There is one idea that keeps cropping up in many marketing meetings in 2026: «Since Google hasn’t actually phased out third-party cookies after all, we can carry on as before.» It is a convenient conclusion, but also a strategic mistake. The own data (or first-party data) were not just a Plan B for when cookies were phased out. They are, now more than ever, the raw material that makes artificial intelligence in marketing truly work. At Vandelay, we see this every week with our clients: a brand that knows its customers first-hand is in a league of its own.
What is first-party data?
The own data This is the information your business collects directly from the people who interact with you, with their knowledge and — where required by law — with their consent. It is not purchased from third parties, nor is it inferred by tracking a user across external websites: it is generated through the direct relationship between your brand and your customer.
Here are some specific examples that almost any SME already has to hand:
- Subscribers to your newsletter and their open and click-through history.
- Purchases, receipts and order frequency recorded in your shop or CRM.
- Forms, surveys and preferences that the customer shares with you.
- User behaviour on your website and app (with analytics configured to respect privacy).
- Conversations via WhatsApp, chat or customer service.
It is worth distinguishing them from two neighbours: the third-party data (third-party data), which is purchased from external platforms and tracks users outside your website; and the zero-party data, a subset of the customer’s own data which they provide explicitly and voluntarily (for example, by indicating in a questionnaire what sort of products they are interested in).
Google retains third-party cookies: why we shouldn’t let our guard down
On 22 April 2025, Anthony Chavez, Vice President of Privacy Sandbox, announced on Google’s official blog that the company would «maintain its current approach» to third-party cookies in Chrome and that would not launch the new independent advert the choice it had proposed for 2024. In practice, third-party cookies are still in use in Chrome, and users can manage them via the browser’s privacy settings (source cited at the end).
It is tempting to interpret this as a reprieve. But there are three reasons why basing your marketing on other people’s data remains a risky strategy:
- It is the user and the browser who are in control, not your brand. Safari and Firefox have been blocking third-party cookies by default for years, as has Chrome’s incognito mode. A significant proportion of your audience simply cannot be tracked in this way.
- Regulatory pressure continues to mount. In the European Union, the General Data Protection Regulation (GDPR) and the regulations of the Spanish Data Protection Agency require a legal basis and, for marketing purposes, informed consent. Google may change its policy; the law does not depend on Google.
- Third-party data is of poorer quality. These are estimates, which are often out of date and shared with your competitors. Your own data is accurate, exclusive and yours alone.
To put it another way: just because the door remains open doesn’t mean it’s the best way forward. Building on our own data wasn’t a reaction to Google; it was the right decision then and it remains so now.
Why first-party data is the fuel for AI in marketing
Here is the fundamental shift of 2026. Artificial intelligence doesn’t work magic out of thin air: it learns from the data you give it. A recommendation model, a personalisation system or an agent that segments campaigns is only as good as the information that feeds it. If that information is generic and purchased, you get generic results. If it’s your own and of high quality, the AI begins to truly distinguish between each customer.
We’re seeing this in three areas where we’re already working with real brands:
- Customisation. The AI-powered hyper-personalisation The growth seen this year is based on our own data: without a genuine history of purchases and preferences, personalisation is just a pipe dream.
- Measurement and attribution. With the AI-based marketing measurement, your own conversion events (emails, forms, sales) become the data used to train reliable attribution models, far more so than a single click.
- Automation. AI agents that run and optimise campaigns need a single source of truth about who your customers are. That source is your own data, not a rented segment.
The consequence is a worrying one for those who put it off: the more AI advances, the wider the gap becomes between brands that have their own well-organised data and those that do not. The technology is becoming increasingly accessible to everyone; the data that makes it useful, however, is not.
First-party data and the GDPR: complying with the law is part of the strategy
In Spain and throughout the EU, collecting your own data does not mean you can do whatever you like with customers’ information. The GDPR (Regulation (EU) 2016/679) sets out principles that should be borne in mind: lawfulness and transparency, data minimisation (only collecting what you need), purpose limitation, and valid consent for uses such as email marketing or personalised advertising.
Far from being a hindrance, this works in your favour. When you ask for data clearly, explain what you’re using it for and offer value in return, customers share more and better information. Trust is, in itself, a competitive advantage; we’ve explored this when discussing authentic marketing with AI. And if you work with AI, remember that the new European framework also comes into play: take a look at our article on the transparency obligations under the EU AI Act.
How to start building your first-party data strategy
You don’t need a big budget or a data department. What you need is a method. This is the approach we recommend for an SME starting almost from scratch:
- Take stock. Identify where your customer data is currently stored: email, POS systems, online shops, CRM systems, spreadsheets, WhatsApp. There’s almost always more data than you realise, scattered across various sources.
- Centralise. Bring all that data together in one place (a CRM is a good place to start). A customer who makes a purchase, opens your emails and messages you on WhatsApp should be a single record, not three.
- It offers value in exchange for the data. Offer something useful — a guide, a discount, exclusive content, a better experience — so that signing up or filling in a form makes sense to the customer.
- Make sure you ask for consent properly. Clear, transparent terms and conditions, with no hidden traps, explaining how they are used. Complying with the GDPR and being honest is, moreover, what pays off best in the long run.
- Powered by AI. With clean, organised data, you can apply personalisation, segmentation and automation. This is where the groundwork pays off in sales.
The order matters: many brands want to skip straight to step five, buy an AI tool and expect miracles. Without the first four steps, that investment yields only a fraction of what it could.
Frequently asked questions about first-party data
Is ‘own data’ the same as ‘personal data’?
Not exactly. «First-party data» describes the origin (you collect them yourself), whilst «personal data» is a legal category under the GDPR (information that identifies an individual). Much of your own data is personal data, and must therefore be processed in accordance with data protection regulations.
If Google keeps cookies, why invest in first-party data?
Because third-party cookies are already unreliable (blocked by default in Safari, Firefox and incognito mode) and because first-party data is more accurate, unique to your brand and the fuel that AI needs to personalise. Google’s decision in April 2025 does not change that underlying reality.
Can a small SME have its own data strategy?
Yes. In fact, that’s where it makes the biggest difference. Simply by centralising your mailing list and sales history in a CRM, you’re already ahead of many competitors. It’s not a question of size, but of consistency and method.
What is the difference between first-party, zero-party and third-party data?
The first-party you gather them yourself through your relationship with the client; the zero-party are a type of first-party data that the customer provides explicitly and voluntarily; the third-party They are purchased from third parties and track users outside your website.
If, as you read this, you’re thinking about that mailing list you’ve somewhat neglected, the sales you haven’t quite synced with your CRM, or that AI tool you bought that isn’t quite delivering results, you’re on the right track: that’s where your opportunity lies. Organising and putting your own data to work is probably the marketing investment with the best return you can make this year. At Vandelay, we help SMEs set up exactly that system, step by step and without any fuss. If you’d like us to take a look at your situation, Let's have a chat.
Sources
- Google — Privacy Sandbox: «Next steps for Privacy Sandbox and tracking protections in Chrome» (Anthony Chavez, 22 April 2025): privacysandbox.google.com/blog/privacy-sandbox-next-steps
- General Data Protection Regulation, Regulation (EU) 2016/679 (EUR-Lex): eur-lex.europa.eu
- Spanish Data Protection Agency (AEPD): aepd.es