In 2020, Forrester coined a new buzzword: zero-party data. On the surface, the concept is simple. Zero-party data fraud is the natural result of a world where customers freely and willingly provide data through surveys, quizzes, or feedback to the company. Essentially, you ask people to give you data, and they comply because they trust your organization or they feel compelled to help you make your product/service better.
The zero-party data concept comes at a time when data privacy is very much top of mind for most companies. Right now, a lot of the old forms of gathering data are getting harder to do. Browsers like Firefox and Brave have announced that they plan to actively block third-party tracking. Apple expanded privacy protections by forcing apps that operate on its devices to ask for permission from users to track them, rather than requiring users to opt out of tracking.
It’s no surprise that a lot of companies were thrown by these changes. After all, Wired has called data the “oil of the 21st century.” Many marketers saw the demise of third-party data as an inevitable loss, leading to both lower revenues and slower growth.
Zero-party data has become a much-discussed alternative to help companies continue to use data while respecting the privacy of consumers and new legal restrictions. In the years since the term was coined, zero-party data has gained popularity with companies, representing a promising alternative for consumers, data companies, and the companies that buy and use all that data.
What is zero-party data?
The classic example of zero-party data is the green smiley, yellow flat-mouthed emoji, and red frown-face bathroom survey buttons. This data is freely given, with no compensation expected or given to those that reply. Of course, there’s no way to track the person after the engagement but that is a trade off made in order to facilitate this free exchange of data that meets the needs of the data collector (i.e., they want to track bathroom user experience satisfaction) and the person providing the data (i.e., quick and easy to provide feedback without having to worry about additional, unnecessary data collection or follow-up).
Let’s look at first-party data in contrast. An example of first-party data is when someone agrees to respond to a survey in exchange for some type of reward (ex. points, gift cards, product discounts, to be able to visit a premium section of a website, etc.). In this instance, the value exchange is made clear up front and used to encourage an individual to provide their feedback.
First-party data also arises when someone registers on a publisher’s site or company page to create a profile or make a purchase. In this instance the individual provides information in exchange for use of the application, access to content or to receive a discount on a purchase. In addition to the details that the individual directly provides, the company or publisher will usually also passively collect information about what that user does while visiting the site but there is no intermediary or off-site tracking.
Second-party data is like first-party data that is collected through a direct value exchange or transaction with the individual but the data is collected by a partner who then shares it with you. For example, if a credit card company sells transaction data to a brand, the credit card company’s first-party data becomes second-party data to the brand.
Third-party data is data that is collected by a company that does not have a direct relationship with the individual. An example of this might be a company that uses crawler technology or cookies to observe behaviors across the web and then aggregates, analyzes and sells that data to other companies. For example, a third-party data provider might be able to tell a potential customer, “Hey, we observed userxyz123 do this on sites similar to yours”, providing them with incremental insights that they would not be able to garner from their first-party data alone.
Enter zero-party data fraud
Unfortunately, some companies are now labeling themselves “zero-party data” companies when they are in fact anything but. Think of it as first or third party data fraud, designed to give a false sense of assurance on compliance. Companies that have collected zero-party data sell it to a data broker, even though in some cases their user agreements say that they will keep this data to themselves or keep it fully anonymous. The data brokers then sell the data off to other companies. In addition to being a violation of user privacy, this can end up with large lawsuits and reputational loss to the companies involved. For example, Sephora was clearly marketing their data as “this is data that is okay for us to sell” but the California AG disagreed, citing Sephora for not disclosing to users that their data was being marketed to outside parties.
“Fraud” may seem like a strong word to use, but it’s nonetheless appropriate. Just take the fact that zero-party data is being sold at all. By definition, this is data that a company gets directly from its customers. Selling it to a broker automatically nullifies the zero-party benefit and makes it at minimum first party but often third-party data. And yet many “zero-party data brokers” exist, despite the fact that this is an inherent contradiction in terms. Many of these data brokers believe that, because the data was zero-party when it was originally gathered, it should still count as zero-party data when it’s sold. This, of course, is patently false.
There are even more egregious examples. For example, one survey platform was marketing its survey data as zero-party when they were paying users to take surveys. To qualify as “zero-party data,” data must be freely given. If a data broker paid for a customer to take a survey, then by definition that data was not freely given. Calling that data zero-party is fraudulent marketing.
Another potential misuse of the term “zero-party data” concerns data that the government has legally defined as sensitive, or health care data, which is subject to HIPAA. Imagine a person walking on the street is asked by a survey taker whether they’ve been to an abortion clinic recently. The person answers honestly. That information, despite being freely given and with full consent, is still protected under health and sensitive data laws. It cannot be zero-party data because the government is a party to its regulation. That kind of data would fall under a first-party data category.
To avoid zero-party data fraud, data companies must make it crystal clear how the data was gathered from customers and what consent was given for its use. Data companies must also ensure that the data does not fall under governmentally-defined sensitive data.
The repercussions of zero-party data fraud
When an individual trusts a company with precious personal data and then finds out that trust was misplaced, the consequences for companies can be severe. To illustrate the dangers, let’s look at a case study. In 2020, an explosive Vice report revealed that Microsoft, Google, Home Depot, and McKinsey, along with dozens of others, purchased data from Jumpshot, a subsidiary of popular antivirus plugin company Avast.
Avast, through Jumpstart, was tracking consumers without their knowledge or consent and selling the data to some of the best-known brands in the world. Jumpstart’s marketing material claimed that it was able to capture “Every search. Every click. Every buy. On every site.”
When users downloaded the antivirus plugin, Avast did ask users to opt in, but did not provide any information about what that data would be used for. Furthermore, the company promised the data would be de-identified, yet experts say the granularity of the data provided – including timestamps of how users acted on websites down to the millisecond – meant that it was impossible to fully de-identify.
Jumpstart knew consumers would not be happy about being tracked like this. “Employees are instructed not to talk publicly about Jumpshot’s relationships with these companies,” wrote the Vice report’s author, Joseph Cox.
When the report was released, the fallout was brutal and immediate. Brands named in the report suffered reputational damage, and investors in AVG, the parent company of Avast, watched the stock price dive. Clearly, zero-party data fraud has serious repercussions.
Effective zero-party data practices
The problem that zero-party data was supposed to fix still exists. Companies are used to freely using data to reach customers and grow revenue, but there are already growing restrictions on that use. There’s bipartisan support in Congress for additional data regulation, and consumers are growing more aware of concerns about data privacy.
But instead of thinking of zero-party data as a burdensome necessity to avoid running afoul of regulations, it’s more accurate to view it as an opportunity for companies to not only stay compliant but also build relationships with customers. Plus, zero-party data is typically more accurate than third-party data because the data is given freely by customers with full knowledge and consent of how that data will be used.
In the rush to take advantage of the benefits that zero-party data has to offer, companies must be careful about how they acquire zero-party data and how it is used. Here’s how.
Be upfront with users
This was Jumpstart’s cardinal sin. Instead of sharing that they were selling customer data, they obfuscated the truth with marketing jargon in their opt-in form. To institute an effective zero-party data policy, companies need to tell users exactly how they plan to use their data, in simple and clear terms that anyone can understand.
Avoid problematic data
As mentioned above, some types of data will never fall under zero-party data collection since it’s just too sensitive. For instance, collecting a combination of health data and real-time location data could genuinely put users at risk in a post-Roe world. Data that the government has defined as sensitive or data that falls under HIPAA is also off-limits.
Whereas, data like purchase intentions, personal contexts, and data on how an individual wants to be recognized by the brand can safely be considered zero-party data if provided freely and with informed consent on how that data will be used.
Verify and verify again
Today, data companies can face both reputational and regulatory consequences for zero-party data fraud. Both may get worse in the future. The FTC is not shy about protecting consumers’ right to privacy. They have brought hundreds of cases to protect the security and privacy of consumers’ personal information. Some of those cases have resulted in serious civil penalties.
To ensure that your company is appropriately handling customer data, ask your legal and compliance team to review the language you use in data collection notices and forms.
Final thoughts on zero-party data fraud
Data privacy, like GDPR regulations and others, is a swiftly shifting landscape for both consumers and companies. To avoid accidental zero-party data fraud, companies should err on the side of caution. By intentionally building an ethical zero-party data strategy, companies can ensure they build trust, avoid reputational damages, and avoid future legal troubles.
Ultimately, it may be difficult for zero-party data to ever be anything more than a ploy for some data providers to recast their existing data in a more positive light. By throwing a new descriptor on their existing data that in many cases stretches the original Forrester definition to fit their needs, they are essentially putting lipstick on a pig.
Instead of coming up with new data types with more and more confusing names, companies should just get better at collecting, labeling, and using the data that they already have.
This article was contributed by Timur Yarnall. Timur is the founder and CEO of Neutronian, a SaaS company that provides data privacy and compliance verification services. Neutronian also developed the Data Privacy Scores, a standard for data privacy verification that provides this transparency and allows organizations to evaluate partners more effectively.