Post Summary:
- On 13 April 2021, the Kenya Data Commissioner published draft regulations in support of the Data Protection Act. As discussed in our last article, the Regulations have paved way for public consultations and operationalisation of the Act.
- We consider some of the issues that online marketers will face in implementation of the Act.
Q: Is online marketing prohibited under the Data Protection Act?
The Data Protection Act,2019 does not prohibit marketing activities. The Act and supporting regulations provide that data controllers and processors may undertake direct marketing activities under certain conditions.
Q: What is direct marketing?
The Act and regulations do not provide a specific definition for the term “Direct Marketing”. However, the Data Protection (General) Regulations, 2021 (“The Regulations”) provide that direct marketing includes the following activities:-
- sending a catalogue, through any medium, addressed to a data subject. A good example is where a retailer sends a monthly price offer to customers on email.
- displaying an advertisement on an online media site a data subject is logged on using their personal data, including data collected by cookies, relating to a website the data subject has viewed. In other words, digital advertising is considered as a direct marketing activity.
- Sending an electronic message to a data subject about a sale or other advertising material relating to a sale using personal data provided by a subject.
Q: Can I use all types of data in my possession to market to my customers?
No. Under Regulation 14, a data controller or data processor may only use personal data for direct marketing activities. The use of sensitive personal data is prohibited. Sensitive personal data includes data which reveals a person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.
For example, if you are a healthcare company, users of your site should not receive targeted advertisements on your site (or other sites they visit which have links to your site) on possible treatments of health conditions disclosed to you.
Q: Are there any specific customer segments that should not be targeted?
Yes. Regulation 12 of the draft Data Protection (General) Regulation prohibits profiling of a child for purposes of direct marketing.
Q: Do I have to seek consent before I can launch a marketing Campaign?
Yes. Under section 37 of the Data Protection Act and Regulation 14(a) of the Regulation, you must seek consent a data subject’s consent to use or disclose his data for purposes of marketing.
Section 32 of the Data Protection Act provides that a Data Controller and Data Processor shall bear the burden of proof for establishing a data subject’s consent to the processing of their personal data. Therefore, you must have a mechanism for seeking and tracking consents.
Q: How do I seek consent?
The Act does not give specifics on how to seek consent. However, section 2 of the Data Protection Act provides the elements of valid consent. In particular, it must be:
- expressly provided by the data subject;
- an unequivocal, free specific and informed indication of the data subject’s wishes; and
- made through a statement or by a clear affirmative action signifying agreement to the processing of data.
In practical terms, this means that you should have appropriate opt-in mechanisms inbuilt into your website or mobile apps. For example, you can have a checkbox at the account creation stage requesting users to click to confirm their consent to receiving marketing material by email. Pre-checked opt-in boxes do not offer valid consent.
You should also avoid using omnibus or bundled consents. Instead, be as specific as possible in what you are seeking consent for e.g. consent for SMS marketing and email marketing should be sought separately. You may optimise your opt-in forms with layered opt-in preferences to allow a customer to consent to their preferred mode of communication. For example, a customer can choose to be contacted either through email, phone calls, SMS or they can agree to receive communication on all channels.
Q: Should I give data subjects an opportunity to withdraw consent?
Yes. Under section 32 (2) of the Data Protection Act, a data subject has the right to withdraw consent at any time. The draft Regulation also provides that a data controller or data processor must provide a simple opt-out mechanism for data subjects. Sending messages to persons that have opted-out of your marketing service is prohibited.
Q: Are there any guidelines for marketing opt-outs?
Yes. The Data Protection (General) Regulation sets out guidelines for the content of opt-out messages as well as the minimum requirement for opt-out mechanisms. In summary, opt-out messages and mechanisms should have the following elements:-
- written in simple language, visible, clear and easily understood
- take into account the interests of persons living with disability
- include a prominent statement to draw a data subject’s attention to the fact that they may make an opt-out request
- include a simple opt-out process i.e. one that requires minimal time and effort.
- offer customers the option to opt-out at no cost
- include a link on each email that takes the data subject directly to the control center
- indicate that a data subject can opt-out of future direct marketing by sending a single word instruction e.g. TO OPT OUT SEND STOP TO 88888
- Inform recipients of direct marketing phone calls that the can verbally opt-out of future direct marketing phone call
Q: Is there a time-frame within which to comply with an opt-out request?
Yes. You should comply with an opt-out request within seven (7) days of receipt of the request. Once a data subject has opted out, you should not send any future communication to them. This means that you need to clean up existing databases to ensure that all your customers have active opt-ins. You should also create rules to ensure that those who have opted out do not accidentally end up in your databases.
Q: Do I need a Privacy Policy
Yes, under section 26 of the Data Protection Act, a data subject has a right to be informed of the use to which their personal data is to be put. Further, Regulation 22 of the Data Protection (General) Regulation provides that a data controller and data processor shall make, publish and regularly update a policy refacing their personal data handling practices.
Therefore, you should publish a privacy policy on your website and your mobile app. The policy should, at a minimum, stipulate the following:-
- the nature of personal data collected and held
- how data subjects may access their personal data and exercise their rights
- complaint handling mechanisms
- lawful purposes for processing personal data
- obligations or requirements to transfer personal data outside the country, to third parties, or other data controllers and processors located outside Kenya, and where possible, specify such recipients
- the data retention schedule
- the collection of personal data about a vulnerable segment of the community including children and the criteria applied.
Q: What Should I Do About Cookies
Whenever a user visits a websites, the site will often deposit data about the visit known as “cookies” on the users hard-drive. Advertisers often use cookies to track user’s online activity so that can target consumers through highly customised and specific advertisements. Although the Data Protection Act does not make reference to the term “cookies” it does specify that personal data may include data such as an “online identifiers” which can be linked to an identifiable natural person. Apart from this, Regulation 13 (1) (b) of the Data Protection (General) Regulation considers cookies to be a form of personal data.
Therefore you need to give users an opportunity to consent to the use of their cookies for direct marketing purposes. The Regulations do not provide specific guidelines on Cookie Consent and compliance. We hope that the public consultation process on the regulations will bring out this need and lead to development of further guidelines. For now, marketers should at least seek consent of users prior to making use of cookies and other web tracking technologies.