Most brands work with two kinds of data. Third-party data is bought or aggregated from outside — cookies, data brokers, advertising platforms. First-party data is what the brand collects itself, on its own site or app. A third kind sits apart: zero-party data, a term coined by Forrester, is information a customer chooses to share, deliberately and knowingly, with a brand they have decided to deal with.
The distinction matters more now than it did a few years ago. Third-party cookies are being phased out across browsers, GDPR and the ePrivacy rules have made acquired data harder to justify and use, and consumers are more aware of how their data circulates. Against that backdrop, the product passport — driven by EU regulation for compliance reasons — turns out to open a channel of a very different nature.
Why a product passport produces zero-party data
A digital product passport is reached by scanning the item: a QR code or an NFC tag carried by the product itself. That scan is an action the customer takes on their own, after the purchase, holding a physical object in their hand. Nobody bought a profile, nobody followed them across sites. The relationship starts from the product they own.
When that customer claims the product — registers it as theirs — they choose to attach themselves to it. From there, anything they share (registration, preferences, opting in to messages from the brand) is given on purpose, in a context they understand. That is the definition of zero-party data, and the passport is one of the few places it is generated naturally rather than extracted.
What the brand actually gets — and what it does not
Two things are worth separating. The brand gets a direct, post-purchase channel to the people who own its products: the ability to authenticate an item, confirm ownership, and — where the owner has opted in — reach them about that specific product. It also gets aggregate signal: where products are scanned, how many are claimed, how ownership moves. This is first- and zero-party data the brand holds itself, not data rented from a platform that can change its terms.
What it is not is a surveillance channel. The passport is built around access tiers: the regulation itself distinguishes what the public sees, what actors with a legitimate interest see, and what authorities see. Consumer data stays subject to GDPR — right of access, right to erasure, retention limits, IP anonymisation. A product passport that respected the letter of the regulation but quietly turned into a tracking tool would miss the point and the law. The value is in data that is given, scoped and revocable, not in data that is harvested.
Data sovereignty, concretely
"Sovereignty" is used loosely. In practice it means two things here. For the brand, it means owning the customer relationship and the data behind it rather than depending on an intermediary's audience and rules. For the customer, it means knowing what is shared, with whom, and being able to withdraw it. Where the data is hosted is part of this: European hosting keeps the records under EU jurisdiction, which matters for both the brand's compliance posture and the customer's rights.
None of this requires the customer to understand a wallet, a token, or any blockchain mechanics. The on-chain layer secures authenticity and the chain of ownership underneath; the person scanning a product sees an authenticity check and a passport, not a crypto interface. Sovereignty over data does not have to come bundled with friction.
What SealTrust does
SealTrust links each physical product to a secure NFC tag (NTAG 424 DNA) or a QR code, depending on the product. A scan proves the item is genuine — even offline — and opens its passport. The owner can claim the product, and that claim is what turns an anonymous scan into a known, consented relationship.
On top of that, brands can reach the owners of their products through an in-app messaging channel, based only on ownership and opt-in — no purchased lists. Passport fields are filtered by audience (public, value chain, authority), matching the access levels the regulation expects. And the consumer-data side is handled as GDPR requires: data export (Article 15), erasure (Article 17), IP anonymisation and bounded retention, on European infrastructure. The compliance obligation and the relationship channel are the same system, not two projects.
Where to start
Treat the passport as more than a checkbox. If you are already scoping ESPR compliance, you are also — whether you planned to or not — building a first- and zero-party data channel. The questions to settle early are simple: which data carrier (QR or NFC) per product line; what you want owners to be able to do once they claim an item; what you will and will not ask them to share; and how the consent and access tiers are set so the channel stays on the right side of GDPR. Brands that decide this on purpose end up with a customer relationship they own, instead of a compliance cost they merely absorb.
Sources
- Forrester — origin of the "zero-party data" concept (Fatemeh Khatibloo) — forrester.com
- Regulation (EU) 2016/679 (GDPR), Articles 15 & 17 — eur-lex.europa.eu
- CNIL — cookies and tracking guidance — cnil.fr
- Regulation (EU) 2024/1781 (ESPR), Digital Product Passport & access tiers — eur-lex.europa.eu


