Zero-Party Data vs. Declared Data
A survey is still a survey.
Asking people about their preferences (rather than inferring them) and then keeping them in a way that such people have no easy way to modify them or somehow stay in control has little to do with Zero-Party Data.
This would qualify as “declared data” but remain First-Party Data while retained (or “owned”) by the business that collected it in the first place. It could also turn into Second-Party Data if said business enters into an agreement to combine it with other data sets maintained by another company. And it could become Third-Party Data given a longer chain of custody and a total loss of control over its eventual recipients.
In short, the self-declared or inferred nature of data refers to the level of awareness on the part of the data subject. On the other hand, the Zero-First-Second-Third Party distinction relates to the distance between an individual’s sphere of agency (or control) and the data itself.
As I have argued before, there is a primary difference between Zero-Party Data and all of the rest: True customer centricity. Businesses will defend “their” First-Party Data tooth and nail, but it is up to their customers to preserve, enrich, maintain, and ultimately kill a Zero-Party Data set. Businesses will determine the purpose of processing “their” First-Party Data and ask consumers to “wilfully” consent to such purposes. But it is consumers who, once presented with its impact on a particular value proposition, have a say in sharing it in a Zero-Party Data scenario.
Finally, the decentralization of personal data storage is an entirely different problem. Of course, a world of edge-based personal data “pods” would greatly simplify the entire debate, but we don’t need to reach such nirvana (that I for one consider unattainable) for agency and control to make sense. And there is always a suitable middle road: cloud-based personal assistants that can act as intermediaries between both consumers and businesses, guaranteeing personalization and curatorship for the former and a Privacy-First approach to leveraging Zero-Party Data for the latter.
*******
SIDE NOTE (a legal point of view)
The EU GDPR’s article 6 provides six possible lawful grounds for processing personal data: consent, contract, legal obligation, vital interests of the data subject, public interest, and legitimate interest.
I subscribe to the (ok, counterintuitive) view that “consent” is the GDPR’s least human-centric (and thus, less suitable to Zero-Party Data) of all available legal bases, whereas “legitimate interest”, itself naturally flowing from the obvious need for a particular data point in a personalized shopping or service delivery scenario, represents the most pure embodiment of Privacy by Design principles.
And this latter point could provide the ultimate test: Do you need to ask for consent? You probably cannot justify collecting that data from the individual’s point of view. Relying on a contract or legitimate interest? Your interests are more likely to be aligned (that is, given a proper test for such legitimate interest).