Zero-party data and the future of personalization

If you’ve ever strolled the streets of Amsterdam, you probably noticed the city’s unique architecture. Houses are narrow, tightly stacked in rows, and almost entirely fronted with windows. And if your walk happened to take place at night, you might also have peeped into living rooms and kitchens belonging to numerous Dutch families. Why? Because never closing the curtains or blinds is common in Dutch culture, and many people don’t even have them.

This “nothing to hide” attitude has historical roots in one-time religious beliefs about honesty and trustworthiness, as well as the fact that uncovered windows let light — and a sense of spaciousness — into the city’s tiny dwellings. But it also makes it so that passersby can see the interiors of others’ homes.

In many other cultures, these spaces would be considered private. Not by the Dutch. 

What’s considered private — and what’s public — differs across nations and ethnicities, across generations, and among different socioeconomic groups. And it’s subject to change as people learn more and refine their thinking. 

This is the case in the Netherlands, where younger residents and immigrants are more likely to install curtains

And it’s true for popular attitudes about data privacy, which continue to evolve as consumer awareness about the value of personal data — and how it’s being used by companies — grows. 

Cultural differences help explain why different countries and regions have different regulations. It will be increasingly important for digital leaders and marketers to keep these differences in mind as they seek to optimize customer experiences for a future in which they’ll no longer be able to rely on third-party cookies.



The birth of the privacy era

Cookies have been around since the dawn of the World Wide Web. They were first introduced in the Netscape browser back in 1994, where they made it possible for online shoppers to keep items in their carts without buying them right away. 

This technology, in which snippets of code were stored by end users’ browsers, transformed the internet from a mostly anonymous place to one where clicks left a lingering footprint, and where, as a New York Times article put it, “records of one’s transactions, movements and even desires could be stored, sorted, mined and sold.”

Initially, cookies were collected by default, with no opt-out mechanism offered. Users weren’t even notified of their existence. 

When cookies were just beginning to be harnessed for advertising purposes — and shared between third parties — early concerns were already being voiced about the privacy implications of this emerging technology. And the first directive to block the collection of third-party cookies was issued by the Internet Engineering Task Force in 1997. Both Netscape and the creators of the then-new Internet Explorer browser ignored the IETF’s recommendation.

This dance—between technology companies that rose to become the world’s most profitable organizations, regulators, and consumer privacy advocates—would continue over the next two decades.  

While the ePrivacy Directive was implemented across Europe and led to changes for cookies regionally, in the USA, the U.S. Federal Trade Commission (FTC) led the charge with its ‘Do Not Track’ initiative with widespread changes in how companies disclosed details that were not immediately visible to the consumer. But because efforts appeared to fizzle in the face of resistance from the online ad industry, and the group tasked with defining how ‘Do Not Track’ would work ultimately failed to create  a standard.  It wasn’t until 2016, with the adoption of the General Data Protection Regulation (GDPR) in Europe, that regulations became a major deterrent. The GDPR marked a sea of change in personal data privacy law, not only extending broad and comprehensive protections across sectors, but also outlining significant penalties for non-compliance, including fines of up to four percent of a company’s annual global revenues. 

From widely-publicized accounts of the Cambridge Analytica scandal to impassioned critiques of surveillance capitalism, the years since the GDPR’s adoption have seen mainstream media outlets publish a growing number of warnings about the dangers associated with extracting, manipulating and selling consumers’ personal data. 

Popular attitudes have shifted as well. By 2021, as many as 72% of Americans reported being worried that what they say and do online is being tracked by companies.

Meanwhile, Apple has sought to position itself as the most privacy-focused consumer technology company, and its successes reveal the benefits of leveraging privacy as a brand differentiator. 

On the mobile marketing side, Apple eliminated default sharing of a user’s Identifier for Advertisers (IDFA) in 2021, transforming how mobile advertisers track the success of their campaigns (a move they’re still trying to come to terms with) and introduced new privacy features protecting users’ email addresses. 

These protections weren’t welcomed — or even noticed — by all consumers. But with multiple U.S. states passing or proposing consumer data privacy laws in 2021 and 2022, with growing numbers of countries joining the E.U. in adopting data privacy standards, and with levels of awareness of these issues higher than ever, it’s clear that digital leaders and marketers must take both shifting consumer preferences and changing regulatory standards into account as they prepare to operate in a post-cookie world.

The new paradigm for digital marketing: trust and transparency

Google first announced that it planned to make third-party cookies obsolete in 2020. While the deadline to end support for cookies has since been pushed back several times, there’s little doubt that these delays are temporary. Still, as many as 75% of marketers report that they still rely “heavily” on third-party tracking cookies.

The need for new strategies — ones that respect emerging consumer preferences and regulatory trends — is obvious. 

But the shift should entail more than just finding new ways to gather and correlate the data necessary to keep offering customers the same personalized experiences in the same ways you did before. 

Instead, it should involve placing trust and transparency at the heart of your relationships with customers, asking their permission before gathering data. You should try to truly understand their preferences, and respect them.

A recent survey by McKinsey and Co. reveals that 71% of today’s consumers expect personalization from brands they engage with online. And 78% of them are more likely to make repeat purchases from companies that personalize. But you’ll notice that neither of these ratios is 100%. 

How can you make the 29% of consumers who don’t expect personalization happy along with the 71% that do? 

The answer is delivering frictionless online experiences always, asking for consent, and empowering your customers to manage their own data.

“Today’s marketers can meet consumer expectations and regulators’ requirements by being transparent, having clear opt-in policies, and giving customers control over their own data,” says Matt Duench, Senior Director of Product Marketing at Okta. “Make sure that you’re being open about what data you’re collecting, how you’re collecting it, and what you’re using it for. Make sure that your customer is aware that you’re asking for—and obtaining—their consent. And give them visibility into their own data, as well as the ability to go in and manage it themselves.”

The merits of Zero Party Data

Are there more open and transparent ways to collect the data that will allow you to deliver the personalized experiences that the majority of consumers — even those that are more sensitive to privacy issues — still want? Of course there are! 

Zero Party Data, defined by Forrester Research as “data that a customer intentionally and proactively shares with a brand,” can include “purchase intentions, personal context, and how the individual wants the brand to recognize her.” This is information that customers choose to share with brands, often in exchange for more personalized experiences, more streamlined interactions, or another form of value.

For instance, if you let the crowdsourced review site Yelp know that you are a vegetarian, it will stop recommending steakhouses to you and instead offer up vegetarian-friendly restaurant recommendations. 

Leveraging Zero Party Data (ZPD) ensures that the experiences you deliver will always be welcome, always be relevant, and may help you comply with regulatory requirements — because using ZPD adheres to the spirit as well as the letter of the law.

ZPD can be gathered through product finder quizzes, conversational opt-ins or surveys. Or you can simply ask users to input their preferences into a user profile, as Yelp does. 

The key is that data collection is done in a manner that’s secure, transparent, and under the user’s control. Customers that don’t want to share their data — preferring, for instance, to see the full assortment of restaurant reviews from Yelp, and to screen out those that are irrelevant themselves — can simply opt out.

Brands can combine insights from ZPD with first-party data — the data that users generate as they interact with your site, including search history, session metadata and analytics — to better understand their users’ preferences and tendencies. First-party data is often anonymous, which can make it difficult to integrate the two data types. 

And the principle of transparency still applies. Brands should be clear about the types of first-party data they are collecting, publishing privacy policies that are visible, easy to understand, and respectful of consumers’ wishes. 

How to personalize digital experiences — while staying compliant and respecting privacy

1. First of all, understand that not every consumer wants their experiences to be personalized. 

Treating your customers with respect means offering a variety of options. 

Guest checkout, for example, will meet the needs of those who want a low-touch purchase experience that’s quick and easy. Other shoppers may prefer to create an account right away, while still others may prefer to share additional information about their preferences over time, as they build a deeper relationship with your brand.

“Many times, online shoppers just have a mission,” says Nicolas Rodet, SVP and Global Head of Digital at Okta. “When they visit your website, they just want to get the job done as quickly as possible. Often, they just want to be left alone. If they don’t have to engage with anyone, they’ll have better experiences.” 

“Customers won’t tell brands that they’re being invasive. Instead, they just don’t engage with you and go somewhere else instead. People’s patience has worn really thin.”

2. Have an opt-in policy.

Regulatory requirements (specifically, the GDPR) require that consent be “freely given, specific, informed and unambiguous.” Site visitors must take clear steps to indicate that they agree to be tracked, not just do nothing. 

Publish a clear and straightforward opt-in notice, so that customers can readily understand which data they’ve agreed to share, and for which purposes. 

Even better, offer users the ability to manage the data they’ve consented to share. If they’ve decided they want greater privacy, they can remove information. If their email address has changed, they can update it. And if they’d like to share more details about their current needs and preferences, they have the ability to do so. 

3. Consider progressive profiling.

Relationships with customers are just that: relationships. Just as you wouldn’t ask someone to marry you on the first date, you shouldn’t ask for large amounts of detailed information at the first login.

Instead, start with the least amount of data possible (that’d still allow someone to create an account). You can build from there, asking more questions based on context clues, what stage of the buyer’s journey someone is in, and what products or features they’ve signaled interest in.

Match the amount of effort that answering questions would take with the amount of value you’re able to provide. 

Remember that in the world of Zero Party Data, privacy-conscious consumers aren’t absolutely unwilling to give up their personal information. They’re simply not ready to do so if they’re not engaged in a trusting relationship. Or if they’re not getting anything of value in return.

In the cookieless future, marketing will still be data-driven, and personalization will still be based on understanding your customers thoroughly and deeply. In fact, collecting Zero Party Data can enable you to know more about them than ever before, and to strengthen relationships at the same time that you’re gathering information — a new opportunity.

However, to achieve this (admittedly lofty) aim, you need the right technology foundation. Not only can a modern CIAM easily capture the basic biographical information needed to create an account, but it can also be used to build the custom data capture workflows that make progressive profiling possible. CIAM has the advanced capabilities needed to offer customers the ability to express detailed preferences when giving consent, and change these preferences at will. In addition, the right CIAM solution can be integrated with your customer data platform (CDP) to link first-party and Zero Party Data together.  This way, you can create a 360-degree customer view that’s future-ready.

Reach out to our team to learn more about how Okta Customer Identity Cloud can support your personalization strategy.

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials.  Information regarding Okta's contractual assurances to its customers can be found at