CONSENT FOR DATA IS LIKE MILK
As concerns about data privacy have risen, vendors have propagated the misconception that first-party data is the key to privacy-first marketing. Of course first-party data is information that a business collects directly from the customer, while the much maligned third-party data is typically aggregated from a number of sources and does not involve a direct company-to-consumer relationship.
But the emphasis on first-party data is the wrong way to think about data privacy. Instead of focusing on the differences among first-, second-, and third-party data, marketers should be asking themselves whether the consumer data they are using was collected with clear and affirmative consent. That includes when consent was obtained, whether it is still valid, and precisely what the consumer has consented for businesses to do with their information.
Let’s consider an example. If Juan consents for the New York Times to collect data on his reading habits or for a data purveyor to collect information on his age and share it with Adidas, it is perfectly fine for the sneaker brand to use his data, even though Adidas does not have a direct relationship with Juan. If Adidas knows when the data was sourced and that Juan has consented for the businesses collecting his information to share it with others, Adidas knows it is using consensual, timely, quality consumer data.
The fact that, in Adidas’ hands, Juan’s information is second- or third-party data is irrelevant to the data’s quality, security, and respect for privacy. The data meets industry-leading privacy standards as long as Juan has explicitly consented for Adidas to use it to market to him.
By contrast, let’s say Juan purchased sneakers from Adidas in 2016 and filled out a digital form providing his email address. This is first-party data, stemming from the direct relationship between Adidas and its customer. But let’s say Adidas then turns around and sells or shares Juan’s email address with other parties or that Adidas is still using the email address five years later, despite all the messages to that address bouncing. In either event, the use of Juan’s data is non-consensual and ineffective. Juan has not necessarily consented for his data to be shared, nor used in perpetuity. Like milk, his data has spoiled, and through Adidas’ use of that data, it is engaging in both inefficient and unethical business.
Juan’s case demonstrates that what matters for companies aiming to respect consumer data privacy is not first-party data; it is consent, no matter where data originates.
It is understandable why the consumer data industry has developed an obsession with first-party data as a stand-in for consent: an unmediated relationship between a company and a consumer offers the company control over how its data is sourced and the opportunity to ask the consumer how much data they will hand over and how it can be used. But it is counter-productive and risky to center a data strategy on first-party relationships, as opposed to clear and affirmative consent, for a few reasons.
For one, the first-party obsession risks lulling marketers into a false sense of security about the ethical and legal standing of their data collection practices. The fact that your data comes directly from one of your customers and that you ask for it once is not enough. You need to be specific and clear about how much data you’re asking for, what you’ll do with it, and how long the consumer’s consent lasts. Assuming that any amount of data and any of use of it is fair game is unethical, even though this remains the standard practice. Increasingly, treating data in that manner could even land companies in legal trouble as codified privacy standards strengthen in the US and abroad.
Secondly, equating first-party data with the gold standard in data-driven business obscures the reality that there is plenty of quality data out there to be obtained via second- or third-party providers. In fact, data ecosystems built on consent may do a better job at obtaining consumer consent than individual consumer-facing brands because consumer data is their primary business. While many data vendors fall short on privacy metrics, consent-first data companies should actually be experts at obtaining and continually verifying granular consent for consumer data.
Thirdly, first-party data is not necessarily quality data. As the example of Juan’s email address illustrates, data may be initially collected with consent, and first-party data may be easiest to collect with consent, but consent does not last forever, and data accuracy expires. Therefore, ethical and effective data management is not just about consent at the time of collection; it is about renewing that consent and verifying the accuracy of the data with the consumer on a recurring basis.
Focus on consent to stay on the right side of privacy legislation and to be an ethical and shrewd steward of consumer data. Whether you’re collecting the data directly or acquiring it from another party, make sure you have a strategy or solution in place that looks into the details of consumer data. When was it sourced? By whom? To what exactly did the consumer consent? Can you use the data for advertising? Sell it? And for how long is the data valid?
Consumer-facing brands should bake these questions into their own processes of customer data collection. Fortunately, the data privacy crisis striking adtech has led a whole class of privacy-oriented data companies to emerge, empowering brands to source ethical data, verify its timeliness, and determine what the consumer has consented for advertisers to do with it. Some brands will have the talent to manage the data privacy supply chain in house, but most will turn to these vendors to verify the ethics and quality of the information on which their business runs.
The same goes for businesses buying or borrowing data from other entities. In the rush to amass audience profiles at scale, data purveyors, analytics platforms, and adtech firms have been too lax about verifying the consent and accuracy of consumer data. But companies can reverse the trend now by focusing on consent. Anything less, and you risk churning out products baked with spoiled milk.
