Top 6 Tips on Staying Compliant When Working with Zero-Party Data

Annabel Pemberton
Annabel Pemberton

Browsers are taking the lead in changing how businesses interact to their customers through the internet, by creating consumer privacy features such as ITP (intelligent tracking prevention) and ease of use privacy features. However, the future for advertising and marketing does not need to be bleak. Companies may instead need to devise effective campaigns which, in exchange for their data, provide rewards to loyal customers. Zero party data therefore can still provide companies with the data they need to provide ever evolving, personalised experiences. 

However, it would be a mistake to think these experiences are exempt from Data Protection Laws. This would ignore the whole data lifecycle. 

Whether you are collecting first, second, third or zero party data, it is important to comply with Data Protection Laws in the processing, storage and security of the data. Even though zero party data does not rely on cookies and trackers, you should make sure you are designing your campaigns with privacy in mind. At the end of the day, whether you use a cookie or an interactive experience to collect data, you are still holding what could be personal data.

Watch this short video for an introduction to the three things companies need to do to respect privacy and data protection laws while collecting and working with zero party data.

Respecting Data Protection in a Zero Party Data Exchange 

Collecting zero party data best works when a customer trusts the brand and receives an incentive from providing data. We shared some examples in our guide to zero party data. 

Even if you establish a dialogue with the user which facilitates the flow of data, it is still important to keep data protection principles in mind.

1. COLLECTION: Be Honest

Just because the user has given you that data, it is important you are honest how the data will be used. This does not mean you need to provide lengthy policies, but you should indicate what data you will be storing, where it will be processed, and the reason for the processing. As more consumers become increasingly intentional about the data they share, zero party data provides a great opportunity to also attract more data-conscious customers, by providing more control to them.

Our weblayers at Bloomreach allow you to clearly collect answers while indicating to users how you are processing the data such as a link to your Privacy Policy.

2. HANDLING: Rights Under Data Protection Law may Still Apply

Remember that whatever data you may collect, your users may request for its deletion or access to it under GDPR, CCPA or a Data Protection Law. If you are processing data, you also need a legal base to do this. True zero party data collection will fall under legitimate interest as it is wholly expected by users that this data will be used to personalize their experience in this way. 

It is therefore important to keep your data in good order. Our single customer view with an option to download data for specific project roles, allows for easy fulfillment of this aspect, even if the data was not collected with a cookie.


People change. Even the greatest brands do not fit everyone, so it is important you always give an option to opt out, or for users to have their data be deleted. Without doing this, even zero party data could put you at risk of frustrated customers alerting data protection authorities. 

In addition to letting your users know how you will handle their data, inform them clearly how they can unsubscribe. You can even personalize your Bloomreach consent page to indicate to your users what they have opted into and out of.

4. ANALYZE: Be Fair

Whenever you collect data, remember to consider the context you are operating with. While collecting data as zero party will be mostly fair, other circumstances can present situations of imbalance of power. For example, keep an eye on contexts which strongly associate handing over sensitive data in exchange for a better service or treatment.

Even if your data has been collected ethically and processed with notice, you could still segment to produce unfair results. Therefore, you take responsibility for how you analyze and create campaigns based off of any data you collect.

5. RENEW: Be Creative

Data Protection Law is supposed to protect the free flow of data, not restrict it. The best way to collect data is by providing a relevant and engaging experience, which allows the user to fully engage with and feel connected to your brand. 

Some examples: 

Become a style advisor: If customers click on items and try different filters, you could recommend a quiz for them to find their favorite style. Through gamification, the customer begins to engage with your website in a new way, anticipating the answer from the quiz. For the brand, it is an opportunity to understand the granularity of the customer journey, without leveraging third party trackers. 

Help out a friend: Give your customer the chance to help out other customers by asking them to actively suggest what would look good with their recent purchase. Rather than suggesting to them what else they could buy, customers can be asked what other product would fit best with the item they are purchasing. This data can power community-driven recommendations and allow the customer to feel they are contributing to your brand. 

Value their opinion: Part of using zero party data is a value exchange of data for a reward. Some customers will appreciate having an active say in how the website is arranged, how they are shown items or why they didn’t buy an item. For example, if users delete an item from their basket, make it easy for them to tell you why they deleted that item.

6. VIGILANT: Keep It Secure

Finally, any personal data collected must also be stored securely and be guarded from data breaches and attacks.

Using a vendor like Bloomreach, who has a number of security features built directly into the application, allows you to collect data through zero party or third party methods. Some of these measures include password controls, Identity Access Management (IAM), DDoS protection, Firewall and Data encryption (SSL/TLS and AES).

The Takeaway

Zero party data will be used more in the light of cookies and third party trackers being phased out by popular browsers. Bloomreach has already observed that several browsers are now utilizing ITP and utilization of zero party data will certainly be a useful alternative. However, just because the customer gives the data freely does not mean data protection should be disposed of for the processing and storage of that data. All marketers should remember privacy and data protection principles when designing campaigns.


Annabel Pemberton

Deputy DPO

Annabel Pemberton is one of Bloomreach’s security experts. With her passion for consumer rights and privacy, a Law degree, and experience helping ecommerce companies become GDPR/CCPA compliant, Annabel knows how to turn security and data protection into business opportunities.

Share with Your Community

Recent Posts

Maintain an Edge With These New Posts


Subscribe to get our hot takes on ecommerce topics, trends and innovations delivered to straight your inbox.

Life With Bloomreach

Watch this video to learn what your life could look like when you use Bloomreach.