
Direct Marketing vis-à-vis the Right to Privacy

Written by: Jude Okeche

The increased use of digital media by consumers, and the ever-growing number of users joining the digital age, have pushed businesses to use digital direct marketing to reach their target markets more effectively. However, for direct marketing to succeed, marketers need to address a target audience and, to do that, they need information in the form of names, contact details such as phone numbers and addresses, demographic details, and purchase habits, history or preferences. The use of this personal information may single out individuals within a target group and therefore constitute a violation of the consumer’s right to privacy under the Data Protection Act, 2019 and the Constitution of Kenya, 2010. This brings to the fore the competing interests of protecting the right to privacy and the legitimate interest of businesses in keeping pace with technology and growing by reaching out to potential customers.

Direct marketing has been defined as any marketing that relies on direct communication or distribution to individual consumers, rather than through a third party. Mobile device applications (apps), email, phone calls, short message services (SMS), and social media campaigns are among the delivery channels used. It is called direct marketing because it generally eliminates the middleman, such as advertising media. Direct marketing has also been defined as any solicitation carried out by dispatching messages, regardless of the medium or nature of the message, in particular messages of a commercial, political, or charitable nature, designed to promote, directly or indirectly, goods and services or the image of the person selling the goods or providing the services.

The Data Protection Act (hereinafter “DPA”) seeks to create an institutional framework and legal guidelines for the processing of personal data, including personal data belonging to Kenyans. Prior to the enactment of the DPA, businesses and other institutions that collected personal data could share it with third parties without consent, and this encouraged abuse. In particular, during the 2017 General Elections, political parties and politicians collected personal data from the electorate and disseminated bulk messages on various platforms as a form of advertising. The controversial ‘Huduma Number’ initiative involved linking each individual to a digital identification number, which effectively tied the individual to a prepaid card, provided and operated by a foreign financial service provider, with a chip and PIN that would be used to pay for various government services. The bone of contention was that the government had collected citizens’ and residents’ personal data without prior safeguards in the form of regulation and an independent data commissioner’s office.

Even after the enactment of the Data Protection Act and the consequent appointment of the Data Commissioner, instances of misuse or illegal use of personal data remain prevalent. In June 2021, political parties were found to have registered citizens as their members without the consent prescribed under the DPA.

From the foregoing, the Data Protection Act, though a welcome initiative, has yet to close loopholes in the protection of personal data from illegal use and violations of the right to privacy. For instance, the Act is broad-based and fails to cater to sector-specific areas where a broad legislative approach does not suffice to protect consumers effectively. A stark example is the financial sector, where sector-specific regulations are required to prevent the misuse of personal data collected by digital financial services providers. Some digital financial service providers, especially those providing short-term loans, evaluate their customers’ credit risk using personal data such as call logs, contacts, data on where loan applicants spend their time, and social media data. They then use the same data to collect debts, reaching out to the borrowers’ close contacts in an effort to compel settlement.

In response to the above shortcomings, the Cabinet Secretary, Ministry of ICT, Innovation and Youth Affairs, appointed a task force on the development of Data Protection Regulations. The task force has developed Regulations that provide further safeguards for data subjects against violations of their right to privacy by requiring data controllers and processors to comply with the Data Protection Act. It is important to note that the Regulations are yet to be enacted and are therefore not yet in force.

The Regulations provide that the use of personal data is not regarded as commercial use if the data is not used or disclosed to identify or target particular recipients. A data controller or processor may therefore not be deemed to be using data for commercial purposes where they anonymize the data so that the data subject is not identifiable, where they have obtained the express consent of the data subject, or where they are authorized to use the personal data under any other written law. A data controller or processor is restricted to lawful use commensurate with their stated purpose, and if they intend to use the data for commercial purposes they are required to obtain consent from each individual data subject. Additionally, where the commercial use involves direct marketing, the data controller or processor may provide a soft opt-in or an opt-out mechanism for data subjects.

Permitted use of personal data under the Data Protection Act and the Draft Data Protection (General) Regulations

For businesses to thrive in this digital age they need to meet the consumer in the digital space. This, however, must be balanced against the individual’s right to privacy. The Act permits the use of personal data for commercial purposes subject to the data controller obtaining the consent of the data subject. The Regulations go further in defining the specific instances in which personal data may be used for the purpose of direct marketing. Sensitive personal data, however, may not be used for this purpose. Sensitive personal data under the Data Protection Act includes data revealing a natural person’s race, health status, genetic data, family details, and the like.

From the foregoing, businesses may use personal data concerning a data subject for the purpose of direct marketing only if: the data was collected directly from the data subject with their consent; the data controller or processor has provided a simple opt-out mechanism through which the data subject can request not to receive direct marketing communications; and the data subject has not made an opt-out request.

This brings out the issue of consent under the ‘opt-in’ and ‘opt-out’ heading. The Data Protection Act, 2019 provides for an opt-in consent model. Consent is described therein as an express, unequivocal, free, specific, and informed indication of the data subject’s wishes. The data subject is therefore required to take a positive action to indicate their consent.

Moreover, Section 32(2) of the DPA places an obligation on a business to provide an opt-out mechanism where a data subject wishes to withdraw their consent. The Data Protection (General) Regulations provide for an opt-out mechanism under Regulation 14. The opt-out message should be clear and easily understandable, and it should set out a simplified process for opting out. Furthermore, the Draft Regulations provide that the opt-out mechanism may be subject to charges, but these must be at a nominal cost to the data subject. The Regulations protect the interests of persons living with disability and oblige the data controller or processor to provide an opt-out mechanism that does not make it unreasonably difficult to withdraw consent. These Regulations, though not yet published, are intended to address other emerging issues such as cookies in order to protect data subjects adequately and to give processors and controllers of data guidance on the best way forward.

Where a business does not obtain the express consent of the data subject, or obtains the data but applies it to commercial use without the data subject’s express consent, the organization is exposed to the risk of legal action for violating the data subject’s right to privacy under Section 26(1)(a) of the DPA, which provides that a data subject has the right to be informed of the use to which their personal data is to be put. Consequently, where a data controller or processor obtains a data subject’s phone number and proceeds to sell it to a third party, that is classified as a violation of the data subject’s rights. This violation attracts a fine of Kshs. 3,000,000, imprisonment for a term not exceeding ten (10) years, or both.

The stiff penalties for data breaches or violations of a data subject’s right to privacy oblige a prudent business to take active steps to prevent such a situation. This entails obtaining consent from prospective target audiences and data subjects. As discussed above, the consent must be obtained freely and the data subject must be informed of the use to which their data will be applied. This obligation applies to anyone intending to use personal data for commercial purposes and is buttressed by Section 30(1) of the DPA.

Where a data breach occurs, the DPA provides that the data controller or processor is obliged to notify the data subject within forty-eight (48) hours of the breach. Notifiable breaches are those involving information such as the data subject’s name, passwords, security codes, health and treatment information, and identification number. Personal data that is publicly available, or that is disclosed to the extent stipulated under any written law, falls outside this category. The purpose of the notification is to give the data subject an opportunity to take protective measures, such as changing or updating credentials, to prevent further breaches or data loss.

It is advisable for business entities to adopt comprehensive data protection measures, guided by the principles of data protection under Section 25 of the DPA, at the earliest stage in order to avert legal risks and potential data breaches. The measures implemented must integrate the necessary safeguards, including pseudonymization or encryption of personal data, to protect highly sensitive data from potential breaches. A data controller or processor is not required to notify the data subject of a breach where the personal data concerned was encrypted.

The increased use of direct marketing in the digital space has generated more business and boosted the market visibility of small and medium enterprises. However, user information is increasingly at risk of being breached, and entities will be held culpable for any data breaches. To this end, businesses and entities, which are in essence data processors and/or data controllers, should ensure that requests for consent are in clear and plain language. Further, entities should ensure that they do not re-use or disclose personal data for purposes unrelated to the one for which it was collected, and that the data collected is relevant to the intended purpose.