← Back to thoughts

The Next Decade of Personal Data

Why the future of data will be defined by permission, verification and provenance.

I came into the data industry in 2006 through B2C lead generation, when the market rewarded volume above almost everything else. Lists were traded, co-reg was everywhere, and the question was rarely "should we use this data?" It was usually "how much of it can we get?"

The next decade will be different. The value of personal data is moving away from volume and towards proof. Where did it come from? Why are you allowed to use it? Is it still accurate? Is there a real person behind it? Can that person understand, control or revoke the relationship?

That is the direction of travel. Less volume, more proof. Less assumption, more provenance.

TL;DR: The next decade of personal data will not reward the biggest databases. It will reward the companies that can defend their data. Where it came from, why they can use it, whether it is still accurate, whether there is a real person behind it, and whether that person has a meaningful relationship with them.

From volume to provenance

I started in B2C lead generation in 2006. Compliance and performance were both stretched thin, and the culture rewarded collection. By around 2010 my view shifted. The race to the bottom was obvious and I could see how it would end. We started Mediabowl with a stronger focus on quality and performance, and built Databowl so we could control quality, track consent and measure performance against actual sales and CPA, not impressions.

Better data, clear consent, and transparency about what is collected and why does not just reduce risk. It performs. That has been the throughline ever since.

Where we have been: the old data economy rewarded volume

The mid 2000s to the late 2010s were defined by easy collection, broad profiling and borrowed signals. Cross-site pixels followed people across the open web. Mobile identifiers connected journeys across apps. Third-party data filled every gap a brand had not earned. Consent controls existed, but they were buried, and the default path kept the machine running.

Dashboards rewarded collection. The market quietly confused more data with better data, and most teams went along with it because the incentives lined up that way.

Consent became real

GDPR in Europe and the UK turned consent, purpose limitation and meaningful fines into a real constraint. CCPA and then CPRA gave Californians rights that other US states started to copy. Apple's App Tracking Transparency put a clear permission prompt in front of users on cross-app tracking, and most of them said no. ATT did not end tracking, but it made the cost of permission visible.

The cookie did not die as cleanly as people predicted. Google stepped back from full third-party cookie deprecation in Chrome and moved to a user-choice model instead. The direction still changed. Tracking is more contested, more regulated, more platform-controlled, and more dependent on consent, modelling and first-party relationships than it was a decade ago.

The US has not landed a federal GDPR-style law, but the state-by-state direction is clear. More rights, more opt-outs, more deletion, more scrutiny of brokers, sensitive data and automated decisioning.

Average cookie or tracking consent rates in Europe over time with GDPR and Apple ATT markers

Consent rates fell as privacy controls became real.

More data started to mean more risk

As easy consent and easy tracking weakened, the hidden cost of bad data became more visible. Breaches poured billions of records into the wild. Bots and synthetic identities got cheaper to spin up. Lead funnels filled with noise. CRM systems quietly polluted themselves. ID verification produced false positives because the upstream data was stale or wrong.

I have seen affiliate campaigns with fraud rates around sixty percent. I have seen lead files where roughly a third of the records could never be sold to anyone. I have seen false positives in ID verification because the industry rewarded volume, not accuracy. Once you have lived with those numbers, you stop believing in big databases for their own sake.

Estimated annual cost of bad data over time

Bad data carries a rising cost in wasted spend and poor decisions.

Where we are now: first-party data is not enough

The standard line is that first-party data is the future. It is better than borrowed third-party trails, but first-party does not automatically mean good. If it is fake, stale, unverified, badly permissioned, or collected through a low-quality incentive flow, it is still bad data. A CRM full of unverified first-party records is not a strategic asset. It is a liability with a friendlier label.

Brands are now responsible for the resilience of their own data relationships. If they want performance that holds up, they need direct relationships with people who chose to be there, and they need to verify those relationships. The two go together. One without the other is wishful thinking.

Verification becomes infrastructure

Verification used to be seen as form hygiene. A quick email check, maybe a phone validation, and the record went into the database. That model is finished. Verification is moving from a single check at the edge of a form to an infrastructure layer that connects marketing, fraud prevention, compliance, security and customer experience.

That layer combines email verification, phone validation, IP risk, device signals, behavioural signals, consent records, source transparency, the stated purpose for collection, and active fraud detection. None of these are new on their own. What is new is treating them as a connected stack rather than a series of disconnected checks. Together they reduce fraud, protect downstream models, make consent meaningful, and stop bad data flowing into systems where it will quietly do damage for years.

Diagram of an integrated verification stack with data point checks, device and behaviour analysis, and a unified decision layer

Verification moves from single checks to a connected stack.

AI makes provenance more important, not less

It is fashionable to argue that AI makes the underlying data less important because models can compensate. The opposite is true. AI does not remove the need for trusted data. It increases it. If models, scores and automated decisions are built on personal data, the question is not just what the model predicts. It is why anyone should trust the data underneath it.

The EU AI Act pushes high-risk AI systems into a world of data governance, documentation, logging, transparency, human oversight, accuracy, robustness and cybersecurity. You do not need to read the legal text to see the implication. Provenance, freshness and verification of the inputs become part of the product, not a back-office concern.

Where we are heading: fewer records, higher value

The direction of travel is clear. Value will concentrate in verified, permissioned data with provenance that can be shown. Organisations will hold fewer records. Each record will be fresher and better verified. Unverified or non-consensual data will lose commercial utility as platform defaults, regulations and customer expectations continue to tighten. Residual third-party trails will keep declining in usefulness rather than mounting a comeback.

Data quality will matter more than database size. Source, freshness, consent and contactability will become commercial differentiators rather than back-office concerns. The economic effect is simple: fewer records, better verified, each worth more.

Projected value index for verified, permissioned personal data

As volume reduces and trust rises, the value per verified and permissioned record increases. Illustrative.

The Data You idea

In 2018 I worked on a concept called Data You. The idea was straightforward. A person holds their data, chooses who can access it, and is rewarded when there is a clear value exchange. They can revoke access when the value is gone. We could not get meaningful adoption at the time, because the market still believed data collection was the advantage and brands were not ready to give up the assumption that the database was theirs by default.

The next decade looks different. The advantage moves to permission, portability, verification and trust. Whether it ends up looking like a wallet, a Solid pod, decentralised identifiers, or something we have not named yet, the principle is the same. People grant access on their own terms and the systems that respect that will outperform the systems that try to route around it. Data You was too early. The principle was right.

Data You concept from 2018 showing user-controlled data and value exchange

Data You concept from 2018. Right principle, early timing.

The rules and the defaults

Regulation and platform policy are different things, but they push in the same direction. GDPR set the reference point in Europe and the UK. US state laws are moving in the same general direction, with broker, sensitive-data and automated-decision rules getting tougher rather than softer. Platform policies behave like law in practice because they change what is technically possible, often before any regulator catches up.

If you build around permission, verification and provenance you do not have to chase every tweak in the rulebook, because the direction is already clear. The companies that try to optimise for the current loophole keep having to rebuild. The companies that build for the direction of travel keep compounding.

Timeline of major data regulations across the EU, UK and US

Regulation and platform policy set the direction of travel.

The same problem keeps showing up

This same pattern shows up across the rest of my work. In The Human Data Illusion, it is the mistake of treating data as human because it looks human. In Do Data Breaches Drive Fraud?, it is the long tail of stolen identity data. In The Great Content Swindlefication, it is fake demand dressed up as intent. In The Verification Dividend, it is the compounding upside of verified data. They are all versions of the same shift: proof is becoming more valuable than volume.

Closing

The next decade will not reward the companies with the biggest databases. It will reward the companies that can defend their data.

Where did it come from? Why are you allowed to use it? Is it still accurate? Is there a real person behind it? Can that person understand, control or revoke the relationship?

That is where personal data is heading.

Less volume. More proof. Less assumption. More provenance.

References

GDPR overview. gdpr.eu

California Consumer Privacy Act and CPRA. oag.ca.gov

Apple App Tracking Transparency. developer.apple.com

Google Privacy Sandbox and Chrome cookie policy update. privacysandbox.com

Cookie consent benchmarks. Cookiebot

IBM Cost of a Data Breach 2024. ibm.com

Cisco Consumer Privacy Survey. cisco.com

EU AI Act. artificialintelligenceact.eu

EU Digital Markets Act. European Commission

W3C Decentralised Identifiers. w3.org

Solid and Inrupt. inrupt.com