Reasonably practicable compliance with POPI is not enough

When considering how much you should do to comply with legislation like the Protection of Personal Information Act, you have three choices:

  1. Do as little as possible and see what you can get away with;
  2. Calculate the degree of “reasonably practicable” compliance required and stick with that;
  3. Adopt a more holistic approach to compliance.

Of the three options, the first is clearly a recipe for disaster. The only questions are when disaster will strike and how devastating it will be.

The second option is a popular one. To begin with, it is a practical solution because it takes into account what the law requires of you in order to meet the law’s standard so you limit your potentially significant investment in a compliance program without a corresponding quantitative benefit. Makes sense, right? In a way, yes, but what it doesn’t take into account is that your primary compliance risk is increasingly not regulators (at least not in South Africa where regulators often lack the capacity to respond very quickly), but rather the people who are directly affected by your decisions.

In other words, complying with laws like the Consumer Protection Act and Protection of Personal Information Act is not a quantitative exercise where you empirically (or as close to empirically as a legal compliance assessment can be) calculate your desired degree of compliance and work to that standard. Instead compliance is qualitative.

John Giles published a terrific post on the Michalsons blog titled “Only do what is reasonably practicable to comply with POPI” in which he explains POPI’s baseline compliance standard which is based on reasonableness and how this translates into what is likely an effective quantitative approach to compliance. It is worth saving the article because it is a handy reference for when you need to understand what the law means by “reasonably practicable”.

I don’t believe that this is enough, though. If anything, the question of what is reasonably practicable should only be part of your assessment of what you should do. The next, and arguably more important, question should be “What should we do to ensure not only compliance with the law but also to earn our customers’ trust?”. No, I’m not suggesting you drink the “rainbows and unicorns” energy drink and spend real money complying with some nebulous standard because your customers will like you more. Well, not entirely. What I am suggesting is that there is another dimension to compliance with legislation that affects people in very personal ways.

When you look at recent privacy controversies involving services like Facebook, Google and SnapChat, one theme that emerges from each of these controversies is not that these companies handled users’ personal information in ways they necessarily concealed from users. Their privacy policies describe what they do with users’ personal information in varying degrees. What really upsets users is that they weren’t expecting these companies to do the things they did. Users tend to develop a set of expectations of their providers which is typically not informed by privacy policies (because few people read them). These expectations are informed by what these companies tell them in marketing campaigns, what other users and the media tell them, what their friends share with them and their experiences with the services themselves.

When a provider steps outside its users’ collective expectations, mobs form and there is chaos in the metaphorical streets. The fact that these companies stuck to their published privacy policies and terms and conditions is largely irrelevant because users are not wholly rational and analytical. They don’t go back to the legal documents, read them quietly and go back to their daily lives when they realise that they mis-read or misunderstood the legal terms and conditions. No, they are outraged because the companies violated the trust users placed in these companies based on users’ expectations.

You may not have the same number of customers as Facebook, Google or SnapChat and your business may be different but if you are considering Protection of Personal Information Act or Consumer Protection Act compliance, you are dealing with the same people: consumers who have expectations and perceptions which you influence but certainly don’t control. If you violate the trust they place in you, the response will be swift and the consequences from a reputational perspective could be severe.

When you develop your compliance program, assess what is reasonably practicable and set that as your commercial baseline. Then, consider how transparent you can be with your customers about what you intend doing with their personal information.

I remember reading a discussion about partners cheating on each other and at one point in the article the writer said that cheating isn’t just about the act but also the thoughts that precede it. If you have thoughts about another person which you don’t want to share with your partner, that is probably a good indication you are contemplating something you shouldn’t be doing. Apply that to your compliance program and ask yourself if you are comfortable disclosing to your customers what you intend doing with their personal information. If you are, be transparent about it in your privacy statement/policy and in your communications with your customers.

If you don’t feel comfortable being transparent about how you intend using your customers’ personal information and, instead, intend hiding behind technical legal compliance with the law to justify your data use, you may be setting yourself up for a bitter divorce and a costly battle with your customers. By the time the regulators arrive to assess your compliance, the damage will already have been done and the reasonably practicable thing to do will be to pick up the pieces of your reputation (and possibly your business) and start earning your customers’ trust again.

POPI compliance and your plan to fail

The Protection of Personal Information Act has been in the pipeline for so long I keep expecting someone to develop a drinking game around “POPI” mentions in conferences (every time a speaker says “POPI”, everyone takes a drink). The Bill was passed by Parliament and the President has signed it into law as the Protection of Personal Information Act (No. 4 of 2013). The next step is POPI’s commencement date in a government gazette and the final countdown to its implementation and a compliance deadline. A copy of the Act is at the bottom of this post for your reading pleasure.

Unfortunately many companies may have left their preparation too late, especially the larger companies, and have not yet established a complete set of practices and processes to ensure their compliance with POPI’s many requirements. Although companies will likely have a year before many of POPI’s compliance requirements go into effect, a year is simply not enough time to prepare adequately. Compliance isn’t just a matter of writing a privacy policy and publishing that. In order to comply with POPI, organisations have to ensure that all their underlying processes are aligned with POPI’s requirements. In this sense a privacy policy is really more of a description of a series of data protection practices which have been implemented throughout the organisation. If there is a disconnect between your organisation’s practices and processes and what the privacy policy describes, the consents you are hoping to obtain through the privacy policy will amount to little more than lip service to the legislative framework it serves.

Something else to bear in mind is that a data gold rush before POPI comes into effect may amount to a waste of time, money and effort. Some of my colleagues have advised their clients that POPI will not have retrospective effect so anything done before POPI goes into effect will not be affected by POPI’s more stringent restrictions. They are likely correct about POPI not having retrospective application but POPI’s compliance requirements will almost certainly not be waived just because you collected personal information before POPI’s implementation date. If, for example, you don’t obtain adequate consent for your intended personal information uses before POPI is implemented, I doubt very much that this will be excused once POPI goes into effect and you could find your shiny data treasure trove is tainted, must be discarded and you will have to start again and do the work you should be doing now (if you haven’t done it already).

The bottom line, so to speak, is that if you haven’t prepared for POPI you may not have much time left. As the saying goes, your failure to plan for POPI is, effectively, your planned failure to comply.

That said, here are a couple of next steps on your road to compliance:

  1. Review your processes which touch on personal information collection and processing. The best data protection policies are useless if your underlying processes are not going to comply with POPI’s requirements. Your marketing teams, in particular, need to understand how POPI affects them and must assess their databases, marketing initiatives and other personal information-related activities. Don’t forget to include internal data processing in your review. You will have to apply similar principles to the personal information you process internally so your human resources people need to be involved too.
  2. Align your marketing initiatives with your organisation’s compliance requirements and your underlying processes. Marketing campaigns rely on personal information and they have to be supported by the day-to-day data processing workflows and, in turn, support essential policy frameworks. Don’t just leave this up to your marketing teams; you need people who understand POPI’s impact and can mediate between Marketing/Communications and Legal/Compliance imperatives.
  3. Take into account industry regulatory frameworks like the WASPA Code of Conduct. It is now backed by a law and could have a fundamental impact on any mobile initiatives you are running. Failure to comply with WASPA’s Code and its Advertising Rules can behead a mobile campaign that relies on mobile short codes, for example.
  4. Develop and implement clear and practical privacy or data protection policy frameworks. These policy frameworks must be supported by the practical realities of how your teams handle personal information every day. A policy framework in a process vacuum is pretty ineffective and a pretty short road to reputational harm and regulatory attention.

Preparing for POPI is not a quick and easy process, and I’m not saying this because this is one of my focus areas. The more you delve into the law, the more you realise what a mammoth undertaking it is. Call me if you could use some help. Alternatively, read the Direct Marketing Legalities Survival Guide I published earlier this week. I explain many of the compliance requirements in POPI and other legislation like the Electronic Communications and Transactions Act and Consumer Protection Act as well as WASPA and ISPA Hall of Shame considerations.

Consent for Direct Marketing Under POPI

The Protection of Personal Information Act has particular interest for direct marketers because of the likely substantial impact the legislation will have on consumer-facing initiatives when it goes into effect. POPI has a section that deals specifically with and introduces a consent model designed for direct marketing. It is an interesting model and I’ll explain why in a moment. In the meantime, it is worth reading the following posts if you haven’t already:

Protection of Personal Information Act’s section 69 is titled “Direct marketing by means of unsolicited electronic communications”. It begins with the following general prohibition on –

The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail …

unless the data subject[1] either consents[2] or, importantly, is the “responsible party’s”[3] customer.

If, on the other hand, the consumer (or data subject) is not the provider’s (responsible party) customer and if the consumer has not “previously withheld” consent, the provider has a once-off opportunity to send the consumer a request for the consumer’s consent to allow his or her personal information to be used for direct marketing purposes. In practice this is usually a message simply informing the consumer about the products or services the provider would like to market to the consumer and requesting consent. This once-off message should not be a marketing message because that would violate the general prohibition. It should be an information message and its specific format may be prescribed in regulations supporting the Protection of Personal Information Act in due course.

If the consumer consents then the provider will be entitled to use the consumer’s personal information for direct marketing purposes within the consent’s parameters. This may sound obvious but this can be a little tricky. The best way to obtain the quality consent the Protection of Personal Information Act contemplates (take another look at the consent definition[2]) is through a sufficiently detailed privacy policy document. This is a privacy policy’s role. It is the foundation of a compliant direct marketing campaign so do it properly!

If the consumer doesn’t give express consent through a privacy policy but is a provider’s customer[4] already, the consumer’s consent is essentially implied by virtue of the consumer being a customer who is already interested in learning more about the provider’s products or services. In this scenario, the provider can use the consumer’s personal information for marketing purposes where –

  1. the provider obtained the consumer’s personal information in the context of a sale of a product or service;
  2. “for the purpose of direct marketing of the [provider’s] own similar products or services”; and
  3. the consumer has been given “a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details” both at the time the consumer’s personal information was first collected and each time the provider communicates with the consumer for marketing purposes (and assuming the consumer didn’t refuse to consent the first time he or she was asked).

Then, lastly, each communication for the purpose of direct marketing must contain both the provider’s identity as well as contact details which the consumer can use to opt out of further marketing communications.

This basic model isn’t totally new. It has existed for some time in other regulatory frameworks like the WASPA Code of Conduct (mobile service providers will be familiar with this mechanism). It does represent a broader shift in South African law because the Protection of Personal Information Act will establish minimum requirements for practically all direct marketing communications, particularly from a consent perspective.

If you are engaged in direct marketing, this is a pretty important aspect of the Protection of Personal Information Act for you. This isn’t the only legislation dealing with direct marketing, though, just arguably the most important from a privacy perspective. The Consumer Protection Act, for example, deals with other issues relating specifically to direct marketing such as cooling off periods for sales made through direct marketing (there is some overlap with the Electronic Communications and Transactions Act, which also deals with cooling off periods, and which Act applies will depend on what was sold and how).

In the meantime, it is worth taking some time to explore how your direct marketing activities may need to change to accommodate the Protection of Personal Information Act’s compliance requirements. You may not need to make substantial changes, only make sure you have an adequate privacy policy framework and the back-end systems to properly process opt-ins and opt-outs. Whatever your particular requirements may be, time is running out. The Protection of Personal Information Act has been passed by Parliament and is likely before the President waiting for his signature and then it will be implemented.


  1. ‘‘data subject’’ means the person to whom personal information relates.
  2. ‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
  3. ‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
  4. Express consent would be required where a consumer is approached for the first time by a provider’s representative and asked to consent to direct marketing. An example could be a consumer who completes a feedback form at a bookstore which includes a section requesting permission to send the consumer marketing information about book sales and specials. On the other hand, a consumer who has already bought books from the bookstore is, obviously, already a customer and the rules change somewhat.

The Path to the spam Dark Side is paved with lawyers’ wishful thinking

The path of the righteous man is beset on all sides by the inequities of the selfish and the tyranny of evil men. Blessed is he who, in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother’s keeper and the finder of lost children. And I will strike down upon thee with great vengeance and furious anger those who attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee.

This quote from the movie Pulp Fiction is a colourful reminder to direct marketers intent on taking liberties with consumers’ personal information. The self-proclaimed “personal network”, Path, has recently come under a considerable amount of scrutiny due to its apparent practice of spamming users’ contacts through its mobile apps. According to an article in The Verge, “Path is spamming address books with unwanted texts and robocalls — again”:

Path, the photo-centric social network that just hit 10 million users yesterday, has been getting some heat for what some users say are spammy tactics to recruit new users. Digital marketer Stephen Kenwright downloaded the app earlier this week, tried it out, uninstalled it, and went to bed. When he woke up, he found that Path had gone on a rogue mission early in the morning, texting and robocalling an unknown number of his contacts, including his grandparents.

By the time Kenwright got to work, it became clear that Path had gotten in touch with his entire phone book. Coworkers, friends, and family were asking him about the text or phone call they’d received from Path, which stated that Kenwright wanted to share photos with them.

Path’s Dave Morin defended Path’s privacy practices in an interview with AllThingsD. Mike Isaac’s article, “Dave Morin Talks About the Hyper-Growth Pains of Path”, examines Morin’s claims, particularly his assertion that “Path does not spam users”. Morin insisted that –

Invites on Path are never sent without a user’s consent — any allegations to the contrary are false.

This may be technically correct but, as Isaac notes –

Here’s the big issue: During the invitation process, check-boxes are automatically marked to send messages to your friends, which means you have to uncheck them in order not to send out invites. Technically it’s an opt-in process to send out those invites, as the user must tap a button to send them out. But for the average user who is not paying close attention and just wants to get to the app, it’s easily something that could be missed — and, ultimately, could feel like Path has spammed your network of friends.

What this model ignores is that the personal information being used to reach out to your contacts through the app to promote Path is not the user’s; it belongs to the user’s contacts. As I pointed out in our previous post titled “Processing, personal information and direct marketing under POPI”, the definition of “personal information” is pretty broad:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Take this a step further and consider whose consent is required. The Protection of Personal Information Bill defines consent as follows:

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

Consider that the personal information Path uses to reach out to users’ contacts belongs to those contacts, and those contacts are probably not current Path users who have consented to Path contacting them. The result is that Path has violated their privacy. When a Path user taps the button to send the messages out to his or her contacts, that isn’t consent from those contacts to Path. It is, at best, the Path user indicating to Path that the contacts probably won’t mind being contacted. Perhaps the messages are sent with the user’s consent, as Morin insists, but that is largely irrelevant.

Path services integration screenshot - iPad

What is interesting about this story is that it highlights a mindset local marketers seem to be latching on to. Path is relying on some pretty technical explanations for why its promotional practices are not “spammy” by pointing to consents given and choices made by users. To a large extent, this is a valid model when applied at scale and is in fairly widespread use. Users consent to privacy policies all the time without being particularly mindful of having done so. It is a flawed model but the alternative is just not practical. What is problematic is when marketers forget the broader context within which they operate. Simple, technical consent may be fine from a legal perspective (with the appropriate privacy policy framework in place). That isn’t particularly comforting to consumers who are alarmed when they discover precisely what they have consented to and lash out at the provider. This controversy over Path’s approach is the latest of a long line of case studies.

As the Protection of Personal Information Act approaches (theoretically), many of my colleagues are adopting technically correct, although short-sighted, approaches to privacy law compliance. The latest example I read recently is an article explaining the current legal requirements for consent in a marketing context. The thoughtful article reviews applicable legislation and points out that the current paradigm is still largely opt-out. Changes to the Electronic Communications and Transactions Act will alter that position when it comes to electronic communications. Until the Protection of Personal Information Act comes into effect, the general paradigm remains “opt-out” and this is what my colleagues are pointing out to marketers who are, rightfully, concerned that the Protection of Personal Information Act threatens their survival unless they take decisive action soon to adapt.

What my colleagues don’t point out is that it isn’t just about the legislation in place. They also have to consider the WASPA and ISPA Codes of Conduct if they use SMS or email for their campaigns. More importantly, my colleagues don’t seem to be pointing out the big downside for marketers who adopt a strictly self-serving approach to their campaigns and treat their consumers like commodities. Reputational harm could be devastating to marketers who don’t take their consumers’ interests into account. Marketers may be acting in compliance with current legal requirements when they send unsolicited marketing materials to consumers and then rely on opt-out mechanisms when consumers complain but how does that assist them when outraged consumers revolt and take their frustrations online?

Another difficulty with the “make hay while the sun shines” approach to direct marketing is that it doesn’t take into account the possible retrospective effect of the Protection of Personal Information Act when it goes into effect. I had a few thoughts about this last week:

Planning for the Protection of Personal Information Act is not a small endeavour and taking shortcuts to preserve current business models may turn out to be disastrously short-sighted in the year or two ahead. My colleagues may be correct in their approach and their clients may be able to adopt a relatively liberal interpretation of the Protection of Personal Information Act and its implementation. I have a different take on how the Act will apply, especially given its broader role as substance for the Constitutional right to privacy. Going beyond the Act’s interpretation and application by the proposed Regulator and Courts, the risk of being too careless with consumers’ personal information could have even more dire consequences for brands than legal non-compliance.

Consumer activism is swift and brutal and doesn’t pay much heed to legal technicalities.

Processing, personal information and direct marketing under POPI

I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers”. As I pointed out in that post, the consent issue (the video above summarises consent as a key concept and why it is so important in direct marketing), while critical, just scratches the surface. There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to give you an overview of two further important terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”.

Personal Information and Processing

Before you can understand the conditions, you need to understand two further terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”. The “personal information” definition is pretty broad. It includes all the usual categories of personal information and a great deal more:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

I highlighted some of the interesting aspects of “personal information” because these categories of personal information are not always recognised as such. For example, “any identifying number, symbol” or “online identifier” could include a Twitter handle or pseudonym (assuming it could be associated with an identity). “Personal opinions, views or preferences” covers a wide range of questions marketers often ask people in surveys and competitions. Add to this other people’s “views or opinions” about your data subject and you’re now dealing with personal information about person A which you obtain from person B and which is also person B’s personal information so you potentially need to obtain consent from both people.

The next important term is “processing”. This is the term used for a variety of activities pertaining to how personal information is handled. It is also fairly broad:

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

This definition basically categorises virtually any action relating to personal information as “processing” and subject to consent by the data subject. As the definition’s lead-in indicates, this covers both single actions and groups of actions or, as the definition puts it: “any operation or activity or any set of operations”. Like I said, it is broad, very broad.

Both of these terms form part of the foundation of an adequate privacy model that direct marketing businesses should have in place already or, at the very least, should be actively developing. We will explore more POPI themes in an upcoming series of posts about the processing conditions in this anticipated legislation in more detail. The processing conditions establish a series of parameters that will shape direct marketing campaigns and other activities that make use of personal information for quite some time to come.

POPI compliance is a steep, uphill climb for direct marketers

The Protection of Personal Information Act is going to have a radical impact on the direct marketing industry and a number of direct marketing businesses are going to shut down because they won’t be able to adapt and remain viable, especially if they don’t take action right away. If you don’t have a direct marketing business that is already based on a truly consensual business model (bearing in mind the consent model in the Protection of Personal Information Bill), you simply can’t afford to waste any more time.

Direct marketers who are working towards bringing their businesses into line with the Protection of Personal Information Bill, which is expected to be finalised and put to a vote by 6 March 2013, may have a lot of work ahead of them. What is worrying is that many direct marketers don’t really appreciate just how much work they have to do. Ignorance isn’t bliss, it is a recipe for disaster.

We’ve been working with clients on bringing their direct marketing businesses into line with the Protection of Personal Information Act. The first step is understanding what the business’ current degree of compliance is and, more often than not, there are usually compliance gaps big enough to float a cruise liner through. The first thing that direct marketers need to understand is that the starting point is not the direct marketer’s current systems and processes but rather its database’s origins and the consents which were given to compile the database the direct marketing business is based on.

As a general rule[1], personal information must be collected directly from the data subject[2] (where I refer to a consumer in this post, I am referring to a consumer as a data subject) who must also consent to how the personal information will be “processed”[3]. We’ve seen letters from data suppliers simply stating that consumers have “consented” or “opted in” to their personal information being collected, added to the databases they have supplied and for the purposes those databases are to be used. That just isn’t enough of an indication of what the consumers have given their consents for.

Consent is not just some generic approval for some personal information to be collected and used for marketing purposes. The consent has to be very specific. It has to be –

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

If you break that down, consent, under the Protection of Personal Information Bill –

  • can’t be taken from the data subject involuntarily (this sounds obvious but how many campaigns purport to take a consent without the data subject being aware that he or she is giving consent for anything?);
  • has to be specific and must relate to specific uses and conditions instead of a general purpose consent for vague uses under the umbrella term “marketing purposes”;
  • has to be informed (this ties in with the specificity requirement) so the data subject is well aware of what personal information is being collected; what that personal information is going to be used for; how the personal information will be handled and under which circumstances the personal information will be disclosed to whom?

A consumer must also give consent explicitly. This is borne out by the phrase “expression of will” which implies some sort of express act and not an implicit understanding that consent is required for some or other purpose.

Once you understand consent as a fundamental requirement for personal information to be processed, it follows that obtaining that consent from the data subject directly is required for any subsequent personal information processing. In essence, that consent applies to subsequent use of the data subject’s personal information and if those subsequent uses are not adequately covered by the original consent, those subsequent uses will probably infringe the data subject’s privacy rights and fall foul of the Protection of Personal Information Act.

As a direct marketer, your entire business rests on the quality and scope of the consents that relate to each and every record in your database. Those consents must cover aspects such as –

  • what personal information is being processed (can you use the data subject’s name, phone number and email or did the data subject only consent to you using a phone number, for example?);
  • which personal information can be processed for which campaign or use (did the data subject consent to receive marketing information about cars and you are marketing furniture?);
  • have you received consent to process the data subjects’ personal information or was consent only given to your source (if consent was not given to you, specifically, you may still be permitted to process the personal information depending on your relationship with the party that received the consent).

Another problematic practice is enriching databases using 3rd party data sources. Firstly, this can only be done under the Protection of Personal Information Act with the Regulator’s consent[4]. You also have to take into account that the requisite consents must have been given to the parties you obtain the additional personal information from, both to add it to your databases and then to process that additional personal information in the manner in which you intend to process it.

Of course there are also specific provisions in the Protection of Personal Information Bill that deal with direct marketing[5] which impose additional requirements on direct marketers when it comes to the forms of consents required in different contexts. The Electronic Communications and Transactions Act is also about to be amended to support the opt-in requirements for so-called “electronic communications” and I expect the Consumer Protection Act will be amended to close the opt-out loophole too.

This only really just scratches the surface of the analysis that has to take place just to determine how much work a direct marketing business has ahead of it to bring it into line with the Protection of Personal Information Act when it goes into effect (if everything stays on track, this could be around March 2014). The process of identifying the gaps can take months, the process of changing a business model to adapt to the necessary changes could take longer. We and other lawyers in this space have been talking about the need to perform the necessary analysis and introduce the necessary changes for some time now. It is a long and complex process.

As we mentioned at the beginning of our post, we are working with clients to help them adapt to the coming changes. We have developed a detailed and comprehensive compliance gap analysis and review model which we use to gain a detailed understanding of our clients’ businesses and give specific advice on how to close the gaps.

Contact us if you would like us to assist you.

  1. Section 12 of the Protection of Personal Information Bill
  2. Defined as “the person to whom personal information relates”
  3. ‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information
  4. Section 57(1)(ii)
  5. Section 69

Is WhatsApp violating your privacy rights?

Background

The popular mobile and multi-platform messaging service, WhatsApp, was investigated recently by the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority for apparent violations of Canadian and Dutch privacy laws. The investigation found a number of violations and the Canadian Privacy Commissioner released an update on 28 January 2013 reporting back on the violations which have since been addressed and those which remain unresolved:

The investigation revealed that WhatsApp was violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data. For example:

  • In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users. Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically.

  • At the time the investigation began, messages sent using WhatsApp’s messenger service were unencrypted, leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks. In September 2012, in partial response to our investigation, WhatsApp introduced encryption to its mobile messaging service.

  • Over the course of the investigation, it was found that WhatsApp was generating passwords for message exchanges using device information that can be relatively easily exposed. This created the risk that a third party may send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened its authentication process in the latest version of its app, using a more secure randomly generated key instead of generating passwords from MAC (Media Access Control) or IMEI (International Mobile Station Equipment Identity) numbers (which uniquely identify each device on a network) to generate passwords for device to application message exchanges. Anyone who has downloaded WhatsApp, whether they are active users or not, should update to the latest version to benefit from this security upgrade.

WhatsApp’s Privacy Notice

If you are a WhatsApp user, you probably already know that the WhatsApp app lists all your contacts in your phone’s contacts list and reveals which of your contacts use WhatsApp. Aside from the authentication and encryption concerns the Canadian and Dutch authorities raised, this seems to be the source of the currently unresolved concerns the Canadians and the Dutch have.

Essentially, these concerns are that WhatsApp collects details of your contacts automatically (unless your phone is running iOS 6, in which case you would be prompted to allow WhatsApp to access your contacts’ details) and uploads that data to WhatsApp’s servers to be compared to its database of users so it can identify which of your contacts are using WhatsApp and allow you to message them using the app. So far, so good, but WhatsApp doesn’t subsequently discard the data pertaining to non-users after it has compared them to its database.

As the Canadian press release mentions, this touches on two personal information processing limitations, namely purpose specification and related processing limitations. Specifically, WhatsApp is processing personal information for longer than it requires, given its intended purpose, and may be collecting more than it requires. It seems that the concern is specifically about the non-user personal information and the expectation seems to be that WhatsApp discard non-users’ personal information once it establishes that they are, in fact, non-users and that the app prompt users to agree to submitting contacts’ details to WhatsApp when users want to check whether additional contacts are users.

The WhatsApp Privacy Notice deals with this in a couple of sections:

The Information WhatsApp Collects

WhatsApp may obtain the following types of information from or concerning you or your mobile phone device, which may include information that can be used to identify you as specified below (“Personally Identifying Information”):

User Provided Information: You provide certain Personally Identifiable Information, such as your mobile phone number, push notification name (if applicable), billing information (if applicable) and mobile device information to WhatsApp when choosing to participate in various uses of the WhatsApp Service, such as registering as a user, updating your status or requesting status for your contacts. In order to provide the WhatsApp Service, WhatsApp will periodically access your address book or contact list on your mobile phone to locate the mobile phone numbers of other WhatsApp users (“in-network” numbers), or otherwise categorize other mobile phone numbers as “out-network” numbers, which are stored as one-way irreversibly hashed values.

and

The Information WhatsApp Does Not Collect

WhatsApp does not collect names, emails, addresses or other contact information from its users’ mobile address book or contact lists other than mobile phone numbers—the WhatsApp mobile application will associate whatever name the WhatsApp user has assigned to the mobile telephone number in his/her mobile address book or contact list — and this occurs dynamically on the mobile device itself and not on WhatsApp’s servers and is not transmitted to WhatsApp. This means that if you have your friend’s mobile phone number associated with the name “Shakespeare” in your mobile address book, that’s the name that will appear for that mobile phone number in your WhatsApp contact list. We do not collect location data, but users may voluntarily share their location with other users via the WhatsApp Service.

The big question is whether WhatsApp should retain non-user phone numbers after it has conducted its comparisons between the data captured through the app and its database.

South African law

At present the main issue in South Africa is whether transmitting your contacts’ personal information to WhatsApp violates their privacy. Our current privacy law is informed by the right to privacy in the Bill of Rights, prevailing case law developed by our courts and legislation like the Electronic Communications and Transactions Act and Consumer Protection Act. The Protection of Personal Information Bill has not yet been passed although I’ll deal with that below.

The answer to this lies in the implicit (or explicit, if you have it) consent you have from your contacts to take the personal information they give you and pass that on to WhatsApp and then contact them through WhatsApp if they are users. This is a tough question to answer in the absence of an explicit preference from your contacts one way or another. Presumably they gave you their contact details or made them available with the expectation that you contact them. Whether a contact would object to being contacted using WhatsApp is a secondary issue. Conceivably some users may object to their personal information being passed to WhatsApp due to concerns about its privacy practices or out of a desire to remain out of that system and where a contact expresses that preference, you should certainly act appropriately. Absent that express preference, may users assume they have their contacts’ implicit consent? Perhaps.

Under the anticipated Protection of Personal Information Act (I refer to the “Protection of Personal Information Bill” interchangeably with “Protection of Personal Information Act” because it is still going through the legislative process of being passed as an Act of Parliament), the question is ordinarily what sort of consent is given and whether this covers the intended personal information uses. “Consent” is defined as –

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

When it comes to individual users, the Protection of Personal Information Act probably won’t require individuals to comply with its restrictions when it comes to compiling their contacts lists where doing so is “in the course of a purely personal or household activity”. WhatsApp wouldn’t be able to take advantage of this exclusion so it would be required to obtain its users’ consent to process their personal information.

Will the Protection of Personal Information Act apply?

You may have noticed that WhatsApp indicates that it stores non-users’ (or “out-network”) phone numbers as “one-way irreversibly hashed values” which, when coupled with improved encryption options, makes it practically impossible to resolve those hash values back to phone numbers (classified as “personal information” in most jurisdictions).

The Protection of Personal Information Act has a further exception to its application in that it does not apply to personal information “that has been de-identified to the extent that it cannot be re-identified again”. It would be interesting to test whether this exclusion would apply here and would probably be dependent on whether the hashed values could, somehow, be associated with individuals despite the encryption. WhatsApp only collects phone numbers and not names and other details (the association between a number and a name occurs on your device, not on the server) so this exclusion could well apply and get WhatsApp off the hook when it comes to potential Protection of Personal Information Act compliance. It would also likely address residual privacy concerns because the phone numbers will appear to have been practically and irreversibly anonymised.

Even if the Protection of Personal Information Act applies

If this exclusion does not assist WhatsApp, the Protection of Personal Information Bill contains a number of processing limitations along the lines of the limitations the Canadians and Dutch found were exceeded.

One processing limitation is “Minimality” which states that –

  1. Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

The Protection of Personal Information Bill requires that personal information be collected directly from what it refers to as “data subjects” (in other words, the people the personal information relates to) and one of the exceptions to this is where –

collection of the information from another source would not prejudice a legitimate interest of the data subject

Given the steps taken to disassociate the phone numbers collected and pertaining to non-users with the non-users’ identities, this may be an exception to the general rule that the personal information be collected directly from the non-users concerned. In this case the “other source” would be the WhatsApp user submitting the personal information.

The Protection of Personal Information Bill’s purpose specification limitations include the following which are more appropriate to what WhatsApp is doing:

Collection for specific purpose

  1. (1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
    (2) Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.

Section 18 deals with the necessity for informed consent from data subjects and includes the following exclusion which is similar to the exclusion dealt with above:

non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act

Another processing specification limitation in the Protection of Personal Information Bill which relates to the Canadian and Dutch requirements is the following:

Retention and restriction of records

  1. (1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed …

Section 14(1) has a number of exclusions which probably won’t apply here but section 14(4) may assist WhatsApp:

A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).

Section 14(2) deals with personal information processed for “historical, statistical or research purposes” but may not apply here.

On the topic of this retention restriction, it’s not clear why WhatsApp retains “one-way irreversibly hashed values” based on non-users’ phone numbers. If “one-way irreversibly” means that these hashed values are not capable of being translated back into phone numbers (as I have assumed) then it’s not clear what purpose is being served by retaining this data. If these “one-way irreversibly hashed values” can be translated back into phone numbers then the exclusions in the Protection of Personal Information Bill will probably not apply and WhatsApp will be, almost by definition, in violation of the Protection of Personal Information Bill’s processing limitations where it does not obtain consent from non-users to process their phone numbers.

On the other hand, if “one-way irreversibly hashed values” does, in fact, mean they can’t be translated back into phone numbers and will remain as seemingly random data strings, then they will likely not be regarded as “personal information” in the first place as personal information is defined, at least by the Protection of Personal Information Bill, as including “information relating to an identifiable, living, natural person”. If that is the case then the debate about whether the Protection of Personal Information Act applies becomes largely academic from WhatsApp’s perspective as non-users’ phone numbers cease to be personal information when they are converted into “one-way irreversibly hashed values”.
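
Which of the two branches above applies to a given store of hashed numbers is something a responsible party can test on its own data. The following is an added example, not WhatsApp's code and not taken from its Privacy Notice: it assumes, purely for illustration, that a stored value is an unkeyed SHA-256 of the phone number and compares that with an HMAC under a secret server-side key. The number block, the sample contacts and all function names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a fictional block of 10,000 numbers and three
# "out-network" contacts drawn from it. None of these are real subscribers.
PREFIX = "+2755501"  # constructed prefix, followed by 4 digits
OUT_NETWORK = ["+27555010042", "+27555017311", "+27555019999"]


def candidate_numbers(prefix=PREFIX, digits=4):
    """Every number in the constructed block, in order."""
    return [f"{prefix}{i:0{digits}d}" for i in range(10 ** digits)]


def plain_digest(number):
    """Unkeyed SHA-256 of the number (an assumed scheme, not WhatsApp's)."""
    return hashlib.sha256(number.encode()).hexdigest()


def keyed_digest(number, key):
    """HMAC-SHA-256 of the number under a secret key held by the server."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()


def reidentify(stored, candidates, digest_fn):
    """Return {digest: number} for each stored digest matched by hashing
    every candidate number and comparing it with the stored set."""
    wanted = set(stored)
    found = {}
    for number in candidates:
        digest = digest_fn(number)
        if digest in wanted:
            found[digest] = number
    return found


def assessment():
    """Count how many stored records each party can tie back to a number."""
    candidates = candidate_numbers()
    key = secrets.token_bytes(32)        # the responsible party's secret
    other_key = secrets.token_bytes(32)  # what an outsider would have to guess

    plain_store = [plain_digest(n) for n in OUT_NETWORK]
    keyed_store = [keyed_digest(n, key) for n in OUT_NETWORK]

    return {
        # An unkeyed hash over a small, structured input space is matched
        # by anyone who can list the possible numbers.
        "plain, anyone": len(
            reidentify(plain_store, candidates, plain_digest)),
        # Without the key, enumeration produces unrelated digests.
        "keyed, without key": len(
            reidentify(keyed_store, candidates,
                       lambda n: keyed_digest(n, other_key))),
        # The key holder can still match every record, so for that party
        # the values remain linkable to phone numbers.
        "keyed, key holder": len(
            reidentify(keyed_store, candidates,
                       lambda n: keyed_digest(n, key))),
    }


if __name__ == "__main__":
    for party, matched in assessment().items():
        print(f"{party}: {matched} of {len(OUT_NETWORK)} records re-identified")
```

Whether a stored value is "de-identified to the extent that it cannot be re-identified again" therefore depends on the size of the input space and on who holds any key, not on the hash function being one-way.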

Of course, when it comes to WhatsApp users, they are bound by the WhatsApp Privacy Policy and part of that includes their consent to their personal information being processed by WhatsApp in the manner described in the Privacy Policy.

Where does that leave WhatsApp?

So where does this leave WhatsApp? When it comes to South African law, there may be far less of an issue about WhatsApp’s retention of non-users’ personal information in South Africa than the Canadians and Dutch seem to have with the service although if their definitions of personal information are similar, it should, perhaps, be less of an issue for them too if these “one-way irreversibly hashed values” can’t be translated back into phone numbers and will remain as seemingly random data strings.

Is it safe to keep using WhatsApp? In light of the increased security added after the initial Canadian and Dutch investigations, it does seem to be safe to use WhatsApp. At least from this perspective.

An introduction to the Protection of Personal Information Act

The Protection of Personal Information Bill is currently making its way through Parliament and is expected to be passed into law before the end of 2012. At that point it will become the Protection of Personal Information Act. This post is a brief introduction to POPI and part of an ebook about this law Paul is currently writing.

Just as the Promotion of Access to Information Act is designed to give meaningful effect to the right of access to information in the Bill of Rights, the Protection of Personal Information Act gives substance to the right to privacy in the Bill of Rights and, to an extent, codifies aspects of the Common Law developed by our courts over the years.

The Protection of Personal Information Act creates a privacy model based on the idea of privacy as more a matter of informational self-determination than as a concept based on secrecy. Conceptually, the Protection of Personal Information Act’s focus is on giving people (referred to as “data subjects”) more structured control over how their personal information is collected and what is done with it. There is also a fair amount of attention given to who may “process” personal information and under what circumstances.

Another important aspect of the Protection of Personal Information Act is the compliance framework which the Act establishes and which includes a new Information Regulator which is given broad powers to enforce aspects of the Act and address non-compliance with the Act.

The Act will also impact on existing legislation including the Consumer Protection Act and the Electronic Communications and Transactions Act which incorporate an opt out privacy model as opposed to the opt in privacy model adopted by the Protection of Personal Information Act. This shift is bound to have a dramatic impact on a number of businesses and industries, not least of which the direct marketing industry.

Just how effective the Protection of Personal Information Act will be as a privacy framework remains to be seen, as does the Regulator’s effectiveness in enforcing the Act but what is already clear is that the Protection of Personal Information Act will create a new set of structures and frameworks around privacy law and data protection which South Africa has lacked until now.