get any piece of data they can from their end customers. Marketers in this situation are those who will benefit the most from the ideas I will share in this post.

Technology solutions

With technology alone, you can still do something to increase the amount of 1st party data you can play with:

  • Hash emails. Whenever there is a form where the visitor can submit an email address, hash it and use it as a declared ID.
  • Profile merge rules (PMR). If you have Adobe Audience Manager (AAM), you can benefit from this unique functionality. In particular, you can configure the PMR to use “Last Authenticated Profile”. AAM will then remember the authenticated profile after a user logs out. Although you are not capturing additional information, you are actually extending the usage of 1st party data.
  • Match providers. You will also need AAM or another DMP to use these 3rd party data providers. I am not going to explain what they do, but, in essence, they deanonymise visitors to a certain degree, by using 3rd party cookies.

If you were expecting a magic trick to solve the issue, I am afraid I have none. Some of you may be thinking of using some obscure techniques to deanonymise a visitor, like fingerprinting. However, I do not recommend any of these techniques and I will not explain them.

Change in strategy

When I get asked the question from the beginning of this post, people want a technology solution. They would like to find a silver bullet, a solution that magically solves all the problems without disrupting the business. However, as we have seen, there is little we can do with technology only.

In this situation, we need to look one level above: business strategy. I know that nobody wants to hear that, but I see no other alternative.

I could talk for hours about Customer Experience Management, but I do not want to bore you now. In summary, you must put yourself in your customers' or leads' shoes. You must ask yourself: why would they want to give their precious, private, personal data?

If they see no benefit from doing it, they will not do it. You need to offer value for data. In other words, the website needs to offer them something that they feel is worth signing up for. Only then will they want to create an account, where you can start collecting precious 1st party data, and they will be more inclined to log in to access that unique value that you offer behind closed doors.

Some ideas of what you could do:

  • Unique content. You could offer some basic information to the general public, but more quality content only for logged-in visitors. This content could be best practices, whitepapers, tips and tricks, code…
  • Special offers. People tend to be motivated by money. If they get a better price or a superior product just by signing up, they will do it.
  • Internal access. Sometimes, individuals find it very difficult and intimidating to get access to big companies. They would be very happy if they could meet the engineers, designers, evangelists… of the products they like.
  • Community. Offer a community of like-minded people or a place where they can ask others in a similar situation. Think of something like the Adobe Experience League Community.

Obviously, to do so, you need buy-in from the management to implement any of these suggestions. They have some consequences on how the business is run. However, from my experience, this is the only way to go. The days when you could do anything on the web are long gone.

Privacy implications

I have left this topic to the end, but that does not mean that it is less important. Anything you do, either technologically or strategically, has to be legal, and great care has to be taken of the privacy implications. You do not want to be the target of privacy-concerned groups, like the EFF, because of your unethical behaviour. Or, worse, get a fine for breaching the law.

Option to log out

You should always offer the option to log out, a way to stop being identified as an individual and become anonymous.

For example, consider the following scenario. You have a submission form, where you request the email address. This is not a sign-up form. When someone submits the form, you capture the email address, hash it, store it in the browser’s LocalStorage and use it in a declared ID. Although this is technically possible, it actually means that the user is forcefully logged in with no option to log out. I do not recommend this solution. It is very creepy and, if the user finds out, you have lost him for good.

Instead, you could take one of the following approaches, much more privacy-friendly:

  • Move all submission forms and put them behind a login.
  • In B2B, capture only the domain of the email address, create a trait in AAM from it, and apply some account-based marketing based on it.
  • Do very mild personalisation based on personal data, so that the user does not feel like he is being watched.

Remember that you must always gather consent for regions where GDPR, CCPA or other similar laws govern the usage of personal data. This is becoming more the norm than the exception. In fact, I have worked with some companies that have chosen to implement the strictest consent management configuration worldwide. I found it a very good solution, as this guarantees that they are always complying with the law and that all individuals are treated equally.

It goes without saying that you must obey the users’ consent. It is not enough to just capture their permissions. Remember that, otherwise, hefty fines are waiting for you and the politicians will be very happy to increment their budget at your expense.
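The privacy-friendly handling described in this section (hash only on an explicit login, keep just the domain for B2B, honour consent, always allow logout) can be combined as follows. This is an added example, not code from the original post; SHA-256, the trim and lowercase normalisation, the storage key and every function and class name are assumptions.

```javascript
// Added example. Assumptions: SHA-256, trim + lowercase normalisation,
// the storage key and all names below are hypothetical.
const KEY = 'declared_id';

// In-memory stand-in for localStorage so the block also runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

const normaliseEmail = (email) => String(email).trim().toLowerCase();

// B2B option: keep only the domain, never the full address.
function emailDomain(email) {
  const e = normaliseEmail(email);
  const at = e.lastIndexOf('@');
  return at > 0 && at < e.length - 1 ? e.slice(at + 1) : null;
}

// Web Crypto digest; same call in browsers and recent Node.js.
async function sha256Hex(text) {
  const bytes = new TextEncoder().encode(text);
  const digest = await globalThis.crypto.subtle.digest('SHA-256', bytes);
  return [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, '0')).join('');
}

class DeclaredIdStore {
  constructor(storage = memoryStore()) { // pass window.localStorage in a browser
    this.storage = storage;
    this.consent = false; // nothing is readable or writable until consent is given
  }
  setConsent(granted) {
    this.consent = granted === true;
    if (!this.consent) this.logout(); // withdrawing consent also forgets the ID
  }
  // Call from an explicit sign-in only, not from a generic form submission.
  async login(email) {
    if (!this.consent) return null;
    const id = await sha256Hex(normaliseEmail(email));
    this.storage.setItem(KEY, id);
    return id;
  }
  current() { return this.consent ? this.storage.getItem(KEY) : null; }
  logout() { this.storage.removeItem(KEY); } // the user is anonymous again
}
```

A hashed email is still a stable identifier for one person, so it needs the same consent as the address itself.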

I would also like to comment on the suggestion I made earlier, of using PMR with “Last Authenticated Profile”. Many years ago, I suggested this feature to a German client. Their response was that it was against the law there.

In summary, you should always check with your legal department to confirm that it is OK to use personal data the way you intend to.

Final suggestions

I would like to finalise with a couple of suggestions regarding consent management and how to maximise the amount of 1st party data that you can collect.

In the first place, when requesting consent, many websites just show an overlay with the consent request form in a corner or at the bottom, while the website is still fully functional. The visitor can browse the website normally, ignoring that form. In fact, I am pretty sure many people do not even see it or do not understand it and ignore it. The consequence is that, while the visitor ignores the form, you are not collecting any behavioural data. In particular, the campaign information that can only be captured on the landing page (referrer, query string parameters…) is lost forever. Consequently, your attribution will be less accurate.

My suggestion is to use a modal overlay that covers most of the page and prevents the user from doing anything with the website. Only after the user accepts or declines the consent request does the website become usable. This solution guarantees that, if positive consent is given, this happens on the landing page and you can collect all campaign information.

In the second place, some consent management overlays offer 3 buttons: “accept all”, “decline all” or “custom configuration”. However, other overlay setups offer only 2 buttons: “accept all” or “custom configuration”. With the latter setup, visitors can still decline all, but they need to take some extra steps. Since we know that people are lazy, most will prefer to just click on “accept all” and continue browsing.


Photo by Vitaly Vlasov from Pexels
