Learn More About Data Privacy From Two Rivers

While collecting consumer data is extremely valuable for organizations and marketers, ensuring its protection has become a priority around the world. As we continue to see a rise in new data privacy frameworks, it’s clear that we must learn how to navigate the global data protection landscape. But with ever-evolving policies and regulations, it can be hard to keep up. In this blog post, our digital marketing experts answer questions about data privacy and discuss what’s ahead.

Q: What’s the difference between zero-, first-, second-, and third-party data?

Ashley Netzer, CRM and Marketing Automation Director, Headshot

Ashley Netzer, CRM and Marketing Automation Director

A: With Google’s upcoming third-party cookie phase-out, brands should prioritize collecting more zero- and first-party data. That’s because these types of data are intentionally given to brands by the consumers. To break it down further, zero-party data is information that a consumer proactively shares with a brand or company. This could occur during a survey or poll, and the information obtained is typically used for personalization and dynamic content. For example, Jane Smith filled out a survey indicating that she is interested in buying a piece of equipment.

When it comes to first-party data, there are two types we need to discuss: first-party known and first-party unknown. First-party known data is a company’s directly procured data that is gathered from its value exchange with consumers and prospects. This typically happens through sign-up forms. Let’s say Jane signed up for a monthly e-newsletter. In this instance, her email address would be first-party known data. First-party unknown data simply refers to anonymous contacts who can become first-party known if certain action is taken, like engaging with content and providing an email address.

Second-party data is another organization’s first-party data that they sell directly — in other words, there is no data aggregator. Similarly, third-party data is sourced from various known industry partners. It’s often used to enrich first-party data or to connect with new audiences. An easy example of third-party data would be an email list of people interested in an upcoming industry trade show.

Q: What’s the latest with U.S. regulations?

Anna VandeVenter, Digital Experience Director, Headshot

Anna VandeVenter, Digital Experience Director

A: Five states have enacted these comprehensive consumer privacy laws: California Consumer Privacy Act (CCPA) and its amendment California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (ColoPA), Connecticut Data Privacy Act (CDPA), and Utah Consumer Privacy Act (UCPA).

The CPRA and the VCDPA took effect on January 1, 2023. Both laws establish new and complex protections for consumers and obligations for businesses. However, an often-overlooked provision in the CPRA delays enforcement until July 1, 2023, giving businesses time to refine their compliance programs and avoid costly penalties. Additionally, other states have active consumer data privacy proposals, including Michigan, New Jersey, Ohio, and Pennsylvania. But the introduction of the American Data Privacy and Protection Act (ADPPA) could change all of that as Congress is considering one national privacy regulation that would preempt all state privacy laws.

Last, the new European Union-U.S. Data Privacy Framework — implemented in October 2022 — reestablishes clear data-sharing rules between the two entities. This gives companies that handle EU personal data legal peace of mind.

Q: What are some considerations for lead generation from a privacy and data management perspective?

Hillary Ferry, Sr. Digital Marketing Director, Headshot

Hillary Ferry, Sr. Digital Marketing Director

A: Data privacy will remain at the heart of our lead-generation strategies in 2023. At its core, lead generation involves identifying and nurturing potential customers by acquiring personal information, or PII, like name and contact information. With an increased emphasis on collecting zero- and first-party data and the rise in data privacy regulations and scrutiny, there are a lot of things to consider.

First things first: We must only collect information that is necessary to follow up on the request. Next, we need to ensure that the data is collected in a compliant and secure manner, with proper disclosures about what’s being collected, how it’s being used or shared, and how it's being processed and stored. In addition, there needs to be opt-in language on all forms and any subsequent communications. This includes information on how to unsubscribe from communications from your organization. Of course, all related disclosures and privacy policies must comply with applicable laws and regulations. If you are sourcing any data from third-party or external sources, it is also your responsibility to ensure that it is compliant.

Q: What is Two Rivers Marketing doing to prioritize data privacy?

Rachel Adams, Executive Director, Headshot

Rachel Adams, Executive Director

A: We recently held a very robust internal training session on data privacy. Our team provided a refresher on foundational considerations, including lead generation, zero-party through third-party data, and existing data privacy regulations. We also discussed Google’s third-party cookie phase-out, as well as other upcoming regulations and what that means for the future of marketing.

Additionally, we recently updated our data management policy, which all associates are required to acknowledge and sign on an annual basis. We also ask our vendors to sign a data management agreement to make sure they’re using best practices and keeping data secure. We audit this policy periodically and make adjustments as needed to follow all regulations and applicable laws.


In addition to the delay of Google's third-party cookie phase-out and evolving U.S. data privacy regulations, we're keeping a close eye on Google Analytics 4 (GA4), which aims to fill the data privacy gaps currently present in Universal Analytics. GA4’s privacy features include a data deletion mechanism, shorter retention period, and IP anonymization.

Equally as important as Google's privacy updates are Apple's iOS privacy changes, including App Tracking Transparency, Mail Privacy Protection, and more. Tracking these changes will remain a priority because Apple's iOS continues to hold the largest share of smartphone operating systems in the U.S.


In today’s era of transparency, it’s more important than ever for organizations to advocate for data privacy and work toward compliance. If you need assistance navigating or prioritizing data privacy as part of your marketing strategy, we’re here to help!