There's often confusion about the difference between first party data, second party data, and third party data. However, what often underlies that confusion is a misconception that any of these parties actually 'own' the data. 

Contracts will frequently talk about Party X or Party Y 'owning the data.' Whilst there are, of course, certain IP rights than can exist in relation to certain types of data sets (databases in particular) - as a general principle 'personal data' isn't and cannot be 'owned' by a business. That doesn't make sense from a legal perspective and it's clearly completely contrary to the basic principles of privacy and data protection stemming all the way back to the OECD Guidelines in the early 1980s and beyond. It's not a new concept introduced by the GDPR (or the UK GDPR for us in the UK), or the CCPA etc.

This article may get it slightly wrong in terms of the necessity for consent in all cases, but what it does do is give a good [amusingly ranty] explanation about the fallacy of a company 'owning' its first party data - i.e. the real first party is the consumer.