Data Brokers and Direct Marketing

You have probably received unsolicited text messages marketing some goods or services. The most common of these include texts marketing mobile loans, offers in supermarkets, offers to subscribe to pay TV and offers for food delivery among others. The texts may be one off or periodic. The situation is more curious during an electioneering period where candidates for various political positions within your constituency spam you with campaign messages. Truly, some of the texts are obnoxious and irritating.

To your recollection, you have never shared your phone number with the aim of receiving this kind of targeted marketing or political messaging. Secondly, anytime you block the short codes or numbers sending these messages, you receive same messaging from other short codes or numbers. It seems like the senders realise when you have blocked their numbers; you then make a complaint to your mobile service provider who proposes that you block the said numbers or unsubscribe from the service sending the texts. You do as advised but you continue to receive the unsolicited text messages.

This situation is in most cases occasioned by data brokers. These are individuals or companies that collect personal information about you and sell to individuals, companies or even the government who in turn use the information for commercial, political, surveillance or social purposes. Personal information collected by the data brokers includes an individual’s name, age, sex, phone number, email address, location, interests and purchasing behaviour.

Data brokers have mastered the art of scrapping personal data from social media sites, mobile money agents, sign sheets used at security points when accessing buildings, loyalty cards, health facilities and public records. They may also access census data, voter registration information, motor vehicle records, collect or purchase data from credit card providers and retailers. Some personal is collected from online data leaks that have now become common.

The data brokerage industry is currently unregulated. But this is about to change if draft regulations under the Data Protection Act that were recently published for public participation are enacted. The draft regulations provide that it will be mandatory for businesses that are wholly or mainly in direct marketing to register with the Office of the Data Protection Commissioner. In making an application for registration, these companies will be required to provide information on the description of personal data they will be collecting, from whom they will collect this data, the purpose of collecting the data and persons or institutions with whom they will disclose or share any personal data collected.

Another important aspect that the draft regulations provide for is commercial use of data. The draft regulations propose to define what modes of direct marketing will be allowed either through direct messaging or online advertisements. A relief to Kenyans is that the direct marketing companies will now be obligated to seek consent before sending those marketing messages. Further, even if consent is obtained, an individual will be at liberty to opt out of direct marketing schemes at no cost. There is nothing within the law that stops data brokers from trading in information or engaging in direct marketing where individuals expressly consent to this. But the consent only applies to the direct messaging consented to. If I consent to receiving text messages on offers from a supermarket, my personal data may not be used to send me text messages on food delivery options by a different service provider.

It is for the data broker to prove that they have obtained free, prior and informed consent from people they will spam with targeted text messaging. Free consent means that institutions should not coerce or unduly incentivise people to consent or penalise anyone who refuses to give consent. The data brokers must also inform the data subjects that they will use their personal data for marketing or other commercial purposes. Such information ought to be specific. For example, indicating that the market information the data subject will receive will only be in relation to a specified product or service. If I pay for a service by MPESA, that does not give leeway to the service provider to use my mobile phone number to market their services to me. They must only use my phone number to confirm that I have paid for their services.

Data brokers may argue that they obtained personal information well before enactment of the Data Protection Act, 2019 and that they are under no obligation to subject such data to data protection principles. Unfortunately for data brokers, Article 31 of the Constitution already provided for the right to privacy.  This right includes right not to have one’s information relating to their private affairs required or revealed or one’s communication privacy infringed. And the draft regulations define this right further by regulating use of personal data for commercial purposes.

It is instructive that data brokers seek to comply with the Constitution and the Data Protection Act in relation to how they collect and use personal data. For starters, they must stop using personal data for direct marketing purposes without consent of data subjects. It is just a matter of time before the office of the Office of the Data Protection Commissioner starts issuing administrative fines to persons and institutions not complying with the Data Protection Act.