GDPR, CCPA, CPRA, and nearly every other privacy-related regulation is the product of consumer backlash. You can almost hear the chorus: “Stop collecting and selling our data so marketers can deploy it against us in algorithms. We want our privacy back.” 

The principles that underpin these laws are clear. The consumer should own its data. If we want to collect and use it for any marketing purpose, we must explain how we will do so – and obtain consent and permissions. 

But to get that agreement, the consumer must understand the trade-off. They need to understand what’s happening with their data. 

We need to stop tricking ourselves first with clever words. Perhaps we’d rather stay one step ahead of the regulator than stop and embrace the consumer. Does it all go back to our love affair with our own soundbites? 

Marketers constantly tell brands to consider the data generated by user activity on their domains as their own “first-party data.” The thinking goes a little like this: Because the brand collected the data, it owns it. Right? If that logic holds, it follows that the brand has the implicit authority to use that first-party data at its discretion because they own it. 

Let’s look at this through the consumer lens: 

If I visit your site and make a purchase, I’m consenting with the understanding that you need my data to uphold your end of the bargain, by which I mean: charge the correct price, send the right product to the right place and resolve any issues that may arise. 

However: That data is not “your” first-party data. The customer is the first party in this transaction – you, as the marketer, are the second party. It is the only logical party-numbering scheme if we “put the consumer first.” 

Still, the industry overlooks its logical misconception and self-delusion. It invents new language manipulation, such as calling customer data “zero-party data.”  

But I’m not a zero; zero isn’t even an actual number – it’s an integer. I am a real person and have legal sovereignty over my data. 

Tell yourself my data is your asset, but it’s increasingly becoming a liability. The law is pretty straightforward: The consumer is the actual first party. 

Brands must obtain permission from the first party to use their data for marketing purposes—clear and explicit consent. 

One of the most opaque – and ignored – terms in consumer data and privacy is “purposes.” Once regulators start investigating permissions, it’s only a matter of time before they get to “breaches of purpose.” 

The path of least resistance is accepting that “privacy-first” means “user-first.” 

Buttress that with informed consent, unbundling permissions, and empowering consumers to keep sovereign control over the what, when, where, how, and why, not just the who. 

It really is that simple. Just stop snooping.