Introduction
The protections afforded to data subjects under the Data Protection Act (Cap. 411C) Laws of Kenya (the Act) empower them to dictate and control how their personal data is processed. To promote the right to privacy, the Act dictates how personal data may be used for direct marketing. Despite extensive provisions under the Act, Determinations from the Office of the Data Protection Commissioner (ODPC) reveal compliance gaps where a data controller or processor (collectively, data handlers) opts to market directly to data subjects.
Under section 37(3) of the Act, the Cabinet Secretary together with the ODPC are to issue guidelines on the commercial use of personal data, including direct marketing. Since the ODPC has yet to publish these guidelines, this article proposes safeguards, over and above those in the Act, that a data handler can employ when marketing directly to its customers.
Commercial Use of Personal Data
For starters, data handlers have to be cognisant of the provisions governing the commercial use of personal data.
Under section 37(1) of the Act, a data handler can only use personal data for commercial purposes where – a) it obtains consent from the data subject; or b) it is authorised under a written law and the data subject is informed of such use during collection. Section 37(2) of the Act requires data handlers to, where possible, anonymise personal data to ensure that the data subject cannot be identified. Under regulation 14(2) of the Data Protection (General) Regulations (the General Regulations), direct marketing is identified as a commercial use of personal data where – a) a catalogue is addressed to a data subject; b) an advertisement is displayed on an online site where a data subject’s personal data has been captured; or c) an electronic message is sent to a data subject using their personal data. Per regulation 14(3) of the General Regulations, marketing is only direct when personal data is used to identify an individual.
Regulations 8(4) and (5) of the General Regulations recognise a data subject’s absolute right to object to processing for direct marketing. The Information Commissioner’s Office (ICO) – the data protection authority in the United Kingdom – describes this right to object as “stronger than any other objection”. Due to its absolute nature, once a data subject exercises this right, a data handler must stop all processing for direct marketing purposes.
Profiling is defined under section 2 of the Act as “automated processing of personal data” to evaluate and predict aspects of a data subject, such as interests, preferences and/or behaviour; in this context, to enable targeted marketing. Regulation 13(2)(b) of the General Regulations expressly prohibits the use of a child’s profile for direct marketing.
Regulation 15 of the General Regulations prescribes instances where use of personal data, other than sensitive personal data, is permitted i.e., where – a) the personal data was collected directly from the data subject; b) the data subject is informed that direct marketing is among the purposes for collection; c) the data subject has given consent for direct marketing; d) there is a simplified opt out mechanism; or e) the data subject has not exercised his/her right to opt out of the direct marketing.
Regulation 16 of the General Regulations dictates that the opt out mechanism should be free of charge, clear, require minimal time and effort to effect, provide a direct and accessible communication channel, and accommodate persons living with disability.
Regulation 17(2) of the General Regulations requires that for a direct marketing opt out mechanism to be compliant, it should have a clear and accessible means for a data subject to exercise this right i.e., by replying with a single word instruction, using a prominent link to a subscription control centre, verbally during a phone call or by following instructions in each message. Further, under regulation 17(3) and (4) of the General Regulations, a data handler may allow the data subject to dictate his/her direct marketing preferences, including by opting out of all future direct marketing communications.
Under regulation 18 of the General Regulations, requests by a data subject to restrict disclosure to third parties must be complied with within seven (7) days.
Direct Marketing Infractions by Data Handlers
In ODPC Complaint 1994 of 2023 as consolidated with ODPC Complaint 1998 of 2023 and ODPC Complaint 2298 of 2023 – David Owuor & 2 Others v. Ceres Tech Limited t/a Rocketpesa, three (3) data subjects were awarded a cumulative sum of KES. 2,600,000 as compensation against Rocketpesa. The ODPC found that the data handler, in inducing the data subjects to take loans, sent unsolicited promotional messages and calls without providing opt out mechanisms and without obtaining consent from the data subjects. For two (2) of the data subjects, the ODPC determined that Rocketpesa had disregarded their objection to processing requests. The ODPC further noted that, as a repeat offender, Rocketpesa had not complied with a previous Enforcement Notice issued against it in ODPC Complaint 869 of 2023 – John Otieno v. Ceres Tech Limited t/a Rocketpesa.
In August 2024, the ODPC in ODPC Complaint 762 of 2024 – Dennis Gathara v. Goodtimes Africa ordered Goodtimes Africa to pay a data subject KES. 700,000 as compensation for the data handler’s failure to provide an opt out mechanism, to honour the data subject’s objection to processing – despite this being an absolute right – and to honour a request for erasure of personal data. The ODPC made its determination after investigations revealed that Goodtimes Africa had sent promotional messages to the data subject without his consent and in spite of his objection to processing.
Recommendations
While the Act stipulates minimum standards when marketing directly to data subjects, good practice requires more than mere compliance with the Act and General Regulations; it also calls for adoption of best practice standards.
a. Direct Marketing Suppression/Do Not Contact Lists
At a minimum, data handlers have to respect their data subjects’ preferences, i.e., the data subject’s right to object to processing, to opt out of direct marketing activities, and to have their personal data erased. To give effect to these preferences, other jurisdictions maintain direct marketing suppression/do not contact lists. This practice is considered better than wholesale deletion of a data subject’s details upon receipt of a request, because deletion leaves the data handler with no record against which to screen future campaigns.
A suppression/do not contact list records the people who have communicated their decision not to have their personal data used for direct marketing purposes. In using a do not contact list, a data handler retains minimal contact information for the sole purpose of ensuring that it does not inadvertently contact people who have opted out of direct marketing. Thereafter, prior to carrying out any direct marketing initiative, the data handler cross checks its records against the list to determine whom not to market to.
While it may seem counterintuitive to retain any data when the Act requires a data handler to accede to an opt out request, this practice ensures stricter compliance with the direct marketing provisions under the Act, as only the minimal contact details needed to prevent further direct marketing are maintained, and they are used for no other purpose.
The determinations by the ODPC referenced above depict blatant non-compliance with the provisions governing direct marketing under the Act. While the Act stipulates minimum standards when marketing directly to data subjects, as alluded to above, this article seeks to give recommendations to ensure data handlers create a robust privacy centric culture within their organisations. In our assessment, this requires more than mere compliance with the Act and General Regulations; it calls for adoption of best practice standards that permeate the organisation’s data processing operations.
b. Granular Consent Options
The Act requires a data handler to obtain a data subject’s consent prior to processing personal data for commercial use. While this is an irreducible minimum when handling personal data, we suggest that data handlers go a step further and provide their data subjects with multiple consent options.
Regularly seeking consent for specific direct marketing activities creates transparency with the data subject while ensuring that the data handler can definitively demonstrate that it obtained consent for each direct marketing activity.
In essence, granular consent options allow data subjects to communicate their preferences when it comes to the handling of their personal data. Consequently, the data handler is able to align its marketing initiatives with a data subject’s preferences, thereby giving the data subject control over his or her personal data and ultimately fostering trust in the relationship.
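As an added illustration of both recommendations above (the suppression/do not contact list and granular consent options), and not code from the original article, the following Python sketch keeps only a keyed hash of each contact on the suppression list, records consent per marketing purpose, honours a single-word "STOP" reply, and screens a campaign list before sending. The pepper value, purpose names and contact details are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed secret for keyed hashing; in practice it would be held outside the
# marketing database so a leaked list cannot be reversed into raw contacts.
PEPPER = b"example-pepper-not-for-production"


def contact_key(contact: str) -> str:
    """Keyed hash of a normalised phone number/e-mail, so no raw identifier is stored."""
    normalised = "".join(contact.split()).lower()
    return hmac.new(PEPPER, normalised.encode(), hashlib.sha256).hexdigest()


@dataclass
class MarketingRegistry:
    # Suppression list: contact_key -> reason (opt-out, objection, erasure request).
    suppressed: dict = field(default_factory=dict)
    # Granular consent: contact_key -> set of purposes the data subject agreed to.
    consents: dict = field(default_factory=dict)

    def record_consent(self, contact: str, purposes: set) -> None:
        self.consents.setdefault(contact_key(contact), set()).update(purposes)

    def opt_out(self, contact: str, reason: str = "opt-out", purposes=None) -> None:
        """Absolute objection (purposes=None) suppresses the contact entirely and
        discards the consent record; otherwise only the named purposes are withdrawn."""
        key = contact_key(contact)
        if purposes is None:
            self.suppressed[key] = reason
            self.consents.pop(key, None)
        else:
            self.consents.get(key, set()).difference_update(purposes)

    def handle_reply(self, contact: str, text: str) -> bool:
        """Single-word instruction reply (cf. regulation 17(2)); returns True if acted on."""
        if text.strip().upper() in {"STOP", "UNSUBSCRIBE"}:
            self.opt_out(contact, reason="single-word reply")
            return True
        return False

    def may_contact(self, contact: str, purpose: str) -> bool:
        key = contact_key(contact)
        if key in self.suppressed:          # suppression list wins over any consent
            return False
        return purpose in self.consents.get(key, set())

    def filter_campaign(self, contacts: list, purpose: str) -> list:
        """Cross check a campaign list before sending; returns only permitted contacts."""
        return [c for c in contacts if self.may_contact(c, purpose)]
```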
c. Sensitisation and Training of Employees
Quite apart from training employees on the salient features of the Act, data handlers would do well to develop customised training programmes aimed at addressing the privacy challenges specific to their business. Such training ensures constant messaging to employees about their obligations, which in turn creates a privacy centric culture within the business.
Upshot
Determinations from the ODPC reveal just how critical it is to create a privacy centric culture within an organisation. On a cost-benefit analysis, it is clear that making data protection a key consideration in a business’ operations is prudent. As the ICO puts it, data protection must be “baked into” the company’s activities.
Furthermore, while these recommendations ensure that data protection is a key consideration, their application should not stifle a business’ ability to market directly to its customers. The idea is for direct marketing to be undertaken with due regard to the data subject’s privacy rights.