• by Adam Cahill , Op-Ed Contributor, August 9, 2023

You can't have a point of view on data privacy in marketing without first having a point of view on data itself.

The challenge is that the common ways we have to describe data make thinking about data privacy and data ethics unnecessarily complicated. Rather than help marketers clarify their obligations to treat people fairly, the definitions we often use end up adding nuance that actually makes it easier to avoid responsibility.

Sometimes data is described in terms of where it is sourced. First-party data is gathered on your own website. Zero-party data is like first-party data, except given willingly. Second-party data is someone else's first-party data. Third-party data comes from… well, no one really knows where third-party data comes from.

Data is most often described in terms of its relationship to a specific identity. We talk about personal data, personally identifiable data, and sensitive data. Or we talk about data that has been made less identifiable: anonymized, de-identified, tokenized, and so on.

When we think about data privacy as a concept that is primarily about identity, there is a tendency to take liberties with data that are not in line with the expectations of real people. The implication is that as long as data is not personally identifiable, it is okay for marketers to use as they see fit.  

Identity is far too narrow a framing for data privacy, and certainly for marketing data ethics. Rather than think about data in terms of where it was sourced or how identifiable it is, marketers should think about data in terms of how it was created. 

This is a much simpler way to think about it, because all of the data marketers use is created in exactly the same way. The data is created when people live their lives, online or off, and their actions are tracked and recorded (usually without their knowledge or consent).

The data is always personal, whether or not it is identifiable.

When you think about data as something that is always created by real people living their real lives, it becomes possible to think of data privacy as a concept that is really about agency (not identity). If people create data, and the data is about their lives, then it follows that they should get to decide how it is used, if at all. 

To use data clean rooms as an example, the most important issue is not whether someone's data can be shared in a way that hides personally identifiable information. The real issue is whether that person had the opportunity to decide if their data would be shared in the first place.

Marketers can enact a philosophy led by data agency in two ways. 

First, in their direct interactions with people. This is as simple as being open with people about what data you propose to collect, and making it easy for them to control how their data is used. Sleight of hand and burying the details in a privacy policy would no longer be part of the playbook.

Second, marketers can choose to partner only with data providers that can demonstrate that they source data in ways that allow for agency. Most (if not all) third-party data sources would not meet this standard, but that would encourage brands to further invest in strategies for sourcing legitimate, consented first-party data, which is a path to future competitive advantage. 

The upside to a data strategy organized around the concept of agency is clear. Brands that adopt this approach will build trust and preference with their audiences, because they are demonstrating respect for the people they interact with, which I wrote about here.

There is also an important operational benefit: brands that are guided by data agency will greatly reduce the complexity of complying with data-privacy regulation, which is incredibly time-consuming.

When data agency is the operating principle, brands will find that many of their activities are in a sense compliant-by-default.

That makes for much faster, and much easier, conversations about regulatory risk.