Customer data sovereignty: who really owns your data?

By Michael Froment, CEO and Founder of Commanders Act

In 2012, a major American fashion brand had built a community of millions of fans on Facebook — years of content, investment, real engagement. Then Facebook changed its algorithm. Organic reach for brand pages dropped from 16% to under 2% within months. Overnight, that brand could no longer reach its own fans without paying.

It hadn’t lost anything technically. Its fans were still there. But it never owned them: it was renting them, without ever really measuring that.

What played out on Facebook in 2012 is playing out again today, at a larger scale, on deeper ground: brands’ data infrastructure. Not social audiences this time, but customer data itself.

The invisible dependency of digital marketing

For fifteen years, digital marketing ran on a delegation model that nobody really chose — it became standard out of convenience. Platforms collected customer behavior on the brand’s site, organized it into targetable audiences, and the brand paid to reach them. A smooth, efficient cycle… and a deeply asymmetric one.

Asymmetric, because in this model, customer knowledge belongs to the platform, not the brand. Meta knows what your customers do across the entire web. Google knows what they search for. Amazon knows what they buy. You know what they do on your own site — and only if you took care to collect that data properly.

This asymmetry was tolerable as long as the rules of the game stayed stable. They no longer are: third-party cookies disappearing, Apple’s ATT reducing iOS visibility, GDPR governing transfers to non-EU entities, the US Cloud Act theoretically allowing US authorities to access data hosted by American companies wherever it sits, Schrems II invalidating entire transfer mechanisms to the United States.

Every regulatory shift, every platform decision, reveals the same reality: brands that delegated their customer relationship to third parties built on ground they don’t control.

Customer data sovereignty: what it actually means

Sovereignty isn’t reserved for states. For a brand, it has a very operational definition: the ability to know your customers, talk to them, and deliver an experience, independently of the platforms that facilitate that relationship. Three concrete dimensions follow.

Sovereignty over collection. Who collects your customers’ behavior first? If it’s the Meta pixel or the Google tag, the data passes through their infrastructure first before coming back — maybe — to you. A server-side architecture reverses this logic: your infrastructure collects first, in your own environment, and you then decide what you share and with whom.

Sovereignty over identity. Do you really know your customers without depending on third-party identifiers (cookies, IDFA, GAID) controlled by platforms? A robust first-party identity, built from data collected with consent in your own environment, is the foundation of a customer relationship that survives external rule changes.

Sovereignty over activation. Can you activate your audiences toward Meta, Google, TikTok, but also toward your personalization tool, your CRM, your data warehouse — without depending on a single platform as a mandatory gateway? A distributed architecture, where you control the pipeline end to end, lets you switch partners without rebuilding everything.

Cloud Act, GDPR, Schrems II: the geopolitical stakes brands can no longer ignore

Reducing this topic to a question of data architecture would be inaccurate. There’s a real geopolitical dimension, well understood by legal teams and DPOs, but one marketing teams sometimes struggle to factor into their daily thinking.

Most of the world’s advertising infrastructure is owned by American companies — Google, Meta, Amazon, The Trade Desk — subject to US law, including its extraterritorial provisions. This same issue now extends to AI platforms, as illustrated by the US government’s decision to restrict access to an Anthropic model for foreign nationals. Your European customers’ behavioral data, if it passes through this infrastructure, enters a different legal regime than the European one.

This isn’t an ideological position, it’s a legal fact with practical implications for any brand operating in Europe under GDPR. The CNIL has already sanctioned data transfers to the United States it deemed non-compliant; other European data protection authorities are taking similar positions.

The question isn’t leaving American platforms — they remain indispensable for media activation at scale. The question is not delegating the collection and governance of your customer data to them: collect on your own ground first, govern by your own rules, then distribute to the destinations you choose.

Building a customer relationship you actually own

The 2012 fashion brand hadn’t anticipated that its fans didn’t belong to it — it had confused visibility with relationship, rented audience with built community.

The same misunderstanding is playing out today, at greater scale, with customer data. Brands invest heavily in customer knowledge — CRM, CDP, analytics tools — without ensuring that collection at the source was sovereign. They have rich profiles, fed by data that first passed through infrastructure they don’t control.

Sovereignty isn’t isolation. It isn’t refusing to work with Meta or Google — that would be counterproductive. It’s shifting from a dependency relationship with these platforms to a partnership one: sending them what you choose to send, from your own infrastructure, on your own terms.

Brands building this sovereignty today are building a durable competitive advantage — not just for better regulatory footing, but because customer knowledge you truly own, collected with consent and governed on your own ground, is structurally worth more than knowledge you rent.

The customer relationship is a brand’s most valuable asset. It might be time to check who really owns it.

About the author
Michael Froment is CEO and Founder of Commanders Act, a European CDP, CMP and Tag Management platform dedicated to first-party data and marketing sovereignty.

EU Score: adtech sovereignty finally measurable

Cloud, large language models, messaging apps… The debate on European digital sovereignty is expanding to an ever-growing list of topics. It comes as no surprise, then, to see adtech covered by initiatives such as EU Score — a platform that is also the flagship of a European digital resistance movement. A Wikipedia-inspired model Number of…