In the first edition of the Samhub Signal, I unpacked what News Corp Australia told the INMA World Congress about the three things publishers need to do to survive the next decade. 

The first of those three was building a complete first-party data stack, and the more I have rolled that thought around in my head since Berlin, the more convinced I am that it deserves a deep dive of its own.

So this second edition is about exactly that: the importance of first-party data for publishers. 

Not just as a buzzword. Not as a compliance project. 

But as the only durable foundation a media organisation has to stand on once third-party cookies, mobile identifiers, and frictionless cross-site tracking are gone.

There is a number from INMA that I cannot stop thinking about. 

Google itself has predicted a potential 52% decrease in advertising revenue for publishers once third-party cookies are fully removed from Chrome. 

Let that sink in. Half of your programmatic revenue is sitting on a timer that the platforms control.

If that does not move first-party data from “interesting project” to “boardroom priority,” nothing probably will.

In this article I want to focus on the three strategic aspects of first-party data that I believe matter most for publishers and media right now:

1. First-party data is your revenue moat, the only thing that protects you from platform dependency.

2. Consent and identification are the engine, and they need to be designed as infrastructure, not as a banner.

3. Alliances and interoperability are how you scale, because owning your own data is necessary, but not sufficient.

Let’s get into it.

1. First-party data is your revenue moat

The temptation, when discussing first-party data, is to talk about it in technical terms, CDPs, DMPs, identity graphs, schema, taxonomies. That is the how. 

The why is much simpler, and much more uncomfortable: without first-party data, a publisher is selling someone else’s audience through someone else’s pipes, on someone else’s terms.

For two decades that worked, because the open web behaved like a single addressable market. A media buyer could buy a 35-year-old SUV intender on a fashion magazine and assume the cookie would follow. The publisher was, in effect, a passive landlord of someone else’s targeting infrastructure.

That world is ending. INMA’s reporting on the topic is blunt about it: the shift to first-party data is “not merely a technical change but a fundamental business necessity.” Three threads run through their analysis, and they all point in the same direction.

Revenue protection. As mentioned above, Google’s own modelling points to a potential 52% drop in ad revenue when third-party cookies are gone. INMA’s framing is that first-party data is how publishers “reclaim their audience” and protect the revenue line.

Proprietary audience building. A first-party stack lets publishers position themselves as the most effective route for advertisers to reach specific demographics. 

INMA describes this as moving the media house away from a reliance on the “third-party empire” and toward high-resolution, first-party audience segments. In plain language: you stop being a landlord and start being a destination.

Marketing attribution. This is the part that I think is most underestimated. In a post-cookie world, attribution flows through the parties who actually own the data, and that has to include the publisher. 

INMA’s view is that future marketing attribution will require publishers to analyse their own data to prove value to advertisers, rather than leaning on external programmatic tracking. If you cannot prove your audience moved the needle, the budget will find someone who can.

The managing director of News Corp put this very cleanly at INMA in Berlin: in a sophisticated advertising market, there is zero market for non-targeted ads. If publishers do not have a mapped, addressable audience, media buyers will simply not come to them.

That is the moat. First-party data is what stops you from being a commodity supplier of impressions to an open exchange. It is the asset that gives you pricing power, that gives sales teams something proprietary to pitch, and that gives editors a reason to fight for registration as much as for traffic.

Here in Sweden and the wider EU, GDPR makes the path harder than it is in Australia or the US, but the destination is the same. 

The publishers who treat this as an existential question are already pulling away from the ones who treat it as an IT project.

2. Consent and identification are the engine, design them as infrastructure

If first-party data is the moat, identification and consent are the engine that fills it. And this is where most publishers I talk to are over-investing in tools and under-investing in design.

Let me unpack that in two parts.

Identification, and the value exchange that earns it

INMA’s research on subscription and registration leaders is consistent on one point: identification is a growth driver, not just a data-collection exercise. Knowing who your readers are improves addressability, deepens audience knowledge, and starts a flywheel, better products, more revenue, higher levels of audience advocacy.

But identification is not free. Readers do not log in because publishers want them to. I saw it first-hand when I managed 5 different news sites as a webmaster in the early 2000’s, nobody logged in because the value to do so was too low.

Users log in because they get something they value in return. INMA’s phrasing for this is the value exchange, and the best subscription publishers have been very disciplined about it:

- The content is the currency. High-quality journalism is the primary driver of log-ins. If users perceive the content as valuable, they are more likely to register and share their data. If your journalism cannot stand up on its own, no clever registration wall will save you.

- The flow must be frictionless. INMA’s data on top subscription leaders shows that most collect an e-mail address up front and delay asking for more intrusive details, gender, location, household composition, until later in the user journey. The point is to make the first identification step feel weightless, and then earn the right to ask for more.

- Identification is staged, not binary. A user who hands over an email is more valuable than an anonymous cookie. A user who hands over a postcode is more valuable than just an email. A logged-in, segmented subscriber is the most valuable of all. Each step has to be designed, instrumented, and earned.

This is also why I keep telling publishers in markets like ours that you cannot wait for a perfect login wall before starting. 

Most EU publishers will never reach the logged-in share of a paywalled US national broadsheet. That is fine. 

What you need is a stack that combines logged-in identity (CDP) with high-quality anonymous signals (DMP) so that you can address the long tail of your audience as well as the registered core, and build out user identity with any signal you can get.

Consent, the layer that makes everything else legal and operational

Here is where the IAB Tech Lab’s perspective dovetails neatly with the INMA strategic view. In their recent member perspective “First-party Data Begins with Consent”, iubenda’s Andreea Mandeal makes a point that I think the publisher industry has consistently underrated: consent is not a legal formality bolted on at the end of the funnel, it is the data infrastructure.

A few statistics from that piece are worth marking, because they reframe consent as a revenue lever rather than a cost centre. 

Citing Deloitte Digital, the article reports that 82% of marketing leaders are prioritising first-party data, and that businesses investing in tailored, data-driven experiences see roughly an 18% reduction in acquisition costs, a 27% increase in conversion rate, a 20% increase in spend per customer, and a 23% increase in customer satisfaction. Those numbers are not free. They require data that is “valid at the moment of collection”, and that is what a working consent layer delivers.

The IAB Tech Lab framing is that successful first-party data strategies rely on three things working together:

- Transparency around what is collected and why
- Centralised permission management
- Easy preference updates and opt-outs

This really aligns with how I think about privacy and publishers' role in our society. I believe transparency and being able to explain what is done and why in layman terms is key to win and sustain trust in an era colored by distrust.

Operationally, that means consent decides which cookies and identifiers can be set, when tracking begins, which vendors can receive data, and whether data can be reused for analytics, advertising, or personalisation. 

As iubenda puts it in the same article, “the consent layer matures first, the activation tooling matures on top. Reverse the order and the whole stack inherits the fragility.”

This is also why the IAB’s standards matter so much. IAB Europe’s Transparency and Consent Framework (TCF) and IAB Tech Lab’s Global Privacy Platform (GPP) exist precisely so that a user’s consent signal can travel across the supply chain in a machine-readable, region-appropriate way. 

For publishers, that translates to fewer broken audiences, cleaner attribution, and audit-ready compliance instead of a patchwork of regional hacks. The broader IAB Guidelines hub is worth bookmarking for any media organisation that wants to align internal practice with industry standards rather than reinvent them.

My practical advice, and this is the part I would write on a whiteboard in any publisher’s executive offsite, is this: design your consent architecture before you design your activation strategy. If you flip that order, every audience you build will inherit cracks you cannot see until measurement fails or a regulator calls.

3. Alliances and interoperability, owning your data is necessary, but not sufficient

The third strategic aspect is the one most publishers wake up to last, and it is the one that most clearly separates winners from losers in markets the size of ours.

Even a strong individual first-party stack is geographically and demographically limited. A regional title in Sweden, the Netherlands, or Norway may have very deep first-party data on its own readers, but it is selling against Meta and Google, which have first-party data on roughly everyone. 

INMA’s reporting on the Nordic market is one of the cleanest case studies in the world on this question. In Norway, publishers like Amedia and Aller Media established Diar, a joint venture that creates an advertising marketplace built on combined first-party data. 

The result, per INMA, is that advertisers can target across a combined reach that ranges from 15% to as much as 80% of those publishers’ readers, accurate, sustainable, cost-effective targeting at a scale that no single publisher could offer alone.

That is the alliance argument in one sentence: when premium publishers act together on a shared first-party data foundation, they become the “third center of gravity” alongside Google and Meta that Pippa Leary referenced at INMA. Acting alone, they become a price-taker. Acting together, they become a category.

But alliances only work if the underlying data plumbing is interoperable. This is where the IAB Tech Lab’s work on Privacy Enhancing Technologies (PETs) becomes critical reading for any publisher CEO or CDO. 

In the article “PAIR Up With First Party Data: Unlock Secure, Private and Scalable Targeting”, IAB Tech Lab announced that the industry will converge on a single, unified standard for matching advertiser and publisher first-party data: IAB Tech Lab PAIR, which brings together the design goals of Google’s PAIR protocol and IAB Tech Lab’s earlier OPJA (Open Private Join and Activation) work. 

On a side note this is what I have personally been working towards by creating a methodology to apply the same data on both sides of the ecosystem in the same way to be able to match sellside data with buyside data instead of 3rd party cookie tracking. And seeing the industry at large adopting this is really exciting.

Back to the topic at hand: The reason this matters for publishers is not the cryptography. It is the design goals. IAB Tech Lab PAIR is built around four explicit promises, summarised from their article:

- Security of PII, personal information is protected by cryptography end-to-end; no single participant can access cleartext sensitive data alone.

- Privacy of user identity, neither side learns the identity of users that are not in their own input set.

- Privacy of audience membership, neither side can tell which of their users ended up in the matched overlap.

- Privacy of user context, what was learned about a user in one context cannot leak into another.

In plain language: PAIR allows a publisher and an advertiser to match audiences and activate them programmatically without either side handing over its first-party data. That is the missing primitive that makes publisher alliances, retail media partnerships, and direct advertiser deals viable on top of a privacy-first foundation.

The strategic implication for media houses is large. It means that the right answer to “how do we compete with the walled gardens” is no longer “build our own walled garden.” 

It is: own your first-party data, run it through a consented, standards-based stack, and join (or build) a network where that data can be matched with advertiser first-party data through privacy-safe technology. The reach problem and the privacy problem solve each other.

This is exactly the thinking behind how we have built our unified taxonomy approach, using both anonymous and identified signals to enrich advertiser traffic and publisher inventory in a unified way, on standardised IAB-aligned taxonomies, so that the buy side and the sell side speak the same data language at the point of activation.

A simple maturity check for your first-party data strategy

If you want a quick, honest gut-check of where your organisation actually sits, the matrix INMA implicitly uses to discuss this work is a good place to start. I have adapted it slightly here:

A useful exercise: rate yourself from 1 to 5 on each row. The publishers I see pulling ahead are not those scoring 5/5, they are the ones who are honest about where they are 2/5 and have a plan to get to 4/5 over the next 18 months.

Final words

I have spent the best part of a decade arguing that first-party data is the single most important asset a publisher owns. What is different about 2026 is that the industry has finally stopped treating that argument as controversial.

INMA has put the strategic case in plain commercial language. The IAB and IAB Tech Lab have spent the last few years quietly building the standards and the privacy-safe matching protocols that turn that strategic case into something actually shippable. PAIR, OPJA, TCF, GPP, these are not acronyms to memorise. 

They are the rails on which the post-cookie publisher economy will run.

The publishers who will win over the next five years are, in my view, the ones who do three things at the same time:

- Treat first-party data as a revenue moat, not a side project, including in how you compensate sales teams and how you measure success.

- Design consent and identification as infrastructure that earns trust and survives audit, not as a banner that survives a privacy review.

- Plug into alliances and interoperable matching standards so that your moat actually scales to compete with the walled gardens.

If you do those three things, the 52% revenue gap that Google warned about stops being a threat and starts being an opportunity, because it is going to be redistributed, and there is no rule that says it has to flow back to the platforms.