September 6, 2022 in Zero-Party Data
Why Your Zero-Party Data Policy Is Wrong and How to Fix It
Should your company have a zero-party data policy, and if so, how can you ensure compliance?
SHARE: PRINT ARTICLE:
https://doi.org/10.1287/LYTX.2022.05.08
Over the past few years, there has been some major change in the way companies are allowed to collect and leverage data about their current and potential customers. In 2020, most web browsers started blocking third-party cookies because of privacy concerns, and Apple responded to privacy concerns by eliminating the digital device IDs that advertisers had long relied on to collect device-specific data for marketing purposes. Google has also announced plans to no longer support third-party cookies, although the tech giant continues to postpone the execution of this decision.
These actions have caused many to reconsider the data sources they have depended upon in the past and explore new options for collecting customer data while simultaneously addressing privacy concerns. This led to the concept of zero-party data, as coined by Forrester Research. What exactly is zero-party data and how can your company ensure compliance and reap the full benefits of a zero-party data policy but avoid some of the pitfalls that data privacy issues have caused?
What is Zero-Party Data?
Zero-party data is defined by Forrester as data that is “freely and proactively given” by customers or users who have a direct relationship with the company collecting the data. In other words, your company must present an individual with a clear opt-in for the data that you wish to collect from them before you can collect zero-party data. Consumers must proactively and directly provide this data, and you must only collect the data that you have requested from them without collecting any additional information about the individuals or their devices. A survey on your website that asks which version of your software your clients prefer is just one example. Or think about the “happy face/sad face” button surveys that ask about customer satisfaction in some stores.
One benefit of zero-party data is that it tends to be highly reliable because the individuals providing the data give full consent and actively participate in giving you the information. Although there’s a chance that someone could lie when providing this information, for the most part, they have no reason to do so. Therefore, companies can generally trust that this data will help them better target their marketing.
For clarity, here’s some things that zero-party data isn’t. Zero-party data is not passively collected data, such as data that companies collect through browser cookies that glean a small amount of information about the user’s device and browsing behavior. Zero-party data is not data that automatically defaults to an opt-in, forcing users to deliberately opt out if they don’t want their data collected. For example, you’ve probably seen the default notices showing on many websites that say something like, “By continuing to use this page, you agree that we may collect certain information …” and so on. This is not zero-party data.
Problems may arise when a company claims to be gathering zero-party data in a completely transparent fashion when in reality, the business is collecting additional data about users that they did not consent to. This might include information about their location or device for the collecting company to match user data with other user data profiles that are available from third-party data providers. Does this scenario sound far-fetched? Well, recent history has shown otherwise.
Transparency and Control Matter
Recently, numerous companies have been subject to a slew of privacy-related fines and lawsuits. In 2019, privacy advocates leveled suits against Google, Apple, Facebook, Instagram, WhatsApp and Amazon. These suits resulted in millions of dollars lost in compliance fines and legal fees. The companies’ top mistake? Inadequate transparency regarding the types of data they were collecting, how the collected data would be used and the methods they were using to acquire consent.
Worse, the companies didn’t seem to learn much from the experience. In December 2021, Google had to pay 150 million euros in General Data Protection Regulation (GDPR) noncompliance fines because the company failed to allow an easy opt-out for cookies on YouTube. Facebook received similar complaints and fines in 2021. Meanwhile, lesser-known companies have been fined – including Clearview AI, which had to pay more than $20 million – for being unclear about what kinds of data they were collecting from consumers and what they were using the information for. Other businesses, such as Avast, took a huge hit to their stock price and consumer trust for lack of transparency.
Try not to follow in the footsteps of these unfortunate businesses. If your business claims to collect zero-party data, you need to ensure that your methods of data collection align with privacy regulations. In addition, businesses must go beyond disclosures and opt-out requirements, providing full control to individuals to decide whether they would like to provide the requested information. Companies should always be very clear about how they will use the collected data and hold themselves accountable.
Do’s and Don’ts of Zero-Party Data
So, how can companies develop their own zero-party data strategy or find reliable data partners that provide this type of data? Here are a few basic guidelines for a fully transparent zero-party data policy: 1) Err on the side of caution, 2) ensure that consumers know their data is being collected and how the data will be used, and 3) make privacy the default option.
Exercise caution. It’s easier than you think to fall afoul of GDPR and similar compliance standards. For example, Google included both “accept” and “reject” options for cookies, but because the “reject” option wasn’t immediately evident or easy to find, the company was fined millions of dollars. What can other companies learn from this? Always ensure it is clear that any user’s contribution to a survey or other method for collecting zero-party data is completely voluntary and not required in any way. Also verify that opt-outs are not buried in a settings page, which is what Google did. Instead, ensure that a clear opt-out button is on the front page to make it easy for a user to opt out during any visit to the site.
Fully disclose every aspect of how you plan to collect and use consumers’ data. In other words, there must be complete transparency about all the data that is being collected, not just some of it, and why the information is collected; for example, a dialogue box on a website that states, “this data will be used only for advertising purposes,” etc. Basically, there needs to be disclosure that informs the user whether data will be used only for analytics within the company or if the information will be shared with additional parties.
Also ensure that you are only collecting the data that you requested, and that the consumer proactively provided. Asking a consumer to share input via a survey questionnaire and then also passively tracking their online behavior to enhance their user profile with additional information is not within the guidelines of zero-party data collection, given that the behavioral data has not been proactively provided by the consumer. This type of data collection approach is not bad practice if you have disclosed to the consumer when they opted in that you would also be collecting behavioral data. It’s widely used by many data providers, but it is not zero-party data per the official definition. If you choose to leverage a data collection approach that incorporates passively collected data, be sure not to market it as zero-party data.
Privacy should be the default option for consumers. In other words, if consumers must untick a box to opt out, you may be treading on thin ice when it comes to GDPR compliance. Arguing that consumers could have just opted out may not protect you when it comes to fines. If a user deliberately and knowingly opts in by proactively providing you with information, then you’re collecting zero-party data the right way. But if you collect data without allowing a consumer to opt in or out (or work with a partner that does this), it is not zero-party data, and it may get you into trouble down the road for claiming that it is.
Key Takeaway
Consumer control and transparency matters. If your zero-party data policy does not align with these key fundamentals, you risk sparking controversy, losing client trust and getting hit by hefty fines for noncompliance. But if you take the time to think through your data policy and verify partners that are offering zero-party data to ensure they are aligned with these principles, you’ll not only avoid legal trouble and large fines but also help win over the trust of consumers when it comes to data collection and usage.
Timur Yarnall is CEO and cofounder of Neutronian, a SaaS company providing the industry’s most comprehensive independent data certification. Offering a quality and compliance “credit score” for data, Neutronian brings much-needed clarity and trust to the MarTech ecosystem; provides marketers and brands with the transparency they need to make data-driven marketing decisions; and rewards high-quality, privacy-compliant data providers for their efforts. Previously, Timur was SVP, Corporate Development at Comscore (SCOR) after serving as CEO/cofounder of MdotLabs, the bot detection and audience verification platform acquired by Comscore in 2014.