Every day, it feels like there’s a new data privacy regulation update; six states in the US now have comprehensive privacy laws (and many more with bills in the works), adding to the already crowded global regulatory landscape. Because third-party cookies are also finally going away in 2024 (for now), organizations need to find a way to get relevant data about their customers without using third-party trackers to get it. 

This shift is going to bring about a new era of corporate responsibility, with organizations being more transparent than ever before about exactly how and why they’re processing data and demonstrating the value that collecting this data brings to their customer’s user experience. 

In the recent Marketer’s Masterclass webinar series, OneTrust privacy experts covered many topics on consent and preferences, including first-party data, zero-party data, and how US state privacy laws define Sensitive Personal Information (SPI). Let’s take a look at some of the common questions across the series that were asked around first-party data.

Different categories of data require different types of consent

When collecting first-party data or zero-party data, your marketing organization needs to be aware of the categories of data that it’s collecting. While obtaining data such as website activity and purchase data require opt-out consent from the user to obtain, more sensitive categories of data not only require a separate consent form but an additional notice as well that explains why these categories of data are required for your organization and how you plan on processing it. These categories of data are referred to as Sensitive Personal Information (SPI) and have slight differences across the US privacy landscape. 

SPI can be considered first-party or zero-party data when it’s collected directly from the consumer and not via any third-party data trackers. In these cases, you still need to ensure that the appropriate consent mechanisms are in place when collecting this data. 

You need to guarantee that your marketing teams are aware of the different consent requirements and mechanisms in place for the categories of data that it’s looking to obtain from users. 

What are the differences regarding sensitive personal information (SPI) consent for different states?  

Different laws in the US deal with SPI in different ways. 

First off – what is it? Different states define SPI slightly differently, however, all states currently have the following items classified as SPI:

• Racial or ethnic origin
• Religious beliefs
• Health data
• Sexual orientation
• Citizenship status

Apart from these, there are certain categories of data that some states consider as SPI and others don’t. For example, California considers union membership, government ID, financial information, and private communications to be SPI while no other state does. Certain states include other categories such as biometric information, children’s data, and geolocation, in their SPI definition while others leave them out. Precise geolocation data is one category that is considered SPI by every state except for Colorado and is currently one of the main topics of discussion in privacy. 

Refer to the table below for a full breakdown of SPI categories across US state privacy laws.

Under the Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA), companies are required to get an opt-in from customers before processing their SPI, whereas the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and the Utah Consumer Protection Act (UCPA) operate on an opt-out model – although the CCPA does require companies to have a “clear, conspicuous” link on their website that reads “Limit my use of Sensitive Personal Information” that customers can click to opt-out of the use of their SPI. 

Make sure your organization has the right data policies in place to process consent appropriately for each jurisdiction, along with notices and disclosures on your site to ensure transparency with your customers on how and why their data is being processed.

How will the deprecation of third-party cookies impact data collection?

With third-party cookies going away in 2024, companies need to establish methods of collecting data that don’t rely on third-party trackers. Companies can collect first-party data by playing detective on their own website or app. By using tools like Google Analytics or Adobe Analytics, companies can track customer behavior, see what they're clicking on, and find out what they're buying. It's like being Sherlock Holmes, but for marketing! 

The deprecation of third-party cookies doesn’t mean the end of CMPs by any means, the onus of collecting data for various purposes and the consent required for each purpose now falls solely on your organization. 

Another way companies can collect first-party data is by taking advantage of preference centers. The more you know what your customers prefer when it comes to their taste in products and preferred mode of communication, the easier it becomes to reach out in a non-intrusive way that adds value.  

Companies can also collect first-party data through email marketing campaigns. By asking customers to sign up for newsletters or loyalty programs, companies can get a treasure trove of valuable data, like email addresses, demographics, and preferences.

What’s the difference between zero-party and first-party data?

Zero-party and first-party data are two types of data companies use to gain insights about their customers. Both types of data combine to form “earned data,” which is important for marketing and customer engagement, but they differ in their origin and level of customer involvement.

While both first-party and zero-party data are valuable for customer engagement, first-party data is data that a company collects directly from its customers through interactions, while zero-party data is data that customers willingly share with companies. Both types of data are essential for creating personalized experiences and driving business growth. Just like how a good friend knows all your likes and dislikes, companies can use this data to make sure their customers are getting exactly what they want.

First-party data is what companies can learn by tracking customer interactions on their website, purchase history, and social media activity. Think of it as things you would learn about a friend from interacting with them, noting their behavior in different situations. Companies can use this information to create ads and marketing campaigns more tailored to their customers' likes and wants. First-party data is typically used for personalized marketing, retargeting, and improving customer experience. This type of data requires an opt-out mechanism for users in the US privacy landscape – your organization must clearly mention that their data can be used for the purposes of targeted advertising, profiling, and personalization while giving users the choice to opt-out of sharing their data for these purposes as well. 

Zero-party data is when customers voluntarily give companies their preferences and opinions through things like surveys, polls, and feedback forms. Think of this as what your friend willingly tells you after you ask them what they think about a certain issue or topic. Companies can use this data to create even more personalized experiences for their customers, making them feel like they're truly understood. Zero-party data allows companies to create personalized experiences that directly align with customer needs, which helps build trust and loyalty.

To learn more about how your organization can stay on top of consent requirements, build trust with your customers, and deliver personalized experiences while honoring user privacy, watch the Marketer’s Masterclass for Privacy and Personalization on-demand.