First-Party Identity vs. Universal IDs: Which Should Publishers Prioritize?

For publishers choosing between first-party identity and universal IDs, the answer is not one or the other: it is both, with a clear priority order. First-party identity, built on registered and consented users, delivers higher and more durable revenue through direct deals, private marketplaces, and exclusive audience segments that no competitor can replicate. Universal IDs (such as Unified ID 2.0, RampID, and ID5) serve a different purpose: recovering CPM from the unauthenticated majority who will never register. They are best treated as a supplement rather than a strategy. For publishers below 100,000 monthly active users, first-party identity investment should come first. At scale above 1 million, it is a commercial necessity. The regulatory environment in the EU and UK adds further weight to first-party approaches, as the legal standing of the IAB's Transparency and Consent Framework has been substantially challenged in EU courts through 2025. What follows is a detailed comparison of how each approach works, where each performs, and what building first-party identity actually requires in practice.

Safari and Firefox blocked third-party cookies years ago. Chrome reversed its deprecation plan in mid-2024, but the alternative ID ecosystem that emerged from the industry's multi-year preparation is now established enough to evaluate on its own terms. The two approaches are often discussed as though they are alternatives to the same problem. They are not. They have different cost structures, different revenue ceilings, and different levels of exposure to decisions made by companies that are not you.

What First-Party Identity Actually Is

First-party identity means recognising a user based on data they gave you directly. In publishing, that almost always starts with a registered account: an email address, a social login, or any authenticated access that ties a visitor to a persistent record you hold.

Once a user is logged in, you know who they are across sessions and across devices without relying on browser cookies or platform cooperation. You can frequency cap against their actual impressions, suppress against advertiser CRM lists, build declared interest segments from their reading behaviour, and target based on what they have told you they care about. None of this requires guessing. It works because the user is known.

The infrastructure this requires is not technically complicated, but it takes time to build. A registration gate, an authentication layer, a consent capture mechanism tied to the registration flow, and a data store that connects the user record to engagement signals. The hard part is not the technology. It is acquiring enough registered users, at high enough consent rates, that the audience is commercially meaningful. Publishers who have done this seriously have typically spent years on it.

There is also a pairing requirement that often gets overlooked. A registered user who has not given data consent is authenticated but not commercially activatable for targeted advertising. Registration and consent rate optimisation have to be designed together.

What Universal IDs Actually Are

Universal IDs are shared identity infrastructure run by third parties. The core mechanism is straightforward: a user authenticates somewhere, their hashed email is matched against a shared ID graph, they receive an identifier, and that identifier can be passed in bid requests. Buyers who have access to the same graph can recognise and target that user across any publisher inventory that carries the ID.

The main solutions in active use are The Trade Desk's Unified ID 2.0, LiveRamp's RampID, ID5, and Prebid.org's open-source SharedID. UID2 and RampID are the dominant solutions in the US market by DSP integration and buyer prioritisation; ID5 has a larger footprint in Europe. Each runs a version of the same model: hashed email as the authentication signal, with some probabilistic extension to unauthenticated users.

The appeal for publishers is obvious. You do not need to build a registered user base first. Any publisher who can collect email addresses with reasonable frequency can start passing IDs. The identifier is consistent across buyers who have adopted the solution, which at least in theory enables frequency capping and audience targeting at scale without requiring login.

In practice, the results depend almost entirely on match rates.

Revenue: Where the Gap Actually Comes From

Publishers with a substantial base of registered, consented users can achieve CPM premiums significantly above open auction rates for that inventory. In direct deals and private marketplaces where buyers are paying for data specificity, uplifts of 2 to 3 times the open auction rate are reported in premium verticals, though results vary considerably by publisher, category, and how the audience data is packaged and sold. The mechanism is not complicated: you can build exclusive audience segments that no other publisher holds, run programmatic guaranteed and private marketplace deals where buyers are paying specifically for your data, and offer frequency management across an advertiser's full campaign. None of that is available in open auction, and none of it can be replicated by a universal ID.

Universal IDs do lift CPMs above contextual-only inventory. Published figures vary widely depending on the environment and what the baseline is: in fully cookieless contexts such as Safari, uplift figures of 40 to 50 percent or higher have been reported by publishers integrating deterministic IDs. Where cookies remain available as a baseline, the marginal lift from an additional identifier is smaller. In all cases the outcome is heavily contingent on match rates, which is the variable publishers have the most control over. A publisher with strong email collection and a well-adopted ID solution might achieve match rates of 50 to 70 percent against premium demand. A publisher with patchy email capture and a less widely adopted ID might be at 20 to 30 percent, which means the revenue benefit only applies to a fraction of total impressions.

The structural difference is what each approach lets you sell. Universal IDs let buyers reach audiences they have already defined, using your inventory as a delivery vehicle. First-party identity lets you create audiences that belong to you and sell access to them. Those are very different commercial positions. Publishers who understand that distinction invest in first-party identity; publishers who miss it end up dependent on someone else's graph indefinitely.

Control, and What Happens When You Lose It

When your user data sits in your own infrastructure, the risk profile is relatively clean. No third party can deprecate your audience. No platform can change its policies and cut your match rates in half overnight. You can take first-party segments to any DSP or direct buyer using whatever translation the buyer needs.

Universal IDs do not work that way. UID2 is governed by The Trade Desk. RampID is governed by LiveRamp. If a solution loses buy-side adoption, changes its terms, or faces regulatory action in a market you care about, your addressable inventory shrinks with it. The publisher has no leverage over any of those outcomes.

The history of third-party identity infrastructure in digital advertising is not a great advertisement for longevity. Third-party cookies ran for two decades before Safari and Firefox blocked them, and the multi-year saga of Chrome's attempted deprecation, ultimate reversal, and subsequent restructuring consumed significant industry resources without producing a clean successor. The alternative ID ecosystem that emerged from that period remains fragmented: six or seven competing solutions with uneven buy-side adoption and no single standard. Publishers who are now building dependency on universal IDs without a first-party foundation are in a structurally similar position to where they were in 2019: reliant on infrastructure they do not own or control, with limited ability to influence decisions that could change its commercial value.

There is one more consideration worth flagging. Universal ID networks aggregate identity signals across large numbers of publishers by design. Participating involves sharing hashed user data with the ID operator. Publishers should read carefully what rights they are granting when they sign up, and whether those rights are consistent with the consent they have collected from users.

Regulatory Exposure in the EU and UK

The consent question is not abstract for EU and UK publishers. It is a direct commercial variable.

Most universal ID solutions, when used for targeted advertising in the EU or UK, require user consent under GDPR and PECR. A generic consent to personalised advertising does not automatically cover participation in a cross-publisher identity network or the processing of hashed email for tracking outside the publisher's own environment.

The IAB Europe Transparency and Consent Framework (TCF) is the standard mechanism for passing consent signals in the programmatic ecosystem, but its legal standing has been significantly undermined. The Belgian DPA fined IAB Europe in 2022. In March 2024, the CJEU ruled that TC Strings may constitute personal data and that IAB Europe could be treated as a joint data controller. In May 2025, the Brussels Court of Appeal upheld the core findings and confirmed that TCF versions 1.0 and 2.0 failed to establish a valid legal basis under GDPR. The current version, TCF 2.2, was not directly reviewed in those proceedings, but publishers relying on TCF consent alone for universal ID activation in Germany, France, or the Netherlands are carrying regulatory exposure that is not theoretical. Enforcement in those markets is active.

First-party identity, collected through a proper registration and consent flow, sits in a cleaner position. The user has a direct relationship with your publication. The consent context is clear. The data stays within your environment. That is broadly the structure regulators have said they prefer, and it is meaningfully easier to defend than cross-publisher identity sharing built on downstream consent.

For publishers with significant EU or UK audiences, this is not a minor footnote. Consent rate and consent defensibility have direct revenue consequences.

Which to Prioritise, and When

Scale changes the answer.

Below around 100,000 monthly active users, universal IDs are unlikely to move the revenue needle much. Match rates on small inventory pools are low, and the buyers running audience-targeted campaigns at that precision level are not spending significant budget there. At this stage, the time spent integrating and maintaining universal ID solutions is better spent on the registration programme. Get the registration wall right, get the value exchange right, and build the audience that will actually generate premium CPMs two years from now. Universal IDs can be included as a low-effort baseline, but they should not be the priority.

Between 100,000 and 1 million monthly active users, both approaches deserve attention. Universal IDs can generate real incremental revenue from the portion of inventory with good match rates. At the same time, this is the scale at which a first-party data programme starts to support genuine segment development and direct advertiser conversations. Publishers in this range who have delayed first-party identity investment typically find they are underperforming the revenue their audience should generate, because they cannot offer buyers anything exclusive.

Above 1 million monthly active users, first-party identity is not optional. At that scale, the difference between a publisher with a functioning data programme and one without shows up directly in the P&L. Direct deals, private marketplaces, and data-enhanced programmatic are where the revenue concentration is. Universal IDs still have a role covering unauthenticated traffic, but they are not a substitute for what first-party identity makes possible.

Running Both Without Confusing Them

The publishers generating the most from their audience tend to run both, but they are clear about what each one is for.

First-party identity covers the registered, consented user base. It underpins direct deals, segment sales, premium programmatic, and subscription conversion. It is the commercial asset that gets more valuable as the registered user base grows.

Universal IDs cover the unauthenticated majority: the traffic that arrives from search and social, reads one article, and leaves. That audience is not reachable through first-party identity. Contextual targeting alone leaves CPM on the table. Universal IDs recover some of it, subject to match rates and consent.

Where publishers go wrong is treating universal IDs as a replacement for the registration programme. If you plug in UID2 and stop investing in registration because the revenue numbers look reasonable, you have capped your potential. Match rates on an unauthenticated audience stay wherever they are. The data programme never matures. You remain dependent on third-party infrastructure without the underlying asset that would give you options if that infrastructure changes.

The goal is a registered user base that grows as a proportion of monthly active users, with universal IDs handling the remainder, and with a consistent programme converting anonymous visitors into registered ones.

What Building First-Party Identity Actually Takes

Registration growth does not happen passively. Publishers who have built meaningful registered user bases have nearly all done a few things consistently.

Give users a specific reason to register. Vague prompts asking visitors to "create an account" convert at low single digits regardless of placement. Newsletter access, saved reading history, personalised recommendations, early content access, and event booking tied to registration all work. The offer has to be real and delivered immediately. Anything that requires the user to trust a future benefit converts poorly.

Capture consent inside the registration flow, not after it. Treating registration and consent as separate steps creates friction and misses the moment when user intent is highest. A well-designed registration flow that incorporates consent as a natural part of the process produces better consent rates and more commercially complete user records than a two-step approach.

Use email as the first step, not full registration. For many publishers, newsletter subscription converts more easily than account creation. Users who subscribe to a newsletter are signalling sustained interest in the publication. Converting those subscribers to registered users, with a clear benefit offered at the point of conversion, is more efficient than cold prompts to first-time visitors who have no established relationship with the site.

Track the right indicators. Total monthly unique visitors is the wrong headline metric for a publisher trying to build first-party identity. Return visit rate, registered user growth, and consent rate among registered users are what matters. Publishers who optimise for total MAU can grow traffic while the registered user base stagnates, and the problem does not surface until revenue per user has already deteriorated.

Where Universal IDs Come Up Short

The gap between the theoretical promise of universal IDs and what they deliver in practice is mostly explained by match rates.

A publisher with a small email list and an ID solution with limited buy-side adoption might generate identifiers on 15 to 25 percent of impressions. A publisher with strong email collection and UID2 integration might reach 60 percent or above. The revenue difference between those two outcomes is significant, and it means the published claims about universal ID uplifts do not necessarily apply to your specific situation.

Buy-side fragmentation makes it worse. There is no single universal ID. UID2, RampID, and ID5 have different levels of DSP support and buyer adoption. A publisher integrating one solution is not automatically addressable by all buyers. Getting meaningful coverage across demand sources requires multiple integrations, each with its own consent and data sharing implications.

A common misconception is that Safari's Intelligent Tracking Prevention blocks hashed email-based IDs. It does not. ITP restricts third-party cookies; it has no effect on email-authenticated identifiers, which are specifically designed to function in cookieless environments. Publishers have reported meaningful CPM uplifts from IDs like UID2 in Safari precisely because there is no cookie signal to compete with, making the authenticated identifier relatively more valuable. The actual constraint is simpler: these IDs require the user to be authenticated on your site. No login, no hashed email, no ID. That applies across every browser and every device. Publishers with low registration or email capture rates will have low match rates everywhere, not because of browser restrictions but because authentication rates are low. The environment question and the authentication question are separate, and conflating them leads to misdiagnosing where match rate problems come from.

How UniSignIn Supports First-Party Identity

UniSignIn handles the registration and identity infrastructure that first-party data programmes are built on: social sign-in, passwordless authentication, single sign-on across multiple publisher properties, and progressive registration flows configurable by content type and audience segment. Consent capture is built into the registration journey so publishers collect data permissions at the point of highest user intent.

Registration walls and consent-or-pay gates can be configured to different levels of friction depending on where a publisher is in its registration programme. Publishers starting from a low registered user base can begin with soft prompts and increase gate pressure progressively as the audience grows.

First-party user data from UniSignIn is available for advertising activation, subscription conversion targeting, and personalisation without requiring additional identity translation for buyers using standard first-party data integrations.

If you are working through what a first-party identity strategy should look like for your audience, talk to the UniSignIn team.