There's often confusion about the difference between first party data, second party data, and third party data. However, what often underlies that confusion is a misconception that any of these parties actually 'own' the data.
Contracts will frequently talk about Party X or Party Y 'owning the data.' Whilst there are, of course, certain IP rights than can exist in relation to certain types of data sets (databases in particular) - as a general principle 'personal data' isn't and cannot be 'owned' by a business. That doesn't make sense from a legal perspective and it's clearly completely contrary to the basic principles of privacy and data protection stemming all the way back to the OECD Guidelines in the early 1980s and beyond. It's not a new concept introduced by the GDPR (or the UK GDPR for us in the UK), or the CCPA etc.
This article may get it slightly wrong in terms of the necessity for consent in all cases, but what it does do is give a good [amusingly ranty] explanation about the fallacy of a company 'owning' its first party data - i.e. the real first party is the consumer.
But let me be clear: That data is not, and never will be, “your” first-party data. The customer is the first party in this transaction – you, as the marketer, are the second party. This is the only logical party-numbering scheme especially considering our oft-repeated mantra that we “put the consumer first.”