New data laws signal higher marketing costs for firms

It will now be illegal for companies to collect personal data from Kenyans to use for direct marketing without obtaining the users’ consent.

This is according to the Data Protection (General) Regulations, 2021, which introduce new statutory requirements that will significantly raise the cost of doing business for many firms.

“In obtaining consent from a data subject, a data controller or a data processor shall ensure that the data subject has the capacity to understand and communicate their consent and is informed of the nature of the processing in simple and clear language,” the regulations explain.

The new regulations define personal data to include information collected from surveillance cameras, information associated with web browsing as well as data collected from biometric technology among others. 

This is expected to have a major impact on almost all local and international companies that collect customers’ data for analytics so as to use it to develop new market insights.

This includes financial technology firms (fintechs), telcos, airlines, e-commerce sites, online publishers, insurance companies, private and public hospitals among others. 

The law also makes it illegal for companies to use personal data for direct marketing without informing the subjects.

This includes online adverts that are targeted at consumers by their browsing history as well as promotional material sent directly to consumers. 

Companies will further be required to provide a clear opt-out mechanism for users to reject receiving any direct marketing communications.

If adopted, the law will criminalise the practice by some companies of spamming users with promotional text messages.

Additionally, the law has introduced new modalities for companies that use automated individual decision making.

Social media

This includes the algorithms that social media platforms and digital lenders rely on, for example, for user engagement and computing credit risk respectively, as well as data used by betting firms.

“Data controllers of processors making automated decisions shall inform data subjects, provide meaningful information about the logic involved and ensure specific transparency and fairness requirements are in place,” explains the law.

Entities that process personal data to actualise a public good will also be required to ensure that the processing and storage of such data are done through a server and data centre located within Kenya.

This includes the data collected when administering a national civic registration system including registrations of births and deaths, persons, adoption and marriages.

Local hosting of data will also be compelled when operating a population register or identity management system, or when processing personal data in respect to access to primary and secondary education.

Entities managing election data, those managing electronic payments systems licensed under the National Payment Systems Act or those dealing with public revenue administration systems will also be required to host their servers locally.

However, according to the new law, State and national security organs could be exempted from the law once they write to the Cabinet Secretary of ICT. 

Companies are also forbidden from transferring personal data out of Kenya unless the recipient is bound by legal obligations comparable to Kenya’s Data Protection Act or unless users give consent to the transfer.