Due to browser restrictions and increasing privacy regulations like The California Consumer Privacy Act (CCPA) and The General Data Protection Regulation (GDPR), third-party cookies are in a major decline.
Safari and Firefox have blocked cookies since 2020 — meaning around half of the internet is now cookieless. Where cookies could provide intricate insights into consumers' perspectives and habits, first-party data has now stepped in to fill the gap for brands looking to understand their audiences.
First-party data is data collected directly from consumers, customers and audiences across channels — whether that’s websites, apps, company CRMs or interviews and surveys. This data is highly accurate and gives you direct insight into consumers' perceptions, behavior and sentiment.
With the decline of cookies, first-party data has become essential. But brands need to carefully balance the need for insight with rising regulatory scrutiny and consumer concerns around privacy.
47% of consumers say they’ve ditched a company with poor data privacy practices. 172 countries now have data privacy laws in place, a 72% jump from a decade ago.
Many brands are now making consumer research privacy central to their research initiatives. To protect consumer privacy and build trust, research teams must balance insight depth with research data transparency, consumer autonomy and control and compliance.
In this post, I show you how you can support privacy-first insights, moving beyond CCPA and GDPR research compliance — building privacy and consent into the foundations of every research project.
Privacy regulations are still evolving. Companies now need to have an explicit, verifiable purpose for collecting data from consumers. Here’s some of the recent legislation impacting research privacy.
A host of privacy laws including GDPR in Europe, CCPA/CPRA in California and emerging frameworks in Asia and South America now demand a privacy-by-design research approach from brands collecting and managing first-party consumer data.
By legal design, privacy considerations have shifted from a post-research boxtick to a foundational part of early-stage research design. Privacy risks must be fully considered, anticipated, managed and integrated into brand research.
Companies have been fined over $8 million due to GDPR violations, with over 400 daily breach alerts recorded for 2025-2026. Companies have also racked up fines amounting to over $4 million in the first three months of 2026 alone following California’s enforcement of CCPA legislation, with Disney/ABC paying out the largest penalty to date — $2.75 million in February after they reportedly failed to honor customers’ decisions to opt out of sharing their personal information.
Consumers have also become more data privacy savvy. They now have a better understanding of privacy and data breach risks and are demanding more transparency and control from the companies they give their business and information to.
73% of consumers say they feel they lack control over how companies use their personal data, while over 70% of consumers say they want more regulations about how their data is used.
Adam Hartley, writing for Spreckley, says: "What was once buried in terms and conditions or relegated to compliance checklists is now a defining factor in how people choose products, trust brands, and engage with digital services. Today’s consumers are not only aware that their data is being collected, but they actively question how it is used, who benefits from it, and whether companies can be trusted to protect it. This shift represents more than a regulatory challenge. It signals a fundamental change in consumer expectations. And a new competitive reality for tech companies."
With browsers like Safari and Firefox blocking all third-party cookies, as of 2026 around 50% of all web traffic is now untraceable when it comes to third-party trackers. Many consumers also take active steps to stop companies from tracking them with 62% of consumers saying they feel uncomfortable and choose to opt out of online tracking.
With less access to this consumer data online, first-party insight collection has become an even more integral part of companies’ audience discovery process. Companies are directly asking for more information from consumers to build their insights. In return, they’re requesting consent more often, offering more transparency and building privacy considerations and data protection into the foundation of their research approach.
Based on these shifts, companies are moving from reactive compliance to proactive trust-building. From mandatory consent to full transparency around data storage, processing and retention, companies are taking a number of steps towards putting consumer privacy and ethical data collection at the center of their research programs.
To ethically collect first-party information, companies must deliver both transparency and clarity. While data privacy is a huge concern for 92% of Americans, 56% of consumers report that they “always agree” to privacy policies without reading them.
And it's often lengthy terms and conditions filled with complex, jargon-heavy language that get in the way of clarity and consent — undermining data privacy in research. In order to collect data ethically, you need to prioritize providing clarity on data storage, processing and retention. Pare back complex technical terms and make sure consumers get the chance to clarify and ask questions on anything that’s unclear.
A privacy-by-design framework puts purpose-driven collection at the forefront. Every piece of data you collect should have a pre-clarified, time-bound end goal. When it comes to ethical, privacy-first research, data is never collected in case it may be of use later. You collect data to answer a specific question or prove a specific hypothesis. In order to follow CCPA/CPRA laws, you can’t later repurpose or reuse the data you collect now.
When it comes to providing consumers with transparency on data storage and retention, the aim is to deliver both understanding and greater confidence in how your brand will use their data. Tell them exactly how their data will be collected, processed, stored and transferred. Inform them of the purpose of data collection and storage and tell them how long you’ll store their data. It’s also important to let them know their rights, such as whether they can opt out and request their data be deleted in full later.
Data privacy and insight generation are not necessarily contradictions. As researcher Jaap Wieringa and his team say, "Data is considered the new oil of the economy, but privacy concerns limit their use, leading to a widespread sense that data analytics and privacy are contradictory. Yet such a view is too narrow, because firms can implement a wide range of methods that satisfy different degrees of privacy and still enable them to leverage varied data analytics methods."
Here’s how to balance the two.
Anonymizing data, which involves removing any personal information that could be used to identify someone, is one of the most effective ways to protect consumers' privacy. Names, addresses, phone numbers and information on where someone works are some examples of things that may be anonymized during a research project.
Aggregation is another key part of protecting consumers' privacy. Aggregated data is data that groups information into broader trends. Think of post codes rather than addresses or the most common opinions on a product package rather than one person’s sentiment.
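The two steps above, sketched in Python as an added example (not Zappi's code): direct identifiers are dropped, postcodes are coarsened to their outward part, and opinions are reported per area. The field names, the UK postcode format and the small-group suppression threshold are assumptions that go beyond the text.

```python
from collections import Counter, defaultdict

# Direct identifiers named in the passage; the field names are assumptions.
DIRECT_IDENTIFIERS = {"name", "address", "phone", "employer"}
MIN_GROUP_SIZE = 3  # assumed threshold: a smaller group could single someone out

def anonymize(record):
    """Return a copy without direct identifiers and with a coarsened postcode."""
    clean = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Assumes UK postcodes: the inward part is always the last three characters,
    # so "SW1A 1AA" and "SW1A1AA" both become "SW1A".
    clean["postcode"] = record["postcode"].replace(" ", "").upper()[:-3]
    return clean

def aggregate(records, min_group=MIN_GROUP_SIZE):
    """Most common opinion per postcode area; small groups are suppressed."""
    by_area = defaultdict(list)
    for rec in map(anonymize, records):
        by_area[rec["postcode"]].append(rec["opinion"])
    report = {}
    for area, opinions in by_area.items():
        if len(opinions) < min_group:
            # Report only that the group exists, not what its members said.
            report[area] = {"respondents": f"<{min_group}", "top_opinion": None}
            continue
        top, count = Counter(opinions).most_common(1)[0]
        report[area] = {"respondents": len(opinions), "top_opinion": top,
                        "share": round(count / len(opinions), 2)}
    return report

# Constructed sample responses (not real people or data).
FIELDS = ("name", "address", "phone", "employer", "postcode", "opinion")
ROWS = [
    ("Ana Example", "1 Sample St", "555-0100", "Acme", "SW1A 1AA", "likes new pack"),
    ("Ben Example", "2 Sample St", "555-0101", "Acme", "SW1A 2AB", "likes new pack"),
    ("Cy Example", "3 Sample St", "555-0102", "Initech", "sw1a2ac", "prefers old pack"),
    ("Di Example", "4 Sample St", "555-0103", "Initech", "SW1A 2AD", "likes new pack"),
    ("Ed Example", "9 Other Rd", "555-0104", "Globex", "M1 1AE", "prefers old pack"),
]
RESPONSES = [dict(zip(FIELDS, row)) for row in ROWS]

if __name__ == "__main__":
    for area, summary in aggregate(RESPONSES).items():
        print(area, summary)
```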
Ethical segmentation refers to the practice of grouping research participants based on declared intent and behavioral engagement rather than sensitive personal attributes, avoiding discrimination.
Ethical segmentation works with active consent and does not exploit irrelevant personal information that consumers did not intend to share. For example, consumers may be categorized based on the level of loyalty they show to a brand — such as early-stage skeptics or loyal VIP customers (reflecting behavior).
By prioritizing privacy-first insights, transparency and consumer consent, you can differentiate by building trust as a brand asset. With so many brands prioritizing collecting consumer data at the expense of consumer privacy, brands that take consumer data and privacy seriously quickly stand out as brands that value ethics and integrity over profit.
By showing you’re a company that takes data privacy and transparency seriously, consumers trust you more. This often leads to more honesty, authenticity and openness in their research responses. By providing consumers with greater transparency and more control over their data, you break through skepticism and mistrust, which typically leads to higher response rates and more detailed and open feedback.
Here’s how to implement it.
Work with vendors that prioritize data privacy and security. Before you agree to work with a vendor, make sure you do your due diligence. Here’s what you need to cover:
Check the certs: Two of the main certifications to look out for are the SOC 2 Type II with privacy criteria and the ISO/IEC 27701. As a continuation of the ISO 27001 (information security), the System and Organization Controls 2 (SOC 2 Type II) with Privacy Trust Services Criteria sets the international standard for Privacy Information Management Systems (PIMS). Look for a Type II report that includes the Privacy Trust Services Criteria. This will verify that a vendor has proven they follow their own privacy policy on the collection, use, retention and disposal of consumers' data. A framework such as the ISO/IEC 27701 provides guidelines for effectively managing Personally Identifiable Information (PII) for controllers and processors. This certificate shows that a vendor has gone beyond IT security developments and has put a dedicated, comprehensive and audited system in place to help protect data privacy.
Audit annually: Undertake regular audits of your current vendors to make sure they’re fully compliant and continue to share your business values around data and security. To make sure your vendors continue to meet the data privacy and security standards you’ve set for your brand and partners, include the right to request third-party audit reports, such as SOC 2 Type II or ISO 27001 certifications, each year in your contracts.
Review their policies and procedures on generative AI: Want to pre-vet vendors using generative AI? It's important to review how vendors use consumer data to train their AI models. Look for vendors that have "zero-retention" or "opt-out" policies for model training to make sure consumer data isn’t kept longer than it’s needed for.
An important part of protecting consumer data is making sure departments that handle data are in sync and held to the same standards. Work to develop cross-functional alignment across legal, IT and your insights and marketing teams to make sure that data privacy is fully integrated into the lifecycle of your research program.
Set up a compliance team that includes heads from each department who can build frameworks together, agree on approved vendors, review research approaches and project designs and continue to hold each other accountable when it comes to compliance.
Ongoing auditing and updating documentation is another essential part of making sure your internal workflows stay compliant and that your processes are reflected in your compliance records.
Focus on centralization: Centralize contracts, consent forms and participant information sheets.
Set up automatic reminders: Schedule automated reminders to make sure consumer data is anonymized and removed after your retention period finishes.
Map data: It’s important to maintain full visibility into consumers’ personal data and its usage over the course of your project, from initial collection through to deletion. Provide detailed information on data sources, flows and storage location.
Include incident response plans: These should provide step-by-step guidance on what to do if there is a data breach. Include who on the team is responsible for specific responses, which organizations must be notified and when these steps need to be taken (such as within 24 hours).
Here’s how to anticipate continued regulatory and cultural evolution and make sure you keep building trust when it comes to consumer privacy.
The more visibility you can give consumers around data usage, the better. Consumers’ mistrust and cynicism around how companies use their personal data is only set to build. Transparent dashboards give consumers full visibility into how their data is being used, stored and processed.
Dashboards that deliver transparency and control, allowing consumers to easily review and manage their data and retract consent if they wish, fully satisfy GDPR and CCPA requirements and build trust with consumers. They also help distinguish your company as one that prioritizes consumer trust, consent and autonomy over business interests, improving loyalty and research engagement.
41% of Americans mistrust AI with consumers showing increasing concerns around its safety and the risk it poses to every area of their lives — including privacy. With AI evolving faster than regulations can keep up, it’s essential to make sure your AI usage remains both ethical and compliant.
"We see AI as a threat to what we care about. Overwhelmingly, over the near term, people think AI will worsen almost everything they care about. We asked people whether they thought AI would improve or worsen a range of salient issues, ranging from the economy to politics, health and society. The pattern is clear. The trend is negative for every issue except health care and pandemic prevention." - Seismic Foundation
Data governance should be a top priority. Put frameworks in place that make sure the data AI collects, processes and analyzes is only collected from ethical sources and that it does not store data for longer than is required to complete your research. Annually audit your AI-based tools and systems to make sure security, non-bias and privacy continue to be upheld.
AI-based consumer insights platforms like Zappi were designed for privacy-first first-party insight collection. At Zappi, we couple secure data handling, consumer consent and transparent research practices with delivering high-quality audience intelligence.
Our platform focuses on zero-party data. That means we only collect and analyze information shared directly by consumers with their full consent. Our platform is ISO27001 compliant and allows users to request the deletion of their data in line with GDPR and CCPA regulations. Personal data is encrypted, secured using Virtual Private Clouds with restricted network access and restricted for use by authorized users only.
With so many brands putting profit over people, brands that prioritize privacy, consumer consent and control often win consumer trust and quickly build long-term loyalty. 27% of consumers say their main driver for staying loyal to a brand is strong ethics, while four in five consumers say they won’t do business with an unethical brand.
"Trust is under fire across a variety of contexts: in the news, in our relationships, in our leaders and our belief in brands, and especially for Gen Z, whose BS is on high alert."
- Amy Davies, VP Insights and Publishing, Vice Media
Despite the benefits of trust and transparency, only 29% of companies cite transparency as a top company value. Whether on the employee or customer side, transparency, honesty and authenticity are becoming increasingly important to consumers in a rising global cultural climate of mistrust, anxiety and misinformation.
Data privacy in research is no longer optional or purely legal. It’s a core part of building customer confidence and preserving customer trust.
As a brand, you need to ace the balance between compliance, transparency and insight depth — as each needs equal attention to both strengthen consumer trust and provide the basis for an innovative, insights-led strategy.
In a growing climate of consumer skepticism and mistrust, moving to a privacy-first approach can be a core differentiator for brands looking to reassure consumers and win their long-term trust and loyalty.