Consumer data fuels direct marketing strategies among businesses, more so through telecommunications and information technologies that are increasingly being incorporated in the day-to-day running of businesses. Through phone calls, text messages, emails and social media, businesses can increase their chances for sales and referrals by promoting themselves, their products or services to potential customers without the need for middlemen.¹ Usually, this will involve collecting personal data from potential customers and creating profiles around their preferences then sending personalised communications to them.² The reliance of direct marketing on personal data makes regulating data collection and processing activities necessary to guard against crossing of the lines of privacy. The Data Protection Act(DPA) and the newly proposed draft Data Protection(General) Regulations of 2021 make significant efforts towards this end.

The DPA recognises the data subject’s consent as a key prerequisite to processing their personal data,³ especially in commercial transactions.⁴ The Act describes consent as an express, unequivocal, free, specific and informed indication of the data subject’s wishes.⁵ This, it says, should be done by a statement or clear affirmation, signifying agreement to the processing of the data subject’s personal data.⁶ This implies that the action the data subject takes to agree to the processing of their data should be through an opt-in mechanism whereby a data subject takes a positive action to indicate their consent. Checking an unchecked box, answering yes to an oral request for consent, clicking a button or link online to opt in and selecting yes/no options are some of the ways data subjects can opt into a request for their data to be processed in a specified manner.⁷

Consent requirements in the draft Data Protection(General) Regulations, to a large extent, depict those in the Act.⁸ The Regulations, however, introduce a rule which at first glance seems to vacate from the supposed opt-in consent model under the Act. Regulation 14 states as follows:⁹

“A data controller or data processor may use personal data, other than sensitive information, concerning a data subject for the purpose of direct marketing only if… the data subject has consented to the use or disclosure of the personal data for that purpose; the data controller or data processor provides a simple opt out mechanism for the data subject to request not to receive direct marketing communications; and the data subject has not made an opt out request.”

Whereas opt-in consent relies on the affirmative action of the data subject, opt-out consent is generally understood as its opposite such that consent is in the affirmative by default unless data subjects take action to withdraw it. Under the opt-out model, silence or pre-checked boxes are valid forms of consent. This is seen in countries such as the United States where there is no requirement in federal law to obtain affirmative consent prior to data collection.¹⁰ Though some laws require prior express consent for text message promotions, telemarketing and fax marketing,¹¹ the CAN-SPAM Act allows direct marketing email messages to be sent to persons if they do not request that they cease.¹²

EU member countries and the UK, on the other hand, are proponents of the opt-in consent regime. Elements of consent under the DPA almost completely mirror those in the General Data Protection Regulation (GDPR) which have been interpreted to provide for opt-in consent.¹³ The GDPR takes a step further to prohibit consent through silence, pre-ticked boxes or inactivity. ¹⁴ These rules guarantee that data subjects have autonomy over how their data is used. An exception known as soft opt-in consent, which can be carried out for a legitimate interest, is provided for in the Privacy and Electronic Communications Regulations(PECR), allowing organisations to make marketing communications to existing customers.¹⁵ By this law, soft opt-in consent can be used if an organisation receives an individual’s contact details in the course of making or negotiating a sale of a product or service; notifies the individual of their intention to market similar goods and services to them and; provides them the opportunity to opt-out of receiving those marketing communications, both at the outset and every time they receive subsequent marketing communications.¹⁶

Notably, the Kenya Information and Communications (Consumer Protection) Regulations too makes provision for soft opt-in consent but does not obligate persons to notify consumers of an intention to market similar goods or services.¹⁷ It also stipulates that automated direct-marketing schemes are to be based on opt-in consent, according consumers the opportunity to accept or reject inclusion in a marketer’s “mailing list”.¹⁸ While this provision so clearly caters to automated emails, it can be understood to exclude other means of automated marketing such as automated text messages and calling systems.

Given the implication under the DPA that consent be opt-in, it appears that the opt-out mechanism proposed in the Data Protection(General) Regulations was intended to be a consent withdrawal mechanism for data subjects to unsubscribe from direct marketing communications after the original point of consent.¹⁹ This would be in line with Section 32(2) of the DPA which provides that a data subject has the right to withdraw consent at any time.²⁰

Differing yet related understandings of the “opt-out mechanism” cause confusion as to the intention of regulation 14 of the Regulations. For clarity’s sake, the Regulations should expressly prohibit opt-out consent and shine a light on whether soft opt-in consent, as currently framed, fulfils a legitimate interest in accordance with Section 30(b)(vii) of the DPA. Finally, to guarantee compliance, the Regulations should adopt an open-ended description of the modes of direct marketing to accommodate a larger scope of technologies as they currently only list catalogues, online media sites and electronic messages.²¹