In the Privacy Soapbox, we give the stage to privacy professionals, guest writers, and opinionated industry members to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.




Note: This article was originally published on May 30, 2023, on the Yes We Trust blog.


Gen Z - born between ~1995 and 2012 - is the largest consumer demographic in the market. With the huge spending power they command and the next fifty years or so that brands will depend on them for sales, there is a real urgency for marketers to get their act right to win their attention, interest, and loyalty. 


It’s no surprise, then, that the ‘CX wars’ have reached a fever pitch. But legacy brands are missing something. A valuable upstream opportunity that could outsize their marketing and CX outcomes. That opportunity is customer data privacy.


Here’s the rub. Legacy brands, used to marketing to Gen X and millennials, are at risk of not only misreading Gen Z’s expectations on data privacy but also of missing the business opportunity it offers.


Before I tell you why I think legacy brands are reading Gen Z’s personal data preferences all wrong, let’s take a quick literature check to agree on who Gen Z is and what they want from brands in the context of privacy.


Here are some things we do know about Gen Z




  • They are ‘digital natives’ born into the age of data and technology. They have no lived experience (or very hazy memories) of life before technology, big tech, social media, and digital shopping. They have been creators and consumers of data from the early years of their lives.

  • They have a unique relationship with technology. They do not fear it or aim to master it. It is not a novelty but an intrinsic part of life, an enabler and an amplifier. But that doesn’t mean they ‘live with their head in the cloud.’ Several studies find that Gen Z expects technology to enhance their physical experiences rather than replace them. 

  • They have a strong opinion on social responsibility. Gen Z is more socially conscious than other generations and is involved with issues like gender justice, climate change, and sustainability.

  • They prioritize values and authenticity in brands. Perhaps that explains why they prefer digital native brands to legacy brands by a margin of 40%. D2C brands generally get ‘authenticity’ and are better at direct engagement with customers on channels like Discord and TikTok.

  • They have a unique relationship with social media, distinct from other generations. They are more digitally active than any other generation and are the largest users of social media. They rely heavily on social media and peer review to form opinions on businesses. A third of them follow brands they consider buying from on social media, while 85% discover new products that way.

    This study shows that being aware of its ill effects does not stop Gen Z from using social media to their advantage as a force for positive change, self-expression, and community. This line sums it up well, “They don’t cling to the notion of social media as a source of good (or evil), but an inseparable reality of life; something to be managed and exploited for personal gain. They’ve embraced and channeled this power into a source of expression, creativity, intimacy, and belonging.”

  • They have a unique and distinct point-of-view on privacy and data: This research shows that transparency and control are the most positive actions companies can take for data protection regardless of a consumer's age or generation. 


But Gen Z has some unique distinctions from their predecessors. 


In a nutshell, Gen Z is concerned about their privacy, but feels more in control, knows the value of their data, and is open to exchanging personal data with brands in return for ‘value.’ 


Here are the nuances:


  • Generally skeptical about a brand’s ability or intent to protect or use their data responsibly.

  • More cautious about data privacy than predecessors, though more rational about their concerns. See basic compliance and security by brands as table stakes.

  • More aware of the dangers of privacy invasions such as improper use or unauthorized monetization of data by brands, data breaches, ID fraud, and hacking.

  • More confident about taking action to protect themselves, like managing privacy settings, choosing privacy-centric browsers and private social networks, and using tools like ad blockers, VPN, and 2FA.

  • More aware of the value of their data. While 48% of Gen Z believe sharing personal data online is "a part of life", that doesn’t make them feel disempowered. They know brands need their data to survive.

  • Value the ability to make informed choices about their data. Gen Z increasingly sees personal data as a currency they can create, own, protect, trade, and control.  

  • Over half are not opposed to sharing personal data with third parties - but only in exchange for the right value. This ‘value’ can take the form of convenience, rewards, discounts, loyalty points, privileges, or unique experiences. They are clear about how much — and what data — they would be more willing to share in exchange.

  • They know not all data is created equal and classify their personal data as low, medium, and high value to appraise exchanges. 

  • They’re less likely than the general public to trust financial services, online retail, search engines, ride-hailing companies, and even themselves with protecting their data online. Social media is a notable exception. Gen Z is more likely than their predecessors to trust social media companies to handle their data properly. 


Note from the author: 


  • The full list of surveys used to compile the qualitative findings is at the end of this piece.

  • Where I have used specific stats, direct links are provided.

  • I acknowledge that ‘Gen Z’ is not a simplistic, homogenous group - there are many nuances based on geography, socioeconomic segments, and several other variables. However, since most of the data available refers to Gen Z in developed markets, I use that as my broad definition of Gen Z for this article.

  • For my analysis, I deliberately exclude popular social media brands because those seem to enjoy Gen Z trust despite their customer data privacy inadequacies. 


Legacy brands have a challenge on their hands 


For the last 50 years or so, they’ve had somewhat of a golden phase - eager and often uninformed baby boomers and millennials as customers; a free run on monetizing customer personal data since the advent of the digital age; and negligible government or consumer focus on matters of data privacy and security. 


That era has ended. Data privacy regulations are spiraling at the state and national levels. Consumer awareness and activism about data privacy and corporate responsibility are louder than ever (although still not loud enough). The D2C boom has upended multiple industries, as young, agile upstarts give legacy brands a run for their money with data-driven marketing. And economic pressures mean big, bulky brands must acquire and retain customers more efficiently than ever before. 




All this coincides with Gen Z, the official corporate golden goose for the next half century, stepping into the workforce and growing their disposable income.


And unlike any generation before them, while Gen Z cares about their data privacy, they know the power and value of their data and aren’t afraid to use it to get what they want from brands. 


With Gen Z, the data has to be earned, not sneakily taken, coerced, demanded, or outright stolen. And for data to be earned, trust has to be earned.


Bold, innovative data privacy strategies will play a central role in winning Gen Z's trust.


How a brand handles customer data privacy could be the tie-breaker in a world where marketing success depends almost entirely on customer data. Privacy strategies will have a direct impact on a brand’s ability to gather the highest quality zero- and first-party data and build a sustainable data-driven competitive advantage with Gen Z. 


But such a transparent, customer-centric approach to data privacy can’t exist as a silo. Gen Z values authenticity, and for this to work, the customer data narrative must be consistent with the larger brand narrative. It has to be a part of what the brand stands for, not just a well-dressed (or disguised) legal mandate. 


In short, the privacy experience (PX) has to be an intrinsic part of the customer experience (CX).


Successful D2C and digital-first brands have already demonstrated this model works. They have understood Gen Z’s attitudes and motivations for sharing personal data, woven that understanding into the brand experience, and delivered the CX with healthy doses of rewards, discounts, privileges, personalization, convenience, speed, or whatever the customer sees as ‘value.’ 


As a result of this connection, data-powered personalized CX, and trust, Gen Z customers already prefer D2C brands by a factor of 40 over legacy brands.


If legacy brands don’t get their data privacy strategy right, this gap will only widen.


Are they up to the challenge? I argue not. These brands are often characterized by their all-too-cheerful websites, achingly trying to connect with Gen Z, but given away by the clunky, unfriendly privacy notices appearing like a dreary fishing trawler in a river of foam and sparkles.


The headline cheerfully says, “Welcome, bestie!” but the cookie message will say, “You must accept our terms or else jump through hoops to make your choices known.” 


For instance, the website of a major US-based automobile manufacturer did not even give me a consent notice upon arrival. I had to scroll sixfold to the very bottom of the page, where I found the consent tab. I know the law allows it, but the feeling of being ‘auto-opted-in’ reminds me of Hotel California.




So what makes some legacy brands so myopic about the privacy opportunity?


Here’s the problem. Some legacy brands insist on using baby boomer and millennial data tactics on Gen Z, which is unfathomable. Ask any self-respecting marketer if they ‘market’ the same way to a millennial and a Gen Z consumer, and you may receive a pitying look in return. 


So, why do they take a ‘one-size-fits-all’ approach to their data privacy?


Marketing myopia #1: Keeping marketing and privacy separate

Consumer data is crucial for brands and retailers looking to learn more about shoppers and leverage more personalized offerings. And yet, marketing teams that are otherwise laser-focused on creating a data-driven CX do not, in their strategies, even mention the privacy UX.


My argument is that, in many ways, CX starts with privacy. You cannot separate the two. 


Increasingly, shoppers' first ‘choice’ with a brand will be to opt-in with a consent banner. That’s where it starts at the front end. And at the back end, if you cannot gather consumer data in compliant ways, you won’t be able to create sustainably good CX at all.


To succeed in a “privacy-first data economy,” marketing must own the privacy UX as a crucial component of CX. In other words, considering Gen Z’s distinct relationship with personal data, privacy should be central to the process of defining not just the data privacy strategy but the entire CX and brand strategy as well.


Not doing so is a missed opportunity for competitive differentiation. Apple’s marketing team got that. Do you?


Marketing myopia #2: Seeing data privacy only as a risk, not an opportunity

Many marketers still view data privacy as something “only-legal”, to do with compliance rather than customer-centricity, and associate it with risk rather than reward. Despite the fact that they cannot ‘do’ marketing without the data.  


When you see only the risk side of data privacy, you will seek solutions only in terms of risk mitigation. This means focusing on legal and compliance-centric data privacy strategies.


Of course, I’m not debating or questioning the importance of legal compliance. But that is table stakes. And for Gen Z consumers, it’s just not enough.


Here’s what I suggest to marketers. Leave the risk mitigation to legal and IT. Marketing should focus on seeing the data privacy opportunity instead. This is based on two insights we can pick from our data review.


Insight 1: Gen Z consumers are more socially conscious, showing their commitment to issues like gender justice, climate change, and sustainability with their purchasing choices. Privacy and data protection align with broader social justice and rights concerns. So if a brand can authentically bring these into their personality and the CX, they have a better chance at winning Gen Z support.


Insight 2: Gen Z knows the value of their data and is not averse to exchanging it for value. 


Instead of being threatened by Gen Z’s preference for transparency and authenticity, you can use this insight to make it your superpower. 

Focus on creating value. Spend time to understand (without assumptions) what Gen Z customers see as value in the context of your brand - rewards, privileges, discounts, experiences, convenience, speed, or free customer service. Understand their threshold for sharing data in exchange for different kinds of value.


For example, this study found that Gen Z has different thresholds for sharing data they consider low or high value:


[Figure: Gen Z study on data-sharing thresholds]


Once your data-value equation is tested and in place, be transparent and collaborative about collection and usage. Without any sneaky tricks, and with your head held high, ask them for their data in exchange for what they most value. 


Marketing myopia #3: Believing the rules that apply to social media will apply to them 

Large legacy brands sometimes believe they are like big tech and social media. That the same rules apply. But the reality is that Gen Z consumers see TikTok, Discord, Snapchat, and Instagram as an irreplaceable part of life (at least for now). Unfortunately, the same can’t be said of your car or refrigerator brand.


So no. The same rules do not apply. Despite Google or TikTok’s questionable record on data privacy, it seems Gen Z is ready to make certain concessions for the ‘value’ they offer in exchange. That’s just the breaks.


Other brands - legacy or otherwise - must demonstrate their loyalty to shoppers rather than the other way around. 


This calls for marketing to make a mindset, culture, and strategy shift that places customer data privacy - not just ‘customer data’ - at the core of creating CX.


How do you turn a battleship around?  


Of course, it's not all doom and gloom; not all legacy enterprises fail to adapt their privacy approaches. Brands such as Apple, P&G, Ikea, and Mozilla Firefox have all successfully made privacy a part of their CX by enhancing privacy features and building trust, transparency, control over data, and mutual value exchanges into their larger brand messaging to meet Gen Z expectations.


This addition enhances and affirms ‘who they are as a brand,’ and shines through in all their communications and interactions. Some have even managed to make ‘privacy-first’ a distinct brand differentiator. 



For the others, I have a few ideas. Hear me out. 


First of all, let’s get compliance out of the way

Accept that compliance is a moving target and will be so for the foreseeable future. Every day we see more, stricter and better-enforced regulations. Let legal keep pace with and guide you on the nitty gritty. 


CMOs should always commit to the highest possible standards, even if it's not currently a legal requirement, starting today. It makes more sense than doing it piecemeal over time. If you know new leaks will spring up in new places in unpredictable ways, you don’t buy more buckets - you build a stronger roof. 


That strong roof is GDPR - the strictest law there is. Adopt it as your baseline for every geography you operate in. Invest in the best possible consent and preference platforms, so you have the infrastructure to handle privacy at that level. And then, obsessively apply the Privacy by Design framework to every single external and internal marketing and sales process and workflow.


Next, change the questions you ask about customer data privacy

Stop asking, ‘How do we get customers to share their data?’ 


That will only get you competing for the same data everyone else is getting, and perhaps even resorting to the sneaky tricks department.


Instead, ask, ‘What does my customer value? How can I create and deliver it to them, in exchange for their best data, with their full knowledge and consent?’


Remember, Gen Z does not see anything odd about this - they will likely appreciate the honesty and transparency of a mutually beneficial value exchange.


Third, shift the frame of reference for personal data from ‘Collect’ to ‘Connect’

Gen Z customers don’t want to be sold to - they want to be a part of their favorite brand’s story. They want to be part of the community. They want to co-create their CX. So let them also help co-create the privacy experience. 


This is one of the reasons D2C brands have done so well - they have truly made the consumer part of their growth story. They do things with the consumer, unlike legacy brands that do things for or to the consumer.


Gen Z is too savvy to be fooled by quirkily worded consent banners that give them neither control nor connection. They expect to be consulted, and because they are okay sharing data for the right value, brands that engage with them will earn not only their preference but also better - and more - zero- and first-party data than competitors.


This insightful report says, “As brands and brand advocates, we have to do more to invite this generation into the conversation and be willing to listen to and give them what they want and need to build a connection.”


Fourth, accept that privacy does not have to be a source of friction

The friction around data and consent arises only when brands know the value exchange they offer is unfair. When brands think of data as something that must be ‘taken’ rather than something that can be ‘given in exchange for value.’ When creative teams design beautiful campaigns, then legal or IT slaps an incongruent privacy and consent layer on top of it.


Marketing can change this by giving the privacy experience (PX) mandate to all teams responsible for CX. Go beyond legal. Educate the creative, social media, UX, and content teams about privacy and let them internalize it and immerse themselves in designing the experience. Empower them to design campaigns that do not need skewed value exchanges, or Jekyll & Hyde UX that needs ‘dark patterns’ to coerce data submissions.


Give them the mandate to create a consistent, relatable, authentic brand voice that includes the mutually beneficial data-value exchange.


A caveat: authenticity and accuracy are two different things, so make sure you get a compliance sign-off from legal and a security sign-off from IT for all your decisions!


Finally, here’s a radical thought. How about personalizing privacy? 

If CX is all about segmenting, targeting, and personalization, then why should privacy be any different? In a fair value exchange, each customer will have a unique notion of value and a unique threshold to share data in exchange for that value. 


Brands that really want to push the envelope should find ways to offer personalized PX as part of the personalized CX.


The telecommunications company Orange takes this idea of personalizing the privacy user experience very seriously, allowing users to specify each partner from whom they want offers. By today’s standards, it offers the user significant control over how their data is used and a sense of co-designing their privacy choices.



Building for a future that’s always shifting


Even as I write this, I realize things are changing and evolving. While adhering to a GDPR compliance standard is great, other disruptions will impact how all of this works out for brands. 


While I will leave a deeper exploration of those for another time, let me just share some of the questions keeping me up at night:


  1. How will the omnipresence of AI impact data privacy? How connected will that be to the labor market and consumer shopping choices? (David Raab has one of the most interesting takes I’ve read on this, shared in his new blog.)

  2. What will privacy look like in the metaverse?

  3. How will the cultural trends stirring up under Gen Z and likely to mature for Gen Alpha impact PX and CX? For instance, the circular economy, getting off social media and preferring to shop in physical stores.

  4. What will the privacy regulatory landscape look like in ten years? Will we have a global consensus on laws and the use of AI?

  5. Of course, brands cannot forget that Gen Z does not live only in the streets of America or Europe - how will these privacy-first strategies play out for Gen Z consumers in different economies around the world?

  6. Finally, there is the changing demographics of employees - companies will soon have more Gen Z staffers than ever before. How will that impact their privacy and data strategies?


Making privacy intrinsic to the CX will help win Gen Z 


To earn Gen Z's trust and loyalty, companies need to weave transparency, consent, data minimization, and user control into the CX in authentic, innovative ways. But perhaps more crucially, they need to shift their marketing mindset to make the privacy UX intrinsic to the CX strategy. 


With Gen Z’s spending power slated to reach $2 trillion in less than ten years, the payoff for brands that get the personal data privacy equation right is massive.


List of reference surveys and reports