An Overview of the Kenyan Law on Commercial Use of Personal Data

Commercial use of personal data or direct marketing has been defined as the ‘distribution of products, information and promotion by aiming interactive communication with the consumers’.1 It has also been defined as a practice of ‘sending promotional messages directly to the consumers on an individual basis and not based on a large extent’.2 Commercial use of personal data also means approaching a data subject either in person, by mail or by electronic communication for the purpose of promoting or advertising goods or services to the data subject or requesting them to donate.3

Direct marketing is regarded as an effective means of marketing since it comprises activities like ‘forecast analysis, compilation of lists, the creation and implementation of the important campaign for the audience and the efforts for the fulfillment of the analytical marketing’s activities.’4 These activities aid in understanding marketing trends thus enabling marketers to adjust their marketing strategy so as to gain and keep clients. The benefits that accrue from direct marketing have led companies to embrace this form of marketing and also utilise it. Advertising agencies have also embraced it and most now have a ‘department for direct marketing.’5

The importance of direct marketing to a marketer is that it allows him to promote the product or service directly to his target audience and also measure results quickly.6 Other benefits to a marketer include ‘high segmentation and targeting, enables a marketer to increase sales with current and former clients and also upgrade loyalty strategies.’7 The common forms of direct marketing include direct mail, social media marketing, email marketing and SMS marketing.8 In as much as this practice is beneficial, its success is dependent on legal compliance by the marketer.9 An example of unlawful marketing is where a marketer shares data subjects’ personal data with non-compliant parties.10 This poses a risk to data subjects since their personal data may be misused and their privacy may also be infringed.

In Kenya, the legal frameworks applicable to direct marketing include the Constitution of Kenya 2010, the Data Protection Act 2019 together with the Data Protection (General) Regulations 2021 and the Kenya Information and Communication (Consumer Protection) Regulations 2010 (KICA Regulations). The Constitution plays a fundamental role since it has rights accorded to every citizen and these rights include the right to privacy which plays an important role in direct marketing practices, especially where the marketing comprises ‘unsolicited communications.’11

The Data Protection Act 2019 contains requirements applicable to the commercial use of personal data.12 At the same time, the KICA Regulations prescribe ‘consent, opt-in and opt-out principle requirements as well as offences related to direct marketing.’13 Other countries with direct marketing provisions in their legislation include: the United Kingdom (UK GDPR and Privacy and Electronic Communications Regulations 2003 (as amended) (PEC Regulations)), United States (CAN-SPAM Act and also Federal and State Regulations), Australia (Spam Act 2003), New Zealand (Privacy Act 1993 and the Unsolicited Electronic Messages Act 2007), European Union Member States (GDPR and the ePrivacy Directive) and others.14

Since marketers are involved in collecting and processing personal data, they are regarded as data controllers or data processors. The Data Protection Act 2019, section 2 defines a data controller as a ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data.’ A data processor is defined as a ‘natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.’

As a data processor, a marketer should realise that each processing activity requires a legal basis such as ‘consent or legitimate interest.’15 Consent is described in the Data Protection Act 2019 as ‘any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by a clear affirmative action signifying agreement to the processing of personal data relating to the data subject.’16 Some examples of lawful consent include ‘clicking an opt-in button or link, signing a consent statement, responding to an email requesting consent and selecting from yes or no options.’17

The action a data subject takes to agree to have their personal data processed should be through an opt-in mechanism and here the data subject ‘takes a positive action to indicate their consent.’18 Opt-in consent is whereby one asks for someone’s consent or permission before using their data for marketing.19 An opt-out consent is whereby ‘consent is in the affirmative by default unless data subjects take action to withdraw it.’20 Opt-out options are offered to the consumer in two ways:

  • Pre-emptive opt-out is whereby a consumer unticks or unchecks a pre-selected checkbox indicating their refusal to data processing.21

  • Consent withdrawal is where users are provided with the option of withdrawing their permission or changing their preferences concerning treatment of their personal data.22

The Data Protection (General) Regulations 2021 further provide that personal data may be used for commercial purposes where the data subject has been notified that direct marketing is one of the purposes for which personal data is collected, the data subject has consented to the use of personal data for direct marketing purposes and the data controller or processor has provided a ‘simplified opt out mechanism for the data subject to request not to receive direct marketing communications.’23

The processing of personal data should also be in compliance with general data protection principles. These principles are contained in section 25 of the Data Protection Act 2019 and also the General Data Protection Regulations (GDPR).24 They include: lawful, fair and transparent processing, purpose limitation, data minimization, data accuracy, data retention and data security, integrity and confidentiality.25

The purpose limitation principle is fundamental in direct marketing since it requires data controllers or data processors to collect personal data for ‘explicit, specified and legitimate purposes…’26 Therefore the personal data should be used for purposes ‘informed to the user.’27 For instance, if data is collected for research purposes, it cannot be used for marketing purposes.28 In cases where a marketer wants to use the collected data for other purposes, he should obtain new consent from the data subject.29 This principle protects data subjects from misuse of their personal data and also ensures that data controllers or processors comply with the law.

Profiling also plays a significant role in direct marketing and cannot be understated. It has been described as the ‘automated processing of personal data to evaluate the “personal aspects” of an individual, in particular, to analyse or make a prediction about that individual.’30 Customer profiling focuses on understanding one’s customers and reasons why they behave in a certain way.31 Although it facilitates better communication with customers, a data controller or data processor should ensure that the ‘rights of a data subject to oppose profiling and specifically profiling for marketing are present.’32

Finally, the shift from the traditional mode of marketing to the use of personal data for direct marketing practices is not only beneficial, but it also involves intricacies that require legal compliance from data controllers or data processors and active participation from data subjects, especially in exercising their rights. Digital platforms have indeed facilitated the use of big data to improve marketing performance. However, the efficiency of these platforms should not only have a one-sided effect but should also ensure every party involved is adequately protected by the law. It is therefore important to identify any loopholes that may exist in direct marketing laws and revamp them to cater for ongoing developments in digital marketing.

1 Halit Karaxha, Sejd Tolaj and Arjan Abazi, The Role of Direct Marketing in Relation with the Consumers in Kosovo <,than%20using%20a%20mass%20medium. > accessed 3 January February 2023

2 ibid

3 Protection of Personal Information Act 2013, section 1

4 Karaxha (n 1)

5 ibid

6 Berta Campos, What is Direct Marketing? Benefits, Steps and Examples (21 January 2022) < > accessed 30 January 2023

7 ibid

9 ICTLC, The legality of disclosure by transmission of personal data for direct marketing purposes under Italian Data Protection Law <> accessed 3 February 2023

10 ibid

12 Section 37(1) provides that, ‘A person shall not use for commercial purposes personal data obtained pursuant to the provisions of the Act unless the person has sought and obtained express consent from a data subject or is authorized to do so under any written law…’

13 Regulation 17

14 GALA, Privacy Law: A Global Legal Perspective on Data Protection Relating to Advertising and Marketing <> accessed 3 February 2023

15 Brokers Ireland, Brokers Ireland Guidance on Direct Marketing <> accessed 3 February 2023

16 Section 2

17 Luke Irwin, GDPR: When do you need to seek consent? (6 January 2022) < > accessed 3 March 2023

18 Margaret Zalo, Opt-in or Opt-out? Demystifying proposed consent requirements for direct marketing in Kenya (16 June 2021) < > accessed 3 March 2023

19 Securiti, Opt In vs Opt Out Consent: What’s the Difference? (29 August 2022) <,What%20is%20Opt%2DIn%3F,use%20their%20data%20for%20marketing. > accessed 3 March 2023

20 Zalo (n 18)

21 Securiti (n 19)

22 ibid

23 Regulation 15 (b) (c) and (d)

24 Article 5(1) enshrines the principles relating to processing of personal data and they include lawful, fair and transparent processing, collection of personal data for specified, explicit and legitimate purposes, data minimization, data accuracy, storage limitation and data security and confidentiality.

25 David Normoyle, Data Privacy for Marketers (20 June 2022) <> accessed 3 February 2023.

26 Data Protection Act 2019, section 25 (c)

27 Normoyle (n 25)

28 ibid

29 ibid

30 Orbital Law, Profiling and Automated Decision Making-“…the computer says no” < > accessed 6 March 2023

31 ibid

32 Data Protection (General) Regulations 2021, Regulation 22(2)(c)(ii)
