Zero-party data is a marketer's dream. Forget inferences and assumptions: zero-party data is personal information customers voluntarily share with your business. It can provide incredible insights into an individual's tastes, product preferences, and personal style, allowing you to enhance and personalize the customer experience.

However, just because a user voluntarily gives you their data does not mean your business can use it any way it likes. Regulators are keen to see it collected and used responsibly, and the rules vary widely depending on where you do business.

In this guide, we will walk you through the process of collecting zero-party data in a compliant manner across each major privacy regime.


Defining Zero-Party Data

Zero-party data refers to information a customer proactively and intentionally shares with a business. Some common examples include:

  • Survey and poll responses: Customers are actively solicited for information and provide personal data willingly.
  • Quiz results: Includes personal responses to quizzes like "Find your skincare routine."
  • Loyalty programs: Customers sign up and provide personal information about their preferences in order to enjoy personalized marketing, discounts, and promotions.
  • Preferences: Control and customization information collected via preference centers.
  • Product usage intent: Such as "Are you a side sleeper or back sleeper?" on a mattress website.

Zero-party data is information that the customer wants your organization to know about them. While the truthfulness of the information ultimately depends on the individual user, it can provide marketers with insights that are not easily obtained in other ways.

As seen in the example below from British mattress retailer Silentnight, the customer is told how the process of collecting zero-party data works and how it will be used:

Disclosure from Silentnight when inputting your data

Then, through a series of questions, it collects zero-party data and guides you to a personalized shopping result:

SilentNight: Form Step 2

In many contexts, zero-party data like this gives marketers far more useful information than other forms. By contrast, first-party data is observed from behavior or transactions, which leaves the business inferring users' intentions. Third-party data, which is purchased or collected elsewhere, may not align directly with the goals of your organization.

However, although customers provide this information willingly, that must not be confused with providing consent. Businesses must still comply with stringent data privacy law requirements around consent when collecting and using it.

This is because under most data privacy laws, consent must be explicit, informed, and purpose-specific. This can be seen in the definition of consent in the California Consumer Privacy Act of 2018 (CCPA), as amended by the CPRA, which requires consent to be "freely given, specific, informed, and unambiguous."

CCPA Consent must be freely given

Merely submitting a form indicating a few personal preferences is unlikely to reach this high standard.

Simply put, collecting zero-party data legally still requires privacy legislation compliance. Let's break down what that looks like in practice across major international privacy frameworks.

Zero-Party Data Processing Under the GDPR

The General Data Protection Regulation (GDPR) applies to organizations established in the EU and to any organization, wherever it is located, that offers goods or services to people in the EU or monitors their behavior. The UK retained the regulation as the UK GDPR after leaving the European Union, so the requirements below apply on both sides of the Channel.

The GDPR is widely regarded as the most stringent data privacy law in the world and serves as the gold standard for consent-based data collection.

Here are its requirements for the lawful collection of zero-party data:

  • Lawful basis for processing: You must have a lawful basis – a legally sound reason – for collecting and using the personal data. For personalized marketing built on zero-party data, that basis is normally the user's consent, obtained before the data is collected. If the answers reveal special-category data such as health (a skincare or sleep quiz can easily do this), Article 9 requires explicit consent.
  • Informed and freely given: Consent must be accompanied by clear information about how the data will be used. A general catch-all is not enough: the notice and your Privacy Policy must set out each way the zero-party data will be used.
  • Granular consent: Consent must be obtained for one or more specific purposes. Users should be able to opt in or out of specific uses in a preference center, or select "allow all." Pre-ticked boxes and silence do not count as valid consent.
  • Documentation: You must record proof of consent (who consented, when, how, and to what).

Collecting zero-party data in compliance with the GDPR

Let's break down the example below from Boots, an online pharmacy that operates under the GDPR. All users must first select their cookie settings, which allows them to provide granular consent to information being collected about them.

Boots Cookie Notice Privacy Preferences Center screenshot

On the Boots site, there is a quiz feature called the "Healthier You Review." Users provide their first name, age, and gender assigned at birth, before selecting from several quiz-style questions about their health.

After this, users can choose to sign up to receive personalized offers and advice. This is the point when zero-party data becomes useful to marketers, as it can be tied to an individual.

The Privacy Notice at the bottom of the page explains:

  • How personal data is used (tailored services)
  • Whether your data will be shared (not shared with any third party)
  • How to learn more about how your data is handled (Privacy Policy link)

Here is the example:

Boots Quiz: Privacy Notice disclosure

This level of consent gathering is essential for complying with the GDPR when collecting zero-party data.

Checklist for GDPR-compliant zero-party data collection

The following checklist can help you collect zero-party data while complying with the GDPR's rigorous consent standards:

  • Use checkboxes that are unchecked by default
  • Provide separate consent for each processing purpose
  • Include a visible, easily-accessible link to your Privacy Policy explaining how zero-party data will be used

Collecting Zero-Party Data in California (CCPA/CPRA)

The California Consumer Privacy Act (CCPA), as amended by the CPRA, does not require opt-in consent for most data collection. This is why sites aimed at Californians typically show a notice and an opt-out link rather than the opt-in banners seen on GDPR-compliant sites. The law does, however, require transparency and control, with extra safeguards for sensitive personal information.

Key requirements of the CCPA/CPRA

The key principles of CCPA/CPRA compliance are as follows:

  • Notice at collection: At the point of collection, an organization must disclose what types of personal data are being collected and for what purposes.
  • Right to opt out: Customers must be given the option to opt out or refuse to allow their personal data to be sold to or shared with third parties.
  • Consent for sensitive data: The CPRA adds safeguards for sensitive personal information, including data about race, precise geolocation, and health. Consumers have the right to limit its use and disclosure to what is necessary to provide the service they asked for. Selling or sharing personal information is opt-out for adults, but affirmative (opt-in) consent is required before selling or sharing the data of consumers under 16.

CCPA zero-party data collection in action

California-based visitors to Ulta Beauty can provide zero-party data through its foundation quiz. However, before users enter their preferences, the Cookie Banner below appears. It highlights the following:

  • The site uses cookies and other tracking technologies to personalize and improve the visitor experience
  • Going ahead means your information may be disclosed to third parties
  • Users have the right to opt out

Users are then presented with two options: "Do Not Sell or Share My Personal Info" or "I Understand."

Ulta Beauty: Cookie Consent has link to Do not sell my personal information

Selecting the first option displays a preference center, allowing users to make personalized privacy decisions.

Ulta Beauty: Cookie Consent Preferences Center

Design tips for CCPA/CPRA compliance

To keep your business compliant with the CCPA/CPRA when collecting data from California residents, implement the following:

  • Use a prominent notice, as seen above, at the moment of data collection (e.g., above or below a form collecting data or the first page of a quiz).
  • Include a "Do Not Sell or Share My Personal Information" link.
  • Do not bundle consent in with your terms and conditions, as this would likely make it invalid.

Collecting Zero-Party Data Compliantly in Brazil (LGPD)

Brazil is one of the largest markets in the Americas, and many companies cannot afford to ignore its customers. If you target them, you will need to comply with the Lei Geral de Proteção de Dados (LGPD).

Although it was modeled after the GDPR, there are some distinctions businesses and marketers need to consider when using zero-party data.

Key requirements of the LGPD

Ten key principles guide the LGPD, including purpose, necessity, and transparency in data collection. So, although the user freely provides personal information through the survey, quiz, or other methods, you cannot do what you like with it.

These principles impact the collection of zero-party data in the following ways:

  • Legal basis required: The LGPD's other legal bases (such as compliance with a legal obligation) are hard to justify for collecting marketing data, so in practice you must obtain the user's consent before the data is collected.
  • Express and specific consent: Consent must be freely given, clear, informed, and limited to a specific purpose.
  • Revocability: Individuals can revoke consent at any time, through a free and easy procedure.
  • Portuguese-language notices: If you're operating in Brazil, notices and consent requests should be presented in clear Portuguese; consent the user cannot understand is neither informed nor unambiguous.

What LGPD-compliant zero-party data collection looks like

Visit the Brazilian site of cosmetics company Boticario, and you will notice it uses quizzes that collect zero-party data. In this case, the quiz helps you find the perfect gift. Prominently displayed is a cookie banner in Portuguese that links to the Privacy Policy and a preference center.

Boticario Quiz and Cookie Consent have privacy disclosures

As with preference centers that comply with other data privacy laws, the LGPD-compliant example below outlines the necessary cookies and then gives users granular control over their preferences. This allows the company to collect zero-party data through quizzes, registration forms, and other methods while complying with the law.

Boticario Cookie Consent Preferences Center

Design tips for LGPD compliance

The following tips can help you comply with the law while maximizing opportunities in the growing Brazilian market:

  • Be transparent and upfront about the data you are collecting and why.
  • Provide opt-in check boxes (as seen above) in Portuguese that allow users to tailor consent according to their preferences.
  • Make it easy for customers to withdraw consent at any time through a preference center or by logging into their user account.

As with other data privacy laws, it's also important to maintain accurate consent logs and update them as soon as changes are requested. Data flows must also be documented so that you can respond to data subject (customer) requests to know how their data is being handled.

Other Jurisdictions: A Quick Guide

Let's take a quick look at other jurisdictions and how they handle zero-party data privacy:

  • Canada (PIPEDA): This law permits different forms of consent (express or implied) depending on the sensitivity of the information and the reasonable expectations of the individual. As zero-party data often reveals personal preferences and can be tied to an identifiable person, express consent is usually the safer choice.
  • Australia (Privacy Act): Under APP 5 of the Privacy Act, companies that collect personal information must take reasonable steps to notify the individual, or otherwise ensure they are aware of the collection, before or at the time it happens. Consent is also required before collecting sensitive information (such as health information), which quiz answers about health or wellbeing may well be.
  • Singapore (PDPA): The PDPA requires organizations to notify individuals of the purposes of collection and obtain consent before collecting personal data. The Act recognizes deemed consent in limited circumstances, but for marketing personalization, clear opt-in consent that is specific, informed, and freely given is the defensible approach.

Best Practices for Global Compliance

Zero-party data can help drive sales, but it exposes your business to legal risk if you do not comply with data privacy laws. The following best practices help protect your customers and keep your business clear of significant fines and reputational damage.

Layered notices

Give a short summary of the key information customers need to know (first layer). Include a link to your Privacy Policy to provide more detailed information.

Rather than trying to sneak in consent for zero-party data collection along with other consent options, be specific about what you are asking your customers to consent to. This includes allowing customers to complete surveys, quizzes, and other potential zero-party data collection opportunities without requiring them to give consent to personalized marketing.

Preference management

Make it easy for customers to control exactly what information they share with you. Consent dashboards and preference centers are great ways to do this.

Localization

Do not take a one-size-fits-all approach to data privacy. Ensure that you comply with all relevant legislation wherever you conduct business. Ensure consent notices are in a language well understood in your target market. Consent is not valid if users don't fully understand it.

Retention limits

Data privacy laws require that personal data is kept no longer than needed for the purpose it was collected for, and this applies equally to zero-party data. Set a retention period for quiz and survey answers, delete or anonymize them when it expires, and state the period in your Privacy Policy.

The specifics may vary between jurisdictions, but the following can help protect users' rights and your business:

  • Is there a clear explanation of how the data will be used?
  • Is consent actively given?
  • Is consent granular, allowing customers to define their preferences?
  • Is the user clear on who will receive their data and how it will be used?
  • Is there a way to opt out or withdraw consent later?
  • Is consent recorded and timestamped?
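The GDPR "Documentation" requirement, the retention limits section, and the checklist above all come down to the same engineering question: what does a consent record look like that can prove who agreed to what, when, and that data is not used or kept beyond what was agreed? The Python below is an added example (not code from this page or from any of the sites discussed) of a small consent ledger that makes those properties testable: one timestamped event per purpose so nothing is bundled, grants only for boxes the user actually ticked, withdrawal logged as a new event rather than an edit, and quiz answers released only while consent for that purpose is current and the data is inside its retention window. The purpose names, subject IDs, policy version, and sleep-quiz answers are constructed for illustration and loosely mirror the mattress example earlier in the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Processing purposes a quiz or preference center might ask about.
# These names are assumptions for this example, not taken from any law or site.
PURPOSES: FrozenSet[str] = frozenset(
    {"personalised_offers", "product_recommendations", "third_party_sharing"}
)


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable audit entry: who, which purpose, granted or not, when,
    how the choice was captured, and which Privacy Policy version was shown."""
    subject_id: str
    purpose: str
    granted: bool
    at: datetime          # timezone-aware, stored in UTC
    method: str           # e.g. "quiz_step2_checkbox", "preference_center"
    policy_version: str


def _as_utc(ts: datetime) -> datetime:
    """Reject naive timestamps so the log is unambiguous across regions."""
    if ts.tzinfo is None:
        raise ValueError("consent timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


class ConsentLedger:
    """Append-only consent log plus a retention-limited store of zero-party answers."""

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._events: List[ConsentEvent] = []
        self._answers: Dict[str, Tuple[datetime, Dict[str, str]]] = {}

    def record_submission(self, subject_id: str, ticked: Iterable[str], method: str,
                          policy_version: str, at: datetime, answers: Dict[str, str]) -> None:
        """Only purposes the user actively ticked become grants; every other purpose
        is logged as not granted, so an unticked box can never be read as consent later."""
        ticked = set(ticked)
        unknown = ticked - PURPOSES
        if unknown:
            raise ValueError(f"unknown purpose(s): {sorted(unknown)}")
        stamp = _as_utc(at)
        for purpose in sorted(PURPOSES):   # one event per purpose: granular, not bundled
            self._events.append(ConsentEvent(subject_id, purpose, purpose in ticked,
                                             stamp, method, policy_version))
        self._answers[subject_id] = (stamp, dict(answers))

    def withdraw(self, subject_id: str, purpose: str, at: datetime,
                 method: str = "preference_center") -> None:
        """Withdrawal is appended as a new event, never an edit, so the trail stays complete."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        latest = self._latest(subject_id, purpose)
        version = latest.policy_version if latest else "n/a"
        self._events.append(ConsentEvent(subject_id, purpose, False, _as_utc(at), method, version))

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]
        return max(matches, key=lambda e: e.at) if matches else None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.granted

    def answers_for(self, subject_id: str, purpose: str, now: datetime) -> Optional[Dict[str, str]]:
        """Release stored answers only if consent for this purpose is current
        and the data is still inside its retention window."""
        if not self.has_consent(subject_id, purpose):
            return None
        stored = self._answers.get(subject_id)
        if stored is None or _as_utc(now) >= stored[0] + self.retention:
            return None
        return dict(stored[1])

    def purge_expired(self, now: datetime) -> List[str]:
        """Delete answers past the retention limit; return the subjects purged."""
        cutoff = _as_utc(now)
        expired = [sid for sid, (collected, _) in self._answers.items()
                   if cutoff >= collected + self.retention]
        for sid in expired:
            del self._answers[sid]
        return expired

    def audit_trail(self, subject_id: str) -> List[ConsentEvent]:
        return sorted((e for e in self._events if e.subject_id == subject_id), key=lambda e: e.at)


def demo_report() -> Dict[str, object]:
    """Constructed scenario: user-42 ticks only personalised offers and withdraws a month
    later; user-7 chooses 'allow all'. Both sets of answers age out after a year."""
    ledger = ConsentLedger(retention=timedelta(days=365))
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    ledger.record_submission("user-42", {"personalised_offers"}, "quiz_step2_checkbox",
                             "privacy-policy-v7", t0, {"sleep_position": "side", "firmness": "medium"})
    ledger.record_submission("user-7", PURPOSES, "quiz_step2_allow_all",
                             "privacy-policy-v7", t0, {"sleep_position": "back"})
    day1, day30, day366 = (t0 + timedelta(days=d) for d in (1, 30, 366))
    report: Dict[str, object] = {
        "offers_granted": ledger.has_consent("user-42", "personalised_offers"),
        "sharing_granted": ledger.has_consent("user-42", "third_party_sharing"),
        "answers_for_offers": ledger.answers_for("user-42", "personalised_offers", day1),
        "answers_for_sharing": ledger.answers_for("user-42", "third_party_sharing", day1),
        "user7_before_purge": ledger.answers_for("user-7", "third_party_sharing", day1),
    }
    ledger.withdraw("user-42", "personalised_offers", day30)
    report["offers_after_withdrawal"] = ledger.has_consent("user-42", "personalised_offers")
    report["purged"] = ledger.purge_expired(day366)
    report["user7_after_purge"] = ledger.answers_for("user-7", "third_party_sharing", day366)
    report["events"] = len(ledger.audit_trail("user-42"))
    return report


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

Two design points matter here. The consent log and the data store are separate: user-7 still holds valid consent after the purge, but the answers are gone because retention, not consent, governs how long the data lives. And every change is an appended event carrying the policy version shown at the time, which is what lets you answer a regulator's "what exactly did this person agree to, and when?" without reconstructing it from application state.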

Harness the Power of Zero-Party Data Legally

Zero-party data could revolutionize the customer experience, building brand loyalty and boosting sales. But while the data is freely given, it is not a legal free-for-all. You must obtain proper consent in line with applicable data privacy laws before collecting zero-party data and putting it to work.

To stay compliant, take time to understand your legal obligations across all the jurisdictions in which you operate. Build consent directly into your UX, ensuring it is tailored in terms of language and requirements of the geographical location you are targeting. Document user choices and honor them.

Getting zero-party data collection right will build trust and help you avoid the risk of regulatory fines, while also enhancing your company's reputation.
