The Path to the spam Dark Side is paved with lawyers’ wishful thinking

Planning for the Protection of Personal Information Act is not a small endeavour and taking shortcuts to preserve current business models may turn out to be disastrously short-sighted in the year or two ahead. My colleagues may be correct in their approach and their clients may be able to adopt a relatively liberal interpretation of the Protection of Personal Information Act and its implementation. I have a different take on how the Act will apply, especially given its broader role as substance for the Constitutional right to privacy. Going beyond the Act’s interpretation and application by the proposed Regulator and Courts, the risk of being too careless with consumers’ personal information could have even more dire consequences for brands than legal non-compliance. 

The path of the righteous man is beset on all sides by the inequities of the selfish and the tyranny of evil men. Blessed is he who, in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother’s keeper and the finder of lost children. And I will strike down upon thee with great vengeance and furious anger those who attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee.

This quote from the movie Pulp Fiction is a colourful reminder to direct marketers intent on taking liberties with consumers’ personal information. The self-proclaimed “personal network”, Path, has recently come under a considerable amount of scrutiny due to its apparent practice of spamming users’ contacts through its mobile apps. According to an article in The Verge, “Path is spamming address books with unwanted texts and robocalls — again”

Path, the photo-centric social network that just hit 10 million users yesterday, has been getting some heat for what some users say are spammy tactics to recruit new users. Digital marketer Stephen Kenwright downloaded the app earlier this week, tried it out, uninstalled it, and went to bed. When he woke up, he found that Path had gone on a rogue mission early in the morning, texting and robocalling an unknown number of his contacts, including his grandparents.

By the time Kenwright got to work, it became clear that Path had gotten in touch with his entire phone book. Coworkers, friends, and family were asking him about the text or phone call they’d received from Path, which stated that Kenwright wanted to share photos with them.

Path’s Dave Morin defended Path’s privacy practices in an interview with AllThingsD. Mike Isaac’s article, Dave Morin Talks About the Hyper-Growth Pains of Path examines Morin’s claims, particularly his assertion that “Path does not spam users”. Morin insisted that –

Invites on Path are never sent without a user’s consent — any allegations to the contrary are false.

This may be technically correct but, as Isaac notes –

Here’s the big issue: During the invitation process, check-boxes are automatically marked to send messages to your friends, which means you have to uncheck them in order not to send out invites. Technically it’s an opt-in process to send out those invites, as the user must tap a button to send them out. But for the average user who is not paying close attention and just wants to get to the app, it’s easily something that could be missed — and, ultimately, could feel like Path has spammed your network of friends.

What this model ignores is that the personal information being used to reach out to your contact through the app to promote Path is not the user’s, it belongs to the user’s contacts. As I pointed out in our previous post titled “Processing, personal information and direct marketing under POPI“, the definition of “personal information” is pretty broad:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Take this a step further and consider whose consent is required. The Protection of Personal Information Bill defines consent as follows:

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

Consider that the personal information Path uses to reach out to users’ contacts belongs to those contacts and those contacts are probably not current Path users who have consented to Path contacting them and the result is that Path has violated their privacy. When a Path user taps the button to send the messages out to his or her contacts, that isn’t consent from those contacts to Path, that is, at best, the Path user indicating to Path that the contacts probably won’t mind being contacted. Perhaps the messages are sent with the user’s consent, as Morin insists, but that is largely irrelevant.

Path services integration screenshot - iPad

What is interesting about this story is that it highlights a mindset local marketers seem to be latching on to. Path is relying on some pretty technical explanations for why its promotional practices are not “spammy” by pointing to consents given and choices made by users. To a large extent, this is a valid model when applied at scale and is in fairly widespread use. Users consent to privacy policies all the time without being particularly mindful of having done so. It is a flawed model but the alternative is just not practical. What is problematic is when marketers forget the broader context within which they operate. Simple, technical consent may be fine from a legal perspective (with the appropriate privacy policy framework in place). That isn’t particularly comforting to consumers who are alarmed when they discover precisely what they have consented to and lash out at the provider. This controversy over Path’s approach is the latest of a long line of case studies.

As the Protection of Personal Information Act approaches (theoretically), many of my colleagues are adopting technically correct, although short-sighted, approaches to privacy law compliance. The latest example I read recently is an article explaining the current legal requirements for consent in a marketing context. The thoughtful articles reviews applicable legislation and points out that the current paradigm is still largely opt-out. Changes to the Electronic Communications and Transactions Act will alter that position when it comes to electronic communications. Until the Protection of Personal Information Act comes into effect, the general paradigm remains “opt-out” and this is what my colleagues are pointing out to marketers who are, rightfully, concerned that Protection of Personal Information Act threatens their survival unless they take decisive action soon to adapt.

What my colleagues don’t point out is that it isn’t just about the legislation in place. They also have to consider the WASPA and ISPA Codes of Conduct if they use SMS or email for their campaigns. More importantly, my colleagues don’t seem to be pointing out the big downside for marketers who adopt a strictly self-serving approach to their campaigns and treat their consumers like commodities. Reputational harm could be devastating to marketers who don’t take their consumers’ interests into account. Marketers may be acting in compliance with current legal requirements when they send unsolicited marketing materials to consumers and then rely on opt-out mechanisms when consumers complain but how does that assist them when outraged consumers revolt and take their frustrations online?

Another difficulty with the “make hay while the sun shines” approach to direct marketing is that it doesn’t take into account the possible retrospective effect of the Protection of Personal Information Act when it goes into effect. I had a few thoughts about this last week:

Planning for the Protection of Personal Information Act is not a small endeavour and taking shortcuts to preserve current business models may turn out to be disastrously short-sighted in the year or two ahead. My colleagues may be correct in their approach and their clients may be able to adopt a relatively liberal interpretation of the Protection of Personal Information Act and its implementation. I have a different take on how the Act will apply, especially given its broader role as substance for the Constitutional right to privacy. Going beyond the Act’s interpretation and application by the proposed Regulator and Courts, the risk of being too careless with consumers’ personal information could have even more dire consequences for brands than legal non-compliance.

<

p>Consumer activism is swift and brutal and doesn’t pay much heed to legal technicalities.

Leave a Reply