The rise of the information age has forced businesses to rethink how they trade, and nowhere more so than in advertising. Advertising is no longer simply the way information and culture are paid for; what was once the purview of corporate judgement has been replaced by algorithms and information architecture designed to give each user a personalised experience. In the heightened noise of a market in which everyone competes for the user's attention, the temptation to engage the user directly with a targeted, personal advertisement is understandable, yet such engagement often comes at the risk of violating the user's right to privacy. In this article, we explore how a business can navigate these murky waters and strike a balance between respecting a customer's right to privacy and creating an effective and satisfying user experience through direct marketing.
Direct Digital Marketing: The Basics
Hamman and Papaodulos define direct digital marketing (DDM) as a system of marketing in which the marketer communicates directly with the intended customer over a medium, expecting the interaction to elicit a measurable response, ideally a positive one. Whereas traditional direct marketing takes forms such as fliers, DDM uses a digital medium such as a mobile phone, e-mail, television or a web-based platform for the direct or indirect purpose of promoting a good or service. In practice this can take the form of Short Message Service (SMS) alerts informing a person of the latest offers at a particular restaurant, or e-mail alerts notifying a user of an ongoing promotion at a department store.
In Kenya, an attempt to codify the meaning of DDM has been made in regulation 13 of the Draft Data Protection (General) Regulations, 2021 (the Draft Regulations), which are still under consideration. Regulation 13 provides that a data controller or data processor will be deemed to have used personal data for commercial purposes where it: (a) sends a catalogue, through any medium, addressed to a data subject; (b) displays an advertisement on an online media site on which the data subject is logged on, using personal data relating to the websites the data subject has viewed, which includes data collected by cookies to target users; or (c) sends an electronic message to a data subject about a sale or other advertising material relating to a sale, using personal data provided by the data subject.
It is critical to note that under the Draft Regulations, a person will not be considered to have used a data subject's personal data for DDM where the data is not used or disclosed to identify or target particular recipients. For instance, a data controller's or processor's use of aggregate analytics to estimate which content is most viewed, or which resources users sought on the organisation's website, would not qualify as DDM. However, should the organisation go on to use personal data drawn from that analysis, such as a user's age and gender, to target the user on their next visit to the website, or sell that data to an advertiser, the use would qualify as DDM and attract the application of the Data Protection Act, 2019 (DPA).
For DDM to succeed, marketers need to address a target audience, and to do so they ordinarily require large volumes of personal data; this is the crux of direct marketing. Most of the data marketers want is personal in nature: a person's name, age, gender, residence, purchase habits or preferences. In most instances this data is collected from the consumer's interaction with the business or its platform. DDM presents a risk to the marketer where it obtains a consumer's personal data without consent, or uses it for a purpose the consumer was never told about. An example is a hotel that collects a guest's phone number while taking a booking and then uses that number to send promotional messages about its discounted rates, without having disclosed that the number would be used for that purpose. As innocuous as such collection, storage and use might seem, it presents a real legal risk to the enterprise. First, it violates the data subject's right under section 26(1)(a) of the DPA to be informed of the use to which their personal data is to be put. Second, it violates section 30(1) of the DPA, which prohibits processing personal data unless the data subject has consented or another lawful basis under that section applies; the continued storage and use of the number for marketing compounds that breach. The enterprise is therefore likely to incur liability for breaching the user's right to privacy, exposing the business to lawsuits and regulatory fines.
Unlawful disclosure of personal data is an offence under section 72(1) of the DPA; on conviction, the offender is liable to a fine not exceeding KES 3,000,000 (about USD 30,000) or to imprisonment for a term not exceeding ten (10) years, or both. The measures below reduce that risk.
a. Obtain consent
Businesses that intend to adopt a DDM strategy should obtain consent from their intended audience before running any campaign. This obligation is founded on section 30(1) of the DPA, which requires a data controller or data processor to obtain the data subject's consent before processing personal data, unless another lawful basis under that section applies. The position is reinforced by regulation 14(1) of the Draft Regulations, which sets out the conditions on which commercial use of personal data, other than sensitive personal data, is permitted.
Under regulation 14(1), a data controller or processor may use personal data for commercial purposes only if five (5) conditions are met. First, the data controller or processor must have collected the personal data from the data subject. Second, the data subject must have been notified that direct marketing is one of the purposes for which the data was collected. Third, the data subject must have consented to that use of their personal data. Fourth, the data controller or processor must provide an opt-out mechanism through which the data subject can decline DDM communications. Fifth, the data subject must not have made an opt-out request at the time the data is collected, used or processed.
Opt-out mechanisms allow a data subject to withdraw consent to the use of their personal data in DDM; in practice this may be an unsubscribe link in an e-mail or a reply keyword for SMS. Regulation 15(1) of the Draft Regulations prescribes what an opt-out mechanism must offer. It must carry a visible, clear and easily understood explanation of how to opt out, such as instructions in plain language and a legible font size. It must use a simplified process that takes minimal time and effort. It must provide a direct and accessible communication channel. And it must be free, or involve no more than a nominal cost to the data subject.
b. Use the data obtained for a limited purpose
The obligations of a business are not limited to obtaining data lawfully. A business must also use the data only for the purpose for which it was acquired. Where that purpose changes, a data controller may still use the data, subject to obtaining the data subject's consent for the new use. This is in line with regulation 5(3) of the Draft Regulations, which provides that where a data controller or processor intends to use personal data for a new purpose, it must ensure that the new purpose is compatible with the original one. For instance, if a business collects a customer's phone number to confirm that a payment made through a mobile money platform has gone through, the same number should not be used to send promotional messages. Using the data for a purpose that is not intrinsic to the original purpose would violate the data subject's rights under section 26 of the DPA.
c. Respect the data subject’s rights
A data subject has a right under section 26(c) of the DPA to object to the processing of their personal data. In DDM this typically takes the form of an SMS to a designated short code asking that promotional messages stop, or a click on the unsubscribe link in a marketing e-mail. Once a customer has objected, any further use of their data for that purpose is unlawful and exposes the marketer to liability. A business must therefore act on the objection and stop using the customer's data; the objection should be recorded and honoured across every channel and system that sends marketing, not only the one through which it arrived.
d. Adopt data protection by design in devising DDM Strategies
DDM involves collecting and storing personal data. A business adopting it must therefore ensure that its technical and organisational measures are designed, at all times, to implement the data protection principles effectively and to integrate the necessary safeguards into its processing. This is the obligation in section 41(2) of the DPA, which requires data controllers and processors to adopt technical and organisational measures that implement the data protection principles both when determining the means of processing and during the processing itself. In practice this means decisions such as collecting only the data a campaign needs, recording the disclosed purpose and the consent alongside each contact detail, and building suppression of opted-out subjects into the sending system rather than relying on manual list maintenance. Failure to adopt such measures may expose the business to a data breach and to legal liability, so a business should confirm that the measures it adopts satisfy this principle.
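As an added example, not from the original article and not an official implementation of the DPA or the Draft Regulations, the following Python sketch shows how the points in sections a to d above can be enforced in the sending path itself: a consent ledger keyed by subject and purpose, a gate that refuses to send unless every regulation 14(1) condition holds, an opt-out footer on every message and an inbound handler that honours a STOP reply. The subject identifiers, purpose names, timestamps and messages are constructed for illustration.

```python
"""Consent-gated direct marketing sender (illustrative; names are this example's own)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PURPOSE_DDM = "direct_marketing"
# Regulation 15(1): the opt-out route is stated plainly, costs nothing and takes one step.
OPT_OUT_FOOTER = " Reply STOP to opt out (free)."


@dataclass
class ConsentRecord:
    """One (subject, purpose) entry; each field maps to a regulation 14(1) condition."""
    subject_id: str
    purpose: str
    collected_from_subject: bool              # 14(1)(a): data came from the subject
    notified_at: Optional[datetime]           # 14(1)(b): purpose disclosed at collection
    consented_at: Optional[datetime]          # 14(1)(c): explicit consent, None if absent
    withdrawn_at: Optional[datetime] = None   # 14(1)(e) / s.26(c): opt-out or objection


class ConsentLedger:
    """In-memory ledger; a real system would persist this next to the contact data."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def record(self, rec: ConsentRecord) -> None:
        self._records[(rec.subject_id, rec.purpose)] = rec

    def opt_out(self, subject_id: str, purpose: str, when: Optional[datetime] = None) -> bool:
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return False
        rec.withdrawn_at = when or datetime.now(timezone.utc)
        return True

    def check(self, subject_id: str, purpose: str) -> tuple[bool, str]:
        """Return (allowed, reason); every condition must hold, the first failure is reported."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:  # purpose limitation: data held for another purpose is not reusable
            return False, f"no consent record for purpose '{purpose}'"
        if not rec.collected_from_subject:
            return False, "data not collected from the data subject"
        if rec.notified_at is None:
            return False, "subject was not notified of this purpose at collection"
        if rec.consented_at is None:
            return False, "subject did not consent to this purpose"
        if rec.withdrawn_at is not None:
            return False, f"subject opted out at {rec.withdrawn_at.isoformat()}"
        return True, "ok"


def send_ddm_message(ledger: ConsentLedger, subject_id: str, body: str,
                     outbox: list) -> tuple[bool, str]:
    """Gate every outbound marketing message; 'outbox' stands in for the SMS/e-mail transport."""
    allowed, reason = ledger.check(subject_id, PURPOSE_DDM)
    if not allowed:
        return False, reason
    outbox.append((subject_id, body + OPT_OUT_FOOTER))
    return True, "sent"


def handle_inbound(ledger: ConsentLedger, subject_id: str, text: str) -> bool:
    """A STOP reply (any case, stray spaces) withdraws DDM consent for that subject."""
    if text.strip().upper() == "STOP":
        return ledger.opt_out(ledger_subject(subject_id), PURPOSE_DDM)
    return False


def ledger_subject(subject_id: str) -> str:
    """Normalise the inbound sender id; identity mapping here, e.g. E.164 canonicalisation in practice."""
    return subject_id


def demo() -> dict:
    """Walk three constructed guests through the gate and return each outcome."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    outbox: list = []
    # guest-1: number collected only to confirm a mobile-money payment (section b scenario).
    ledger.record(ConsentRecord("guest-1", "payment_confirmation", True, t0, t0))
    # guest-2: told at booking that offers would be sent, and agreed.
    ledger.record(ConsentRecord("guest-2", PURPOSE_DDM, True, t0, t0))
    # guest-3: number taken for marketing, but the purpose was never disclosed.
    ledger.record(ConsentRecord("guest-3", PURPOSE_DDM, True, None, t0))

    offer = "20% off weekend stays this month."
    results = {name: send_ddm_message(ledger, name, offer, outbox)
               for name in ("guest-1", "guest-2", "guest-3")}
    handle_inbound(ledger, "guest-2", " stop ")          # objection under section 26(c)
    results["guest-2-after-stop"] = send_ddm_message(ledger, "guest-2", "Another offer.", outbox)
    results["outbox"] = outbox
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The gate is deliberately placed in the function that hands a message to the transport, so a campaign tool cannot bypass it by reading the contact list directly; that is the practical meaning of "data protection by design" for a DDM system.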
e. Notify the data subject in case of breach
If a data breach occurs, section 43 of the DPA sets out whom the business must notify and when. Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to the data subject, the data controller must notify the Data Commissioner without delay and within seventy-two (72) hours of becoming aware of the breach, and must communicate the breach to the affected data subject in writing within a reasonably practicable period (section 43(1)); a data processor that becomes aware of a breach must notify its data controller within forty-eight (48) hours (section 43(2)). The communication to the data subject should describe the nature of the breach, the data affected and the remedial action taken or proposed to prevent further loss. Such notification not only alerts the data subject to the loss of their personal data but also lets them take their own remedial steps as an end user, such as changing or updating their credentials, which can stave off the worst of the follow-on attacks.
In conclusion, DDM, whilst a viable and useful way of reaching and engaging one's clientele, carries a real risk of violating a customer's right to privacy. To avoid that risk, businesses should adopt a DDM strategy that is alive to the target's right to privacy and to the business's own data protection duties and obligations.