Commercial use of personal data or direct marketing has been defined as the ‘distribution of products, information and promotion by aiming interactive communication with the consumers’.¹ It has also been defined as a practice of ‘sending promotional messages directly to the consumers on an individual basis and not based on a large extent’.² Commercial use of personal data also means approaching a data subject either in person, by mail or by electronic communication for the purpose of promoting or advertising goods or services to the data subject or requesting them to donate.³

Direct marketing is regarded as an effective means of marketing since it comprises activities like ‘forecast analysis, compilation of lists, the creation and implementation of the important campaign for the audience and the efforts for the fulfillment of the analytical marketing’s activities.’⁴ These activities aid in understanding marketing trends thus enabling marketers to adjust their marketing strategy so as to gain and keep clients. The benefits that accrue from direct marketing have led companies to embrace this form of marketing and also utilise it. Advertising agencies have also embraced it and most now have a ‘department for direct marketing.’⁵

The importance of direct marketing to a marketer is that it allows him to promote the product or service directly to his target audience and also measure results quickly.⁶ Other benefits to a marketer include ‘high segmentation and targeting, enables a marketer to increase sales with current and former clients and also upgrade loyalty strategies.’⁷The common forms of direct marketing include direct mail, social media marketing, Email marketing and SMS marketing.⁸ In as much as this practice is beneficial, its success is dependent on legal compliance by the marketer.⁹ An example of unlawful marketing is where a marketer shares data subjects’ personal data with non-compliant parties.¹⁰ This poses a risk to data subjects since their personal data may be misused and their privacy may also be infringed.

In Kenya, the legal frameworks applicable to direct marketing include the Constitution of Kenya 2010, the Data Protection Act 2019 together with the Data Protection (General) Regulations 2021 and the Kenya Information and Communication (Consumer Protection) Regulations 2010 (KICA Regulations). The Constitution plays a fundamental role since it has rights accorded to every citizen and these rights include the right to privacy which plays an important role in direct marketing practices, especially where the marketing comprises ‘unsolicited communications.’¹¹

The Data Protection Act 2019 contains requirements applicable to the commercial use of personal data.¹² At the same time, the KICA regulations prescribe ‘consent, opt-in and opt-out principle requirements as well as offences related to direct marketing.’¹³ Other countries with direct marketing provisions in their legislations include: the United Kingdom (UK GDPR and Privacy and Electronic Communications Regulations 2003 (as amended) (PEC Regulations), United States (CAN-SPAM ACT and also Federal and State Regulations), Australia (Spam Act 2003), New Zealand (Privacy Act 1993 and the Unsolicited Electronic Messages Act 2007), European Union Member States (GDPR and the ePrivacy Directive) and others.¹⁴

Since marketers are involved in collecting and processing personal data, they are regarded as data controllers or data processors. The Data Protection Act 2019, section 2 defines a data controller as a ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data.’ A data processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.’

As a data processor, a marketer should realise that each processing activity requires a legal basis such as ‘consent or legitimate interest.’¹⁵ Consent is described in the Data Protection Act 2019 as ‘any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action signifying agreement to the processing of personal data relating to the data subject.’¹⁶ Some examples of lawful consent include ‘clicking an opt-in button or link, signing a consent statement, responding to an email requesting consent and selecting from yes or no options.’¹⁷

The action a data subject takes to agree to have their personal data processed should be through an opt-in mechanism and here the data subject ‘takes a positive action to indicate their consent.’¹⁸Opt-in consent is whereby one asks for someone’s consent or permission before using their data for marketing.¹⁹ An opt-out consent is whereby ‘consent is in the affirmative by default unless data subjects take action to withdraw it.’²⁰Opt-out options are offered to the consumer in two ways:

• Pre-emptive opt-out is whereby a consumer unticks or unchecks a pre-selected checkbox indicating their refusal to data processing.²¹

• Consent withdrawal is where users are provided with the option of withdrawing their permission or changing their preferences concerning treatment of their personal data.²²

The Data Protection (General) Regulations 2021 further provide that personal data may be used for commercial purposes where the data subject has been notified that direct marketing is one of the purposes for which personal data is collected, the data subject has consented to the use of personal data for direct marketing purposes and the data controller or processor has provided a ‘simplified opt out mechanism for the data subject to request not to receive direct marketing communications.’²³

The processing of personal data should also be in compliance with general data protection principles. These principles are contained in section 25 of the Data Protection Act 2019 and also the General Data Protection Regulations (GDPR).²⁴ They include: lawful, fair and transparent processing, purpose limitation, data minimization, data accuracy, data retention and data security, integrity and confidentiality. ²⁵

The purpose limitation principle is fundamental in direct marketing since it requires data controllers or data processors to collect personal data for ‘explicit, specified and legitimate purposes…’²⁶ Therefore the personal data should be used for purposes ‘informed to the user.’²⁷ For instance, if data is collected for research purposes, it cannot be used for marketing purposes.²⁸ In cases where a marketer wants to use the collected data for other purposes, he should obtain new consent from the data subject.²⁹ This principle protects data subjects from misuse of their personal data and also ensures that data controllers or processors comply with the law.

Profiling also plays a significant role in direct marketing and cannot be understated. It has been described as the ‘automated processing of personal data to evaluate the “personal aspects” of an individual, in particular, to analyse or make a prediction about that individual.’³⁰Customer profiling focuses on understanding one’s customers and reasons why they behave in a certain way.³¹Although it facilitates better communication with customers, a data controller or data processor should ensure that the ‘rights of a data subject to oppose profiling and specifically profiling for marketing are present.’³²

Finally, the shift from traditional mode of marketing to the use of personal data for direct marketing practices is not only beneficial, but it also involves intricacies that require legal compliance from data controllers or data processors and active participation from data subjects especially in exercising their rights. Digital platforms have indeed facilitated the use of big data to improve marketing performance. However, the efficiency of these platforms should not only have a one-sided effect but should also ensure every party involved is adequately protected by the law. It is therefore important to identify any loopholes that may exist in direct marketing laws and revamp them to cater for ongoing developments in digital marketing.

Image is from jjlyonsmarketing.com