First-party data has become the dominant talking point in digital advertising. The numbers are striking. Budgets are shifting. Strategies are being rewritten. Yet a substantial share of first-party data initiatives stall or fail to deliver expected returns - and the reason, according to a perspective published on the IAB Tech Lab website and research commissioned by Meta from Deloitte Digital in July 2023, is not the data itself. It is what sits before the data: consent.

The IAB Tech Lab piece, written by Andreea Mandeal, Chief Marketing Officer at iubenda, frames the problem plainly. According to the article, "first-party data is only usable if it is collected and governed through valid consent." That single condition determines whether data collected through websites, mobile apps, subscription flows, e-commerce transactions, and customer service interactions can actually be activated downstream - in analytics systems, advertising platforms, customer data platforms, or personalisation tooling.

What first-party data actually depends on

First-party data is generally seen as more reliable and privacy-respecting than the third-party cookie-based alternatives it is replacing. Safari and Firefox block third-party cookies by default. Apple's App Tracking Transparency has reduced mobile signal availability substantially. Privacy regulations continue expanding - from GDPR and the ePrivacy Directive in Europe to the California Privacy Rights Act and a growing list of US state laws. The landscape is not getting simpler.

But reliability is conditional. According to the IAB Tech Lab article, the value of first-party data "depends on whether it can be lawfully collected, consistently activated, and safely reused. Consent determines each of those three."

What makes this a practical infrastructure problem rather than a legal abstraction is the complexity of the systems through which first-party data moves. In a typical organisation, data flows through analytics tools, ad platforms, CDPs (customer data platforms), CRM systems, server-side tracking setups, and personalisation engines. When consent is fragmented - collected inconsistently, not passed to downstream systems, or not updated when users change their preferences - the data entering those systems cannot be safely used. Audience segments become unreliable. Attribution models lose their defensibility. Compliance risk accumulates.

The scale of what is at stake financially makes this a live concern for marketing organisations, not an abstract governance exercise. According to Deloitte research commissioned by Meta and published in July 2023, businesses that invest in tailored, data-driven experiences based on first-party data see an 18% reduction in acquisition costs, a 27% increase in conversion rate, a 20% increase in spend per customer, and a 23% increase in customer satisfaction. Those outcomes depend entirely on data being usable across systems. Fragmented consent breaks that chain at the collection point, before any activation takes place.

The IAB Tech Lab article argues that consent management has moved well beyond cookie banners and regulatory checklists. According to Mandeal, successful first-party data strategies rely on three foundational elements: "transparency around data collection and usage, centralised permission management, and easy preference updates and opt-outs." That architecture - consent as infrastructure rather than compliance - determines which cookies and identifiers can be set, when tracking begins, which vendors can receive data, and whether data can be reused across analytics, advertising, and personalisation functions.

Mandeal describes what she calls the "gatekeeper role" in first-party data collection: a control layer that sits before activation and decides whether data should exist in a given system at all. Working with marketing teams at iubenda, she writes, the pattern is consistent: "the consent layer matures first, the activation tooling matures on top. Reverse the order and the whole stack inherits the fragility."

In technical terms, this means blocking cookies, pixels, and SDKs until valid consent is confirmed. It means applying region-specific rules across GDPR, the ePrivacy Directive, the California Privacy Rights Act, and equivalent regulations. It means passing consent signals to downstream systems through machine-readable frameworks - specifically IAB Europe's Transparency and Consent Framework (TCF) and IAB Tech Lab's Global Privacy Platform (GPP) - and maintaining an auditable record of user choices.

Those frameworks matter precisely because they are machine-readable and interoperable. The GPP was developed by IAB Tech Lab to provide a standardised transport layer for consent and preference signals across the digital supply chain, covering both European users through the TCF and US users through state-specific national strings. TCF v2.3, whose technical specifications were opened for public comment in April 2025, adds a mandatory disclosed vendors segment to every TC string, addressing a persistent ambiguity in how vendors were disclosed to users under earlier versions. Google mandated the transition to TCF v2.3 by March 1, 2026; publishers who failed that deadline now face ad requests defaulting to limited ads or being dropped entirely.

The Deloitte research published in July 2023 provides specific numbers on why measurement quality is tied to data quality at collection. According to that research, measurement front-runners are 44% more likely to beat revenue goals. Customers are 69% more likely to purchase from a brand that provides a personalised, frictionless experience throughout their purchase journey. Advanced use cases - server-side tracking, marketing mix modelling, personalisation at scale - all rely on deterministic, high-quality first-party data. Deterministic means confirmed identity matches. That confirmation requires valid consent at the point of collection.

The IAB Tech Lab article is direct about the cost of fixing this problem after the fact: "Fixing consent issues later, once data has entered analytics systems or advertising platforms, is expensive and often incomplete." When consent is enforced upstream, according to Mandeal, "analytics data is cleaner, audiences are more stable, attribution models are more defensible, and personalisation aligns with user expectations."

This is not a minor operational point. The Deloitte maturity model, developed through interviews with marketing leaders across verticals, shows that the most mature organisations - those classified as "best-in-class" - have centralised permissions and aligned privacy, marketing, and technical teams. At the nascent end of the curve, data is collected and stored in silos, with no knowledge sharing between privacy and marketing teams. The gap between those two states is not primarily a technology gap. It is a governance gap, and consent management sits at its centre.

The Deloitte maturity curve in practice

According to the July 2023 Deloitte Digital report, commissioned by Meta, 82% of marketing leaders are already prioritising first-party data to create immediate value for customers. That figure says something important about where the industry is directionally. It does not say that all of those organisations have the consent infrastructure to make their data usable. The maturity model describes four stages: nascentemergingoptimised, and best-in-class.

Nascent organisations have low awareness of first-party data strategy and limited actions underway. Emerging organisations are beginning to build strategy around business cases while educating internal teams. Optimised organisations have cross-functional collaboration across marketing, IT, privacy, and agency partners in place. Best-in-class organisations have established first-party data strategy across all ad platforms, with omnichannel coordination, clear ownership in operational processes, and server-to-server connections established by key teams for data collection.

That last stage - server-to-server connections - is where consent management becomes most technically complex. Server-side tracking, specifically through tools like Meta's Conversions API, moves event data directly from the advertiser's server to the platform's server, bypassing browser-level restrictions. But it also bypasses browser-level consent signals. According to a recent ruling from the Dresden Higher Regional Court, confirmed on April 13, 2026, Meta's Business Tools - including the Conversions API and Meta Pixel - violated GDPR when operated without a valid legal basis for data processing. The court awarded €1,500 in non-material damages to the plaintiff under Article 82 GDPR. The ruling explicitly found that even when users refuse cookies on third-party sites, data transmission to Meta can still occur through the Conversions API because the API operates server-side and is technically invisible to the user.

That ruling is not a reason to avoid server-side tracking. It is a reason to ensure that the consent infrastructure supporting server-side tracking is correctly implemented. The Conversions API, as the Deloitte report describes it, remains foundational to first-party data activation on Meta: it creates a direct connection between marketing data - web, app, and offline events - and the platform's machine learning systems. The data quality improvement from using Conversions API alongside the Meta Pixel is substantial. According to Meta's own testing data, advertisers that set up the Conversions API together with the Pixel experienced, on average, a 13% decrease in cost per result. The incremental value from improving Event Match Quality scores is similarly significant: an external meta-analysis referenced in the Deloitte playbook found that increasing EMQ score from 5.0 to 7.0 resulted in a 33% share of incremental purchase events and an 82% share of incremental subscribe events.

The Deloitte research identifies three key areas for first-party data strategy: ad targetingpersonalisation, and measurement and optimisation. Each has specific use cases, and each depends on consent in different ways.

For ad targeting, the Deloitte report highlights audience exclusions, deterministic customer segmentation, and model-based targeting as the three primary use cases. Brands that get ad targeting right with first-party data, according to the research, have seen 8x the return on investment on marketing spend and lift sales by 10% or more. Deterministic customer segmentation - targeting audiences based on known behaviours and past purchases - requires sharing hashed personally identifiable information with advertising platforms. That sharing requires valid consent and a lawful basis under applicable regulations.

For personalisation, the research is equally specific. First-party data powers dynamic creative optimisation, omnichannel personalisation, and custom product recommendations. The 69% personalisation purchase likelihood figure cited in the report comes from Martech Series research. Two in five customers say they have purchased more from a brand as a direct result of personalisation. Loyalty programs are described as a particularly effective mechanism for building first-party data repositories for personalisation - partly because they create an explicit value exchange that supports a clearer consent basis.

For measurement and optimisation, the use cases include server-to-server connections, granular marketing mix modelling, and cloud environments for data collaboration. An Accenture paper cited in the Deloitte playbook found that additional granularity and AI/ML in marketing mix modelling was able to reveal a 14% to 38% increase in revenue and ROI impact across a subset of Meta advertisers and verticals. Granular marketing mix modelling requires first-party transactional data combined with media spend and external factors. The accuracy of that modelling depends directly on the completeness and reliability of the first-party data feeding it.

IAB Tech Lab has been building standardised protocols for the consent and identity layer underlying all three of these functions. The PAIR protocol, launched in September 2024 and updated to version 1.1 in July 2025, enables advertisers and publishers to match first-party audiences using commutative encryption - allowing secure audience reconciliation without exposing personal information. Version 1.1 introduced the Open PAIR prebid module and clearer technical definitions, specifically addressing implementation confusion from the original release. Publishers participating in PAIR must maintain legally required consent for submitted personal information and ensure prompt data refreshing when individuals exercise privacy rights.

The IAB Tech Lab Accountability Platform, finalised in November 2024, addresses a different layer of the same problem: verifying that privacy preference signals - GPP strings and TCF strings - are accurately transmitted throughout the digital supply chain. Rowena Lam, Sr Director of Privacy and Data at IAB Tech Lab, described the platform as focused on "ensuring the accurate transmission of user preference signals, such as the Global Privacy Platform (GPP) string and Transparency and Consent Framework (TCF) string, throughout the digital supply chain." That monitoring function matters because consent signals that are collected but not passed downstream accurately produce the same outcome as no consent signal at all.

The industry context: signal loss and the limits of workarounds

The broader industry backdrop for this discussion is well-documented. Apple's App Tracking Transparency framework, which began rolling out in 2021, reduced the availability of mobile advertising identifiers substantially. Safari and Firefox block third-party cookies by default. Google's own progress on cookie deprecation has been slower than originally planned, but the direction has not changed. Privacy regulations continue expanding at both national and state levels.

Signal loss has direct performance consequences. The Deloitte report acknowledges that the evolving ecosystem means "there is less granular data available, making it more difficult to have a complete picture of the customer journey." That is precisely what makes first-party data collection - and, by extension, the consent infrastructure supporting it - strategically important rather than merely operationally necessary.

IAB Tech Lab's ID-Less Solutions guidance, published in final form in July 2025, addresses advertising approaches that do not rely on traditional user identifiers. The guidance notes that US publishers face potential losses of $10 billion due to reduced personalisation capabilities and challenges activating authenticated audiences. Solutions based on first-party cohort data and on-device processing represent one path forward - but they still require first-party data, which still requires consent.

The La Redoute case study included in the Deloitte playbook illustrates the long-term returns from a well-constructed first-party data and CRM strategy. The France-based apparel and furniture company partnered with Meta in 2018 and developed a retargeting strategy for Facebook and Instagram using CRM data. According to Amelie Poisson, CMO at La Redoute: "Over the years, Facebook became one of La Redoute's main media partners with regards to developing a winning CRM strategy, gaining a larger share in our media mix. We've managed together to increase FB contribution in customer retention and acquisition strategies, while reducing overall costs." The company saw a 21% decrease in cost per acquisition between 2018 and 2019, followed by an additional 17% decrease in H1 2020 compared to 2019.

What this means for the marketing community

The argument being made by IAB Tech Lab and supported by the Deloitte research is, at its core, an infrastructure argument. Consent is not the end goal of a first-party data strategy. It is the prerequisite. An organisation that collects large volumes of first-party data but manages consent poorly will find that data becoming progressively less usable - not all at once, but through gradual erosion of audience completeness, measurement defensibility, and compliance confidence.

The ECAPI 1.0 specification, finalised by IAB Tech Lab on May 3, 2026, creates a standardised server-to-server API for transmitting marketing events from advertisers to advertising platforms. The specification, backed by Meta, Google, Walmart, TikTok, Roku, NBCUniversal, and others, addresses the fragmentation problem that has made server-side tracking operationally complex for many advertisers. Two-thirds of advertisers improved return on ad spend after implementing conversion APIs, according to IAB Tech Lab research cited in connection with the specification. But ECAPI standardises the transmission of data. It does not standardise the consent basis under which that data is collected. That remains the responsibility of each organisation's consent management infrastructure.

Deloitte's first-party data research identifies a clear action sequence for organisations at any maturity level: establish a robust permissions foundation and legal basis for data collection, sharing, and use; centralise customer data via a customer data platform; establish server-to-server connections for resilient conversion data collection; and pilot cloud environments for data collaboration. The permissions foundation comes first. Not because it is the most technically complex step - it often is not - but because every subsequent step inherits whatever quality or fragility exists at that layer.

Timeline

Summary

Who: The IAB Tech Lab, iubenda (through CMO Andreea Mandeal), Deloitte Digital, and Meta are the principal organisations behind the research and position pieces examined in this article. The findings are addressed to marketing leaders, advertising technology teams, and privacy practitioners across the digital advertising industry.

What: A position piece published on the IAB Tech Lab website argues that consent management is the foundational infrastructure layer for first-party data strategies, not a downstream compliance function. The argument is supported by Deloitte Digital research commissioned by Meta in July 2023 showing measurable performance outcomes - including 27% conversion rate increases and 18% acquisition cost reductions - depend on data being usable across systems, which requires valid consent at the point of collection. The IAB Tech Lab's own technical standards work, including TCF, GPP, PAIR, and the Accountability Platform, represents the industry's effort to build the interoperable consent signal infrastructure that makes this possible at scale.

When: The Deloitte Digital research was published in July 2023. The IAB Tech Lab article by Mandeal appears on the IAB Tech Lab website in 2026. The regulatory and standards developments cited span from 2017 to May 2026.

Where: The IAB Tech Lab article is published on the IAB Tech Lab website. The Deloitte research was commissioned by Meta and published on Meta for Business. The regulatory enforcement referenced occurred in German courts. The technical standards are maintained by IAB Tech Lab and IAB Europe as open specifications available globally.

Why: The shift away from third-party cookies, combined with mobile signal loss from App Tracking Transparency and expanding privacy regulation in both Europe and the United States, has made first-party data the primary available signal for digital advertising targeting and measurement. The performance gap between organisations that manage consent well and those that do not is widening: the consent layer determines not only compliance risk but also the completeness and usability of the data feeding every downstream advertising function.

Share this article
The link has been copied!