Data Hub

How invasion into Kenyans’ privacy is set for a shake up

privacy law

Kenya's draft law spells out tough measures against the use of data picked online for digital marketing. PHOTO | POOL

Data protection regulator is set to crack down on the digital intrusion of privacy by snoopy advertisement on phones and computers, a move that could upend business such as Facebook, Instagram, Jumia, digital advertisers and local retailers.

According to a draft law on data privacy seen by Business Daily, marketers are restricted from using personal data for commercial purposes, setting the stage for what could be a massive legal battle between Internet users and marketers.

The proposed law describes the “use of personal data for commercial purposes” as advertising an online media site a data subject is logged on, using data collected by cookies, relating to a website the data subject has viewed.

“A data controller or data processors shall be deemed to use personal data for commercial purposes where the data controller or processors displays an advertisement on an online media site a data subject is logged on using their data, including data collected by cookies, relating to a website the data subject has viewed,” the draft law explains.

Sending an electronic message to a data subject about a sale or other advertising material relating to a sale, using personal data provided by a data subject, is considered a breach of privacy, under the draft law.

“Marketing is not direct if personal data is not used or disclosed to identify or target particular recipients,” the new data law notes.

For many years, Kenyans have become inured to the relentless collection of their personal information by giant companies that have grown rich by riding on personal data, which helps pinpoint users’ interest and better target finely tuned advertisements.

Picture this, you shop online for a wristwatch or perhaps search for the price of a smartphone on a search engine such as Google, and the next thing you know is watches and phones advertisements following you everywhere.

On your computer, the ads pop in your Facebook and Instagram feed. On a web browser, the ads keep appearing everywhere on news sites that have nothing to do with watches and phones.

Even if you end up ordering the watch or the phone, the advertisement continues trailing you.

On your phone, a local supermarket keeps sending spam messages about an offer of your favourite perfume. Hotels and airlines know when you go on vacations and pop a message to you.

You feel stalked! You question how these marketers know precisely what you are looking for and when you need it. How much more information about you do they hold?

This is the daily reality of most Kenyans both on the Internet and on offline. Every minute a person spends online helps countless companies build a thicker dossier about that person.

Google knows your health status and location, Facebook is aware of your appearance and friends, while Netflix gives you recommendations with so much precision. Your local supermarkets probably know your shopping habits and it is no surprise that they target you with personalised vouchers and offers.

The law permits the use of personal data only if the data subject has consented to the use of their information for direct marketing.

In addition, there should be a simple opt-out mechanism for the data subject to request not to receive adverts.

“Data controllers should provide a visible, clear and easily understood explanation of how to opt-out, and may include instructions written in simple language and in a font size that is easy to read. The process for opting out should require minimal time and effort,” says the Office of the Data Protection Commissioner (ODPC) in a document.

However, some companies are so tactful in complying with the law. These companies bury users in a deluge of pop-ups that have large ‘accept’ buttons but hidden opt-out options.

In other instances, the opting-out means going through increasingly complicated hoops that most users end up giving in their privacy rights.

On offline services like messages, for an individual to opt-out from promotion messages, one would be required to call the service provider, costing them some cash.

“No fee shall be charged to a data subject for making or giving effect to a request of opting out from the commercial use of personal data,” says the ODPC.

In addition to marketing restriction, the proposed law gives Kenyans teeth to own their data and control who and how long data controllers will keep their information.

“A data controller or data processor shall establish personal data retention schedule with appropriate time limits. The data controller shall erase, delete or anonymise personal data upon the lapse of the purpose for which the personal data was collected,” the law commands

Data handlers are required to inform data subject when engaging in automated processing.

Last week, Apple unveiled a new privacy feature that requires iPhone owners to explicitly choose whether to let apps like Facebook track users or not across other apps.

“We simply believe users should have the choice over the data that is being collected about them and how it’s used,” said Apple during the launch of iOS 14.5.

However, digital advertiser, including Facebook, were not happy with the new update.

Facebook took out a full-page newspaper advertisement contesting the changes by Apple. The tech giant argued that the change could cut the money earned through its ad network by half, hitting small businesses the hardest.