By Victor Orandi
The Data Protection Act (DPA) has changed the way that companies communicate with prospects and customers. Failure to comply with the DPA can lead to hefty fines of up to Ksh. 5,000,000 or, in the case of an undertaking, not more than 1% of its annual turnover.
The DPA applies to personal data, which means any information relating to any aspect of an individual’s identity, such as a name, telephone number, ID number, personal email addresses and website cookies.
The key consideration is to make sure your company’s marketing practices comply with the DPA. Processing of personal data is only allowed by the DPA if either the individual has consented or another legal basis exists, such as an existing relationship with the customer(s).
Consent
The company needs to ensure that it has actively sought permission from its prospects and customers, confirming that they want to be contacted for marketing purposes. A pre-ticked box that automatically opts them in is not allowed. Opt-ins need to be a deliberate choice.
The company is advised to keep records of consent statements to demonstrate when consent was obtained and what information was provided to the company at the time of obtaining consent.
To stop receiving further information, i.e. by newsletter or e-mail, the customer need only object to processing for marketing purposes. The company can still process the data for other purposes previously consented to.
Withdrawal of consent
The company’s customers need to have a way to withdraw their consent as easily as they’ve given it. The company should make it clear to its customers that they can revoke consent at any time. This can be done by offering a standard unsubscribe link in the footer of every marketing email the company sends out.
Retention of any personal data following the withdrawal of consent shall only be for as long as it is necessary for compliance with a legal obligation.
The company must obtain new and specific consent if the purpose for data collection changes. Consent that was validly obtained before the commencement of the DPA and is compliant with the provisions of the DPA will continue to be valid.
Please reach out to us for more information.