Your website or business likely regularly collects data from users, at many different levels of specificity and quality. Different types of data that you collect can be used for a variety of purposes, and may be subject to different rules for user consent.

These data types are often described as zero-, first-, second-, or third-party data types. Some of them are more directly collected from users, while others are more distant.

This article will cover what these different user data types are, with examples of each, as well as how you should deal with consent when collecting user data. This article will also compare the data types, so you can see the key differences.

Let's get started.


What are Different User Data Types?

The four different user data types that businesses and websites deal with are called zero-party, first-party, second-party, and third-party data.

Most of these types of data will be personal data, or personally identifiable information.

The General Data Protection Regulation (GDPR) defines personal data as "any information relating to an identified or identifiable natural person" and includes identifiers such as:

  • Name or username
  • Address or email address
  • Phone number
  • Social security number
  • IP address
  • Religious affiliation
  • Sex or gender
  • Preferences, beliefs, or interests
  • Cookies or user profiles

Other types of data that can be combined to identify a person are also personal data. This means that you will need to obtain consent to collect and process most types of data that you collect from website users.

Now let's take a look at each of the different data types in more detail.

What is Zero-Party Data?

Zero-party data is data that you collect directly from your users or customers about their preferences, interests, habits, or product wishes. All of this is personal information, because it can be either directly or indirectly connected with a user.

You can collect zero-party data through processes in which users provide relevant information to you. This could include:

  • Surveys
  • Quizzes
  • Forms
  • Interactive tools
  • Ratings and reviews
  • Social media

Here's an example of a quiz from Outfittery, showing outfit options and choices so that a personalised clothing package can be offered to customers.

Outfittery quiz interface collecting customer clothing preferences for personalized shopping experience

Here's another example from Cerave, showing a skincare routine quiz to help customers receive the right kind of products:

Cerave skincare quiz collecting user preferences to recommend customized skincare routines

This shoe finding tool from Road Runner Sports shows another example of how zero-party data is collected through a quiz or survey tool:

Road Runner Sports shoe finder tool gathering customer input to suggest best-fitting shoes

In this example you can see that information is provided directly from the user to the website, but information can also be inferred. For example, the user has said they are looking for women's shoes. This can inform marketing and advertising efforts. The company can then also infer that most likely, the user is a woman. Further women's clothing or footwear may then also be offered in advertising or marketing efforts.

Zero-party data is the most accurate data type, as users have provided it directly to you.

Zero-party data is also becoming more important. This is because laws like the GDPR are increasingly prohibiting third-party data collection behaviour. Companies like Google are also changing their practices, for example by reducing the use of third-party cookies.

In addition, users are becoming more aware of privacy issues. This will make zero-, first-, and second-party data more important for businesses and marketing companies.

Now let's take a look at the other types of data.

What is First-Party Data?

First-party data is collected by your own website or business from users, but doesn't tell you as much about them as zero-party data. For example, first-party data includes data collected through online purchase records, mobile app usage data, email marketing analysis data, or social media data.

Here's one example from The Guardian of how an email address is collected through a form for a newsletter:

The Guardian email newsletter signup form capturing first-party user data via email address

You could collect a customer's email address as first-party data, as well as information about their location or sex. From this, you could infer what products they might like, for example by marketing German products to a customer in Germany.

From this data, you can infer things about your users that they have not told you directly. You could also look at, for instance, a customer's order history to then infer what they might like to purchase next.

Here's one example of Google Play Order History, which shows several language learning app purchases. Google can then infer that this user might be interested in products to do with this topic, and may advertise in this way.

Google Play order history screen showing app purchases used to infer user interests

First-party data is not as direct as zero-party data, in which users tell you explicitly what products they like, how they rate your offerings, or what products they are interested in next.

You need to ask for consent from your users to collect this type of data from them, and explain your data collection approach in your Privacy Policy.

What is Second-Party Data?

Second-party data is first-party data that has been collected by another business from their users, and then sold or otherwise provided to you.

This could include, for example, data shared between a hotel company like Booking.com, and an airline, like Easyjet. When a user books a flight, their trip information could be shared with Booking.com, so that Booking.com can provide an offer of hotels.

You can see in the example below that the two companies partner together. Often, when you book a flight, a pop-up will appear to connect you with a hotel company. This is because second-party data is being shared.

Booking.com and EasyJet cross-promotion sharing user data for second-party marketing offers

This cooperation takes place between trusted partners. The Privacy Policy of the company that collected the data should disclose that it is sharing it with a partner (you).

Your own Privacy Policy should disclose if you share any zero-party or first-party data you have collected with other trusted partners.

What is Third-Party Data?

Third-party data is data that has been collected by an external company. This data is purchased from multiple different sources, and then aggregated. This means that the data may show broad patterns, but is not necessarily accurate to any individual user or customer.

You do not need to get consent from users to purchase aggregate data that is not personally identifiable. However, this data raises significant privacy issues, as most users do not know that their data has been sold, aggregated, and re-sold in these ways, although they are becoming increasingly aware.

Data protection laws are also increasingly preventing the use of data in such ways.

Now let's take a look at how you can get consent for different data types, and when you need to get consent.

You need consent to collect personal data, whether directly as zero-party data, or indirectly as first-party data. You also need to get your users' consent if you will share data with other companies, which will become second-party data.

The General Data Protection Regulation (GDPR) requires that consent to data collection must be freely given, informed, explicit, and unambiguous.

This means that it needs to be clear your user has consented to you collecting their data. You need to be able to prove that the consent you have obtained meets the requirements for validity.

Consent for zero-party data is generally not needed, as the user provides this information to you directly, knowing that it is used for providing them with a service or product.

However, you should still disclose in your Privacy Policy how you process and store this data, as well as how the user can withdraw consent or have their data deleted.

Here's an example from Google's Privacy Policy that explains which user data can be collected, and provides links for users to delete data or their whole account:

Google privacy policy page showing options for users to manage or delete personal data

Consent for first-party data is required, as users may not know that you are collecting information about them through your website or other mechanisms.

You can see in this example from PWC that the Privacy Policy outlines which types of data are collected directly through the use of the website.

PWC privacy policy section explaining data collection directly from website visitors

It also outlines which data is collected when a person makes a request to use PWC's services. This is also first-party data that is then used by the company to provide its services to the customer.

PWC privacy disclosure on collecting additional data during service requests by users

You need to make sure you have obtained valid consent if you are using cookies or other tracking technologies on your website.

Now let's take a look at second-party data.

For second-party data, here's an example from IMG's Privacy Policy that discloses how users' data is shared with other companies:

IMG privacy policy describing how user data is shared with business partners and advertisers

You can see that data is shared with business partners, suppliers, advertisers, advertising networks, social networks, and analytics and search engine providers. Some of this is for service-provision purposes, but some of it is for promotions, offers, and advertising.

This is not second-party data that IMG is collecting, but rather will become second-party data used by the other companies and partners that the data is shared with. If you are going to share user data with another party, you need to disclose this in your Privacy Policy.

In Europe, you need to be particularly careful not to fall afoul of the GDPR or the Digital Markets Act (DMA). The DMA has requirements in line with the GDPR about obtaining explicit, obvious, clear consent, and particularly applies in digital marketing and advertising circumstances.

For third-party data, it is hard to get consent, because most of the data is aggregated and the sources are unclear.

If you sell user data to another company that then aggregates it, this data could be sold further without the user's knowledge.

Advertisers have used third-party data for a long time, through the use of cookies and other tracking technologies. However, browsers like Google Chrome are increasingly applying cookie-restricting technologies and Privacy Sandbox approaches to limit how user data can be used and shared without consent.

What are the Similarities and Differences Between Data Types?

Many of the data types have a number of similarities. For example, all types except zero-party data are collected passively from users. In addition, much of this information is useful in aggregate form, rather than in individual form.

However, there are a few key differences which you should note. For example, zero- and first-party data are reliable and accurate, while second- and third-party data are not. In addition, zero- and first-party data have few privacy concerns, while second- and third-party data are more concerning and potentially infringing.

In the table below you can clearly see the differences and similarities between the types.

Feature | Zero-Party | First-Party | Second-Party | Third-Party
Type of customer relationship | Direct | Direct | Indirect | Indirect
Shared by users passively or actively | Actively | Actively | Passively | Passively
Needs consent? | Yes | Yes | Usually yes, depending on agreements between companies | No
Individual or aggregate | Individual | Individual, but most useful in aggregate | Aggregate | Aggregate
Reliability and accuracy | High reliability, high accuracy | High reliability, medium accuracy | Low accuracy and reliability | Low accuracy and reliability
Sharing | Not shared with others | Shared between trusted partners | Shared between companies | Purchased and shared widely
Privacy | Privacy protected, as users disclose this information directly and actively | Privacy protected, as companies disclose collection in Privacy Policies | Often privacy concerns, as users may only sometimes know their data is shared | High privacy concerns, as users don't often know their data is being shared
Examples | Marketing data collected directly from users through surveys, reviews, quizzes, or forms. | General data collected through website forms or interactions on your own website, such as email address or order history. | Data shared with you by a trusted partner you work with, such as a hotel company sharing information with a travel company. | Data purchased and collated by a data aggregating company, who then sells it to other companies for marketing or advertising.

As you can see, you need to take care when using second- and third-party data, and for zero- and first-party data you need to make sure you have clear consent. The most accurate, reliable, and privacy-respectful type of data is zero-party data. This is why it is becoming increasingly valuable for businesses in our new privacy-aware world.

Summary

Each of these different data types is widely used in marketing and advertising around the world. However, some types of data are more accurate and reliable, while others are more general and can potentially be inaccurate. In addition, third-party data is becoming less viable to obtain, as data protection laws try to prevent its use. As a result, zero-party data is becoming more valuable and more favoured by businesses.

For zero-party and first-party data that you collect directly from users, you need their consent. The company that is providing you with second-party data should have asked their users for consent to share it with you. Make sure that your Privacy Policy is clear about what data you collect, who you share data with, and whether you sell data to aggregators.
