Processing, personal information and direct marketing under POPI

I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers“. As I pointed out in that post, the consent issue (the video above summarises consent as a key concept and why it is so important in direct marketing), while critical, just scratches the surface. There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to give you an overview of two further important terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”.

Personal Information and Processing

Before you can understand the conditions, you need to understand two further terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”. The “personal information” definition is pretty broad. It includes all the usual categories of personal information and a great deal more:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

I highlighted some of the interesting aspects of “personal information” because these categories of personal information are not always recognised as such. For example, “any identifying number, symbol” or “online identifier” could include a Twitter handle or pseudonym (assuming it could be associated with an identity). “Personal opinions, views or preferences” covers a wide range of questions marketers often ask people in surveys and competitions. Add to this other people’s “views or opinions” about your data subject and you’re now dealing with personal information about person A which you obtain from person B and which is also person B’s personal information so you potentially need to obtain consent from both people.

The next important term is “processing”. This is the term used for a variety of activities pertaining to how personal information is handled. It is also fairly broad:

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

This definition basically categorises virtually any action relating to personal information as “processing” and subject to consent by the data subject. As the definition’s lead-in indicates, this covers both single actions and groups of actions or, as the definition puts it: “any operation or activity or any set of operations”. Like I said, it is broad, very broad.

Both of these terms form part of the foundation of an adequate privacy model that direct marketing businesses should have in place already or, at the very least, should be actively developing. We will explore more POPI themes in an upcoming series of posts about the processing conditions in this anticipated legislation in more detail. The processing conditions establish a series of parameters that will shape direct marketing campaigns and other activities that make use of personal information for quite some time to come.

POPI compliance is a steep, uphill climb for direct marketers

The Protection of Personal Information Act is going to have a radical impact on the direct marketing industry and a number of direct marketing businesses are going to shut down because they won’t be able to adapt and remain viable, especially if they don’t take action right away. If you don’t have a direct marketing business that is already based on a truly consensual business model (bearing in mind the consent model in the Protection of Personal Information Bill), you simply can’t afford to waste any more time.

Direct marketers who are working towards bringing their businesses into line with the Protection of Personal Information Bill, which is expected to be finalised and put to a vote by 6 March 2013, may have a lot of work ahead of them. What is worrying is that many direct marketers don’t really appreciate just how much work they have to do. Ignorance isn’t bliss, it is a recipe for disaster.

We’ve been working with clients on bringing their direct marketing businesses into line with the Protection of Personal Information Act. The first step is understanding what the business’ current degree of compliance is and, more often than not, there are usually compliance gaps big enough to float a cruise liner through. The first thing that direct marketers need to understand is that the starting point is not the direct marketer’s current systems and processes but rather its database’s origins and the consents which were given to compile the database the direct marketing business is based on.

As a general rule[1], personal information must be collected directly from the data subject[2] (where I refer to a consumer in this post, I am referring to a consumer as a data subject) who must also consent to how the personal information will be “processed”[3]. We’ve seen letters from data suppliers simply stating that consumers have “consented” or “opted in” to their personal information being collected, added to the databases they have supplied and for the purposes those databases are to be used. That just isn’t enough of an indication of what the consumers have given their consents for.

Consent is not just some generic approval for some personal information to be collected and used for marketing purposes. The consent has to be very specific. It has to be –

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

If you break that down, consent, under the Protection of Personal Information Bill –

  • can’t be taken from the data subject involuntarily (this sounds obvious but how many campaigns purport to take a consent without the data subject being aware that he or she is giving consent for anything?);
  • has to be specific and must relate to specific uses and conditions instead of a general purpose consent for vague uses under the umbrella term “marketing purposes”;
  • has to be informed (this ties in with the specificity requirement) so the data subject is well aware of what personal information is being collected, what that personal information is going to be used for, how the personal information will be handled, and under which circumstances, and to whom, the personal information will be disclosed.

A consumer must also give consent explicitly. This is borne out by the phrase “expression of will” which implies some sort of express act and not an implicit understanding that consent is required for some or other purpose.

Once you understand that consent is a fundamental requirement for personal information to be processed, and that this consent must be obtained from the data subject directly, it follows that the original consent governs any subsequent processing. In essence, that consent applies to subsequent use of the data subject’s personal information and, if those subsequent uses are not adequately covered by the original consent, those subsequent uses will probably infringe the data subject’s privacy rights and fall foul of the Protection of Personal Information Act.

As a direct marketer, your entire business rests on the quality and scope of the consents that relate to each and every record in your database. Those consents must cover aspects such as –

  • what personal information is being processed (can you use the data subject’s name, phone number and email or did the data subject only consent to you using a phone number, for example?);
  • which personal information can be processed for which campaign or use (did the data subject consent to receive marketing information about cars and you are marketing furniture?);
  • have you received consent to process the data subjects’ personal information or was consent only given to your source (if consent was not given to you, specifically, you may still be permitted to process the personal information depending on your relationship with the party that received the consent).

Another problematic practice is enriching databases using third-party data sources. Firstly, this can only be done under the Protection of Personal Information Act with the Regulator’s consent[4]. Secondly, you also have to take into account that the requisite consents must have been given to the parties you obtain the additional personal information from, both to add it to your databases and then to process that additional personal information in the manner in which you intend to process it.

Of course there are also specific provisions in the Protection of Personal Information Bill that deal with direct marketing[5] which impose additional requirements on direct marketers when it comes to the forms of consents required in different contexts. The Electronic Communications and Transactions Act is also about to be amended to support the opt-in requirements for so-called “electronic communications” and I expect the Consumer Protection Act will be amended to close the opt-out loophole too.

This only really just scratches the surface of the analysis that has to take place just to determine how much work a direct marketing business has ahead of it to bring it into line with the Protection of Personal Information Act when it goes into effect (if everything stays on track, this could be around March 2014). The process of identifying the gaps can take months, the process of changing a business model to adapt to the necessary changes could take longer. We and other lawyers in this space have been talking about the need to perform the necessary analysis and introduce the necessary changes for some time now. It is a long and complex process.

As we mentioned at the beginning of our post, we are working with clients to help them adapt to the coming changes. We have developed a detailed and comprehensive compliance gap analysis and review model which we use to gain a detailed understanding of our clients’ businesses and give specific advice on how to close the gaps.

Contact us if you would like us to assist you.

  1. Section 12 of the Protection of Personal Information Bill ↩
  2. Defined as “the person to whom personal information relates” ↩
  3. ‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information ↩
  4. Section 57(1)(ii) ↩
  5. Section 69 ↩

Is WhatsApp violating your privacy rights?

Background

The popular mobile and multi-platform messaging service, WhatsApp, was investigated recently by the Office of the Privacy Commissioner of Canada and the Dutch Data Protection Authority for apparent violations of Canadian and Dutch privacy laws. The investigation found a number of violations and the Canadian Privacy Commissioner released an update on 28 January 2013 reporting back on the violations which have since been addressed and those which remain unresolved:

The investigation revealed that WhatsApp was violating certain internationally accepted privacy principles, mainly in relation to the retention, safeguard, and disclosure of personal data. For example:

  • In order to facilitate contact between application users, WhatsApp relies on a user’s address book to populate subscribers’ WhatsApp contacts list. Once users consent to the use of their address book, all phone numbers from the mobile device are transmitted to WhatsApp to assist in the identification of other WhatsApp users. Rather than deleting the mobile numbers of non-users, WhatsApp retains those numbers (in a hash form). This practice contravenes Canadian and Dutch privacy law which holds that information may only be retained for so long as it is required for the fulfilment of an identified purpose. Only iPhone users running iOS6 on their devices have the option of adding contacts manually rather than uploading the mobile address numbers of their address books to company servers automatically.

  • At the time the investigation began, messages sent using WhatsApp’s messenger service were unencrypted, leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks. In September 2012, in partial response to our investigation, WhatsApp introduced encryption to its mobile messaging service.

  • Over the course of the investigation, it was found that WhatsApp was generating passwords for message exchanges using device information that can be relatively easily exposed. This created the risk that a third party may send and receive messages in the name of users without their knowledge. WhatsApp has since strengthened its authentication process in the latest version of its app, using a more secure randomly generated key instead of generating passwords from MAC (Media Access Control) or IMEI (International Mobile Station Equipment Identity) numbers (which uniquely identify each device on a network) to generate passwords for device to application message exchanges. Anyone who has downloaded WhatsApp, whether they are active users or not, should update to the latest version to benefit from this security upgrade.

WhatsApp’s Privacy Notice

If you are a WhatsApp user, you probably already know that the WhatsApp app lists all your contacts in your phone’s contacts list and reveals which of your contacts use WhatsApp. Aside from the authentication and encryption concerns the Canadian and Dutch authorities raised, this seems to be the source of the currently unresolved concerns the Canadians and the Dutch have.

Essentially, these concerns are that WhatsApp collects details of your contacts automatically (unless your phone is running iOS 6, in which case you would be prompted to allow WhatsApp to access your contacts’ details) and uploads that data to WhatsApp’s servers to be compared to its database of users so it can identify which of your contacts are using WhatsApp and allow you to message them using the app. So far, so good, but WhatsApp doesn’t subsequently discard the data pertaining to non-users after it has compared them to its database.

As the Canadian press release mentions, this touches on two personal information processing limitations, namely purpose specification and related processing limitations. Specifically, WhatsApp is processing personal information for longer than it requires, given its intended purpose, and may be collecting more than it requires. The concern seems to be specifically about the non-user personal information, and the expectation seems to be that WhatsApp discard non-users’ personal information once it establishes that they are, in fact, non-users, and that the app prompt users to agree to submitting contacts’ details to WhatsApp when users want to check whether additional contacts are users.

The WhatsApp Privacy Notice deals with this in a couple sections:

The Information WhatsApp Collects

WhatsApp may obtain the following types of information from or concerning you or your mobile phone device, which may include information that can be used to identify you as specified below (“Personally Identifying Information”):

User Provided Information: You provide certain Personally Identifiable Information, such as your mobile phone number, push notification name (if applicable), billing information (if applicable) and mobile device information to WhatsApp when choosing to participate in various uses of the WhatsApp Service, such as registering as a user, updating your status or requesting status for your contacts. In order to provide the WhatsApp Service, WhatsApp will periodically access your address book or contact list on your mobile phone to locate the mobile phone numbers of other WhatsApp users (“in-network” numbers), or otherwise categorize other mobile phone numbers as “out-network” numbers, which are stored as one-way irreversibly hashed values.

and

The Information WhatsApp Does Not Collect

WhatsApp does not collect names, emails, addresses or other contact information from its users’ mobile address book or contact lists other than mobile phone numbers—the WhatsApp mobile application will associate whatever name the WhatsApp user has assigned to the mobile telephone number in his/her mobile address book or contact list — and this occurs dynamically on the mobile device itself and not on WhatsApp’s servers and is not transmitted to WhatsApp. This means that if you have your friend’s mobile phone number associated with the name “Shakespeare” in your mobile address book, that’s the name that will appear for that mobile phone number in your WhatsApp contact list. We do not collect location data, but users may voluntarily share their location with other users via the WhatsApp Service.

The big question is whether WhatsApp should retain non-user phone numbers after it has compared the data captured through the app with its database.

South African law

At present the main issue in South Africa is whether transmitting your contacts’ personal information to WhatsApp violates their privacy. Our current privacy law is informed by the right to privacy in the Bill of Rights, prevailing case law developed by our courts and legislation like the Electronic Communications and Transactions Act and Consumer Protection Act. The Protection of Personal Information Bill has not yet been passed although I’ll deal with that below.

The answer to this lies in the implicit (or explicit, if you have it) consent you have from your contacts to take the personal information they give you, pass it on to WhatsApp and then contact them through WhatsApp if they are users. This is a tough question to answer in the absence of an explicit preference from your contacts one way or another. Presumably they gave you their contact details or made them available with the expectation that you contact them. Whether a contact would object to being contacted using WhatsApp is a secondary issue. Conceivably some contacts may object to their personal information being passed to WhatsApp due to concerns about its privacy practices or out of a desire to remain out of that system and, where a contact expresses that preference, you should certainly act appropriately. Absent that express preference, may users assume they have their contacts’ implicit consent? Perhaps.

Under the anticipated Protection of Personal Information Act (I refer to the “Protection of Personal Information Bill” interchangeably with “Protection of Personal Information Act” because it is still going through the legislative process of being passed as an Act of Parliament), the question is ordinarily what sort of consent is given and whether this covers the intended personal information uses. “Consent” is defined as –

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

When it comes to individual users, the Protection of Personal Information Act probably won’t require individuals to comply with its restrictions when it comes to compiling their contacts lists where doing so is “in the course of a purely personal or household activity”. WhatsApp wouldn’t be able to take advantage of this exclusion so it would be required to obtain its users’ consent to process their personal information.

Will the Protection of Personal Information Act apply?

You may have noticed that WhatsApp indicates that it stores non-users’ (or “out-network”) phone numbers as “one-way irreversibly hashed values” which, when coupled with improved encryption options, makes it practically impossible to resolve those hash values back to phone numbers (classified as “personal information” in most jurisdictions).

The Protection of Personal Information Act has a further exception to its application in that it does not apply to personal information “that has been de-identified to the extent that it cannot be re-identified again”. Whether this exclusion applies here would be interesting to test, and would probably depend on whether the hashed values could, somehow, be associated with individuals despite the encryption. WhatsApp only collects phone numbers and not names and other details (the association between a number and a name occurs on your device, not on the server), so this exclusion could well apply and get WhatsApp off the hook when it comes to potential Protection of Personal Information Act compliance. It would also likely address residual privacy concerns because the phone numbers will appear to have been practically and irreversibly anonymised.

Even if the Protection of Personal Information Act applies

If this exclusion does not assist WhatsApp, the Protection of Personal Information Bill contains a number of processing limitations along the lines of the limitations the Canadians and Dutch found were exceeded.

One processing limitation is “Minimality” which states that –

Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

The Protection of Personal Information Bill requires that personal information be collected directly from what it refers to as “data subjects” (in other words, the people the personal information relates to) and one of the exceptions to this is where –

collection of the information from another source would not prejudice a legitimate interest of the data subject

Given the steps taken to disassociate the phone numbers collected pertaining to non-users from the non-users’ identities, this may be an exception to the general rule that the personal information be collected directly from the non-users concerned. In this case the “other source” would be the WhatsApp user submitting the personal information.

The Protection of Personal Information Bill’s purpose specification limitations include the following which are more appropriate to what WhatsApp is doing:

Collection for specific purpose

(1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

(2) Steps must be taken in accordance with section 18(1) to ensure that the data subject is aware of the purpose of the collection of the information unless the provisions of section 18(4) are applicable.

Section 18 deals with the necessity for informed consent from data subjects and includes the following exclusion which is similar to the exclusion dealt with above:

non-compliance would not prejudice the legitimate interests of the data subject as set out in terms of this Act

Another processing specification limitation in the Protection of Personal Information Bill which relates to the Canadian and Dutch requirements is the following:

Retention and restriction of records

(1) Subject to subsections (2) and (3), records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed …

Section 14(1) has a number of exclusions which probably won’t apply here but section 14(4) may assist WhatsApp:

A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of subsection (1) or (2).

Section 14(2) deals with personal information processed for “historical, statistical or research purposes” but may not apply here.

On the topic of this retention restriction, it is not clear why WhatsApp retains “one-way irreversibly hashed values” based on non-users’ phone numbers. If “one-way irreversibly” means that these hashed values are not capable of being translated back into phone numbers (as I have assumed), then it is not clear what purpose is served by retaining this data. If these “one-way irreversibly hashed values” can be translated back into phone numbers, then the exclusions in the Protection of Personal Information Bill will probably not apply and WhatsApp will be, almost by definition, in violation of the Protection of Personal Information Bill’s processing limitations where it does not obtain consent from non-users to process their phone numbers.

On the other hand, if “one-way irreversibly hashed values” does, in fact, mean they can’t be translated back into phone numbers and will remain as seemingly random data strings, then they will likely not be regarded as “personal information” in the first place, as personal information is defined, at least by the Protection of Personal Information Bill, as including “information relating to an identifiable, living, natural person”. If that is the case, then the debate about whether the Protection of Personal Information Act applies becomes largely academic from WhatsApp’s perspective, as non-users’ phone numbers cease to be personal information when they are converted into “one-way irreversibly hashed values”.
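As an added illustration (not WhatsApp’s code and not part of the original post), the following models the contact discovery flow the Privacy Notice describes, with the retention choice at issue under sections 14(1) and 14(4) made explicit. The keyed hash, the server key and the sample numbers are assumptions of the example.

```python
# Constructed model of a WhatsApp-style contact discovery flow: the address
# book is uploaded, compared with the user database, and split into
# "in-network" and "out-network" numbers. The retention policy for
# out-network numbers is the design decision the regulators questioned.
import hashlib
import hmac
import re


def normalise_number(raw: str) -> str:
    """Reduce a phone number to its digits so equal numbers compare equal."""
    digits = re.sub(r"\D", "", raw)
    if not digits:
        raise ValueError(f"not a phone number: {raw!r}")
    return digits


def one_way_hash(number: str, server_key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of a normalised phone number.

    Assumption for this example: the server holds a secret key, so the hash
    cannot be recomputed for a candidate number without that key. An unkeyed
    hash of a phone number is only a pseudonym, because the space of valid
    numbers is small; whether such a value is "de-identified" is exactly the
    open question discussed in the text.
    """
    return hmac.new(server_key, number.encode(), hashlib.sha256).hexdigest()


class ContactDiscoveryServer:
    """Server side of the flow.

    retain_out_network=True keeps hashes of non-users after the comparison;
    False discards them once the purpose (finding users) has been served.
    """

    def __init__(self, registered_numbers, server_key: bytes,
                 retain_out_network: bool):
        self.server_key = server_key
        self.retain_out_network = retain_out_network
        # Registered users are also held as keyed hashes; matching is hash-to-hash.
        self._users = {one_way_hash(normalise_number(n), server_key)
                       for n in registered_numbers}
        self._out_network_store = set()

    def match_contacts(self, uploaded_numbers):
        """Return the uploaded numbers that belong to registered users.

        Out-network numbers are never stored in clear: they are either hashed
        and retained or dropped, depending on the retention policy.
        """
        in_network = []
        for raw in uploaded_numbers:
            h = one_way_hash(normalise_number(raw), self.server_key)
            if h in self._users:
                in_network.append(raw)
            elif self.retain_out_network:
                self._out_network_store.add(h)
        return in_network

    def retained_non_user_records(self) -> int:
        """Number of records about non-users the server still holds."""
        return len(self._out_network_store)

    def purge_out_network(self) -> int:
        """Section 14(4)-style clean-up: delete records no longer needed."""
        count = len(self._out_network_store)
        self._out_network_store.clear()
        return count


def run_demo(retain_out_network: bool):
    """Run the flow on constructed sample numbers (not real subscribers)."""
    key = b"constructed-server-key"
    server = ContactDiscoveryServer(
        registered_numbers=["+27 82 000 0001", "+27 82 000 0002"],
        server_key=key, retain_out_network=retain_out_network)
    address_book = ["+27 82 000 0001", "+27820000003",
                    "+27-82-000-0002", "+27 82 000 0004"]
    found = server.match_contacts(address_book)
    return found, server.retained_non_user_records()


if __name__ == "__main__":
    print("discard policy:", run_demo(False))
    print("retain policy: ", run_demo(True))
```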

Of course, when it comes to WhatsApp users, they are bound by the WhatsApp Privacy Policy and part of that includes their consent to their personal information being processed by WhatsApp in the manner described in the Privacy Policy.

Where does that leave WhatsApp?

So where does this leave WhatsApp? When it comes to South African law, there may be far less of an issue about WhatsApp’s retention of non-users’ personal information than the Canadians and Dutch seem to have with the service. If their definitions of personal information are similar to ours, it should, perhaps, be less of an issue for them too, provided these “one-way irreversibly hashed values” can’t be translated back into phone numbers and will remain as seemingly random data strings.

Is it safe to keep using WhatsApp? In light of the increased security added after the initial Canadian and Dutch investigations, it does seem to be safe to use WhatsApp. At least from this perspective.

An introduction to the Protection of Personal Information Act

The Protection of Personal Information Bill is currently making its way through Parliament and is expected to be passed into law before the end of 2012. At that point it will become the Protection of Personal Information Act. This post is a brief introduction to POPI and part of an ebook about this law Paul is currently writing.

Just as the Promotion of Access to Information Act is designed to give meaningful effect to the right of access to information in the Bill of Rights, the Protection of Personal Information Act gives substance to the right to privacy in the Bill of Rights and, to an extent, codifies aspects of the Common Law developed by our courts over the years.

The Protection of Personal Information Act creates a privacy model based on the idea of privacy as a matter of informational self-determination rather than as a concept based on secrecy. Conceptually, the Protection of Personal Information Act’s focus is on giving people (referred to as “data subjects”) more structured control over how their personal information is collected and what is done with it. There is also a fair amount of attention given to who may “process” personal information and under what circumstances.

Another important aspect of the Protection of Personal Information Act is the compliance framework which the Act establishes and which includes a new Information Regulator which is given broad powers to enforce aspects of the Act and address non-compliance with the Act.

The Act will also impact on existing legislation, including the Consumer Protection Act and the Electronic Communications and Transactions Act, which incorporate an opt-out privacy model as opposed to the opt-in privacy model adopted by the Protection of Personal Information Act. This shift is bound to have a dramatic impact on a number of businesses and industries, not least of which is the direct marketing industry.

Just how effective the Protection of Personal Information Act will be as a privacy framework remains to be seen, as does the Regulator’s effectiveness in enforcing the Act but what is already clear is that the Protection of Personal Information Act will create a new set of structures and frameworks around privacy law and data protection which South Africa has lacked until now.

First National Bank and its marketing consent problem

Innovative bank, FNB, has a consent problem. Jason Elk published a blog post over the weekend titled “FNB, what on earth are you doing to your customers?” in which he took issue with a consent mechanism FNB has been making use of for some time now. Essentially, this consent mechanism requires that customers agree to receive marketing information from the FirstRand Group in order to remain eligible to receive many of the benefits FNB gives its customers and which may have attracted many of its customers in the first place.

Jason’s concern is essentially as follows:

The nutshell version is that FNB is instructing me to say YES to receiving marketing of “other products and services”, or “forfeit any current reward programs (I’m) participating in and be excluded from programs (I) may qualify for in the future”. These include eBucks, fuel rewards and airtime rewards.

So hang on. I’m switching my bond account to FNB, adding the biggest asset I own to my existing portfolio that includes my car, credit facilities, call accounts, savings accounts, cheque accounts, cards and other accounts and services, and because I don’t want to receive marketing messages I will be excluded from eBucks and other rewards immediately and in the future? So instead of rewarding me further, I’m being punished for bringing even more business to the bank. Not the ‘do more’ bank I thought I knew.

FNB’s CEO, Michael Jordaan, responded to Jason on Twitter and, essentially, indicated to him that FNB requires the consent in order to communicate useful information about its products and services to customers. It had no intention of making use of the consent for “blanket marketing” which Jordaan professed a dislike for:

While I understand the need for a consent in order to communicate useful information to customers, FNB’s consent model, in this case, is problematic. The Protection of Personal Information Bill (likely to become the Protection of Personal Information Act before the end of this year) defines “consent” as follows:

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

The key terms here are “voluntary, specific and informed”. This means that a consent given in terms of the Protection of Personal Information Act can’t be a “dumb” consent. The person giving the consent has to clearly understand what he or she is consenting to, must be consenting to that action voluntarily (in other words, without that consent being coerced) and that consent must be fairly focused on particular activities that the person is informed about.

This is reinforced by several “Conditions for Lawful Processing of Personal Information” which are set out in Chapter 3 of the Protection of Personal Information Bill. These conditions include a processing limitation intended to moderate the extent to which personal information is processed as well as a Purpose Specification condition which requires that personal information be, among other things, collected for a very specific purpose.

Section 10, which forms part of the processing limitation condition, states that –

Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

Section 13 of the Protection of Personal Information Bill includes the following:

Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

In the case of FNB’s consent model, there appears to be a disconnect between FNB’s apparent intention behind the consent and what the wording of the consent actually allows for. As you can see from the consent wording, it is a fairly broad consent to receive “information about the FirstRand Group’s products and services”. The consent mechanism goes further –

… current or future participation in FirstRand rewards programs … is dependent on you having granted the Bank consent to market other products and services to you. By processing a “No” instruction you will forfeit any current reward programs you are participating in and will be excluded from programs you may qualify for in future.

If no selection is made, marketing consent will default to “No”

This consent wording is a little contradictory. The mechanism itself is legally correct in that the Bank has requested an opt in from its customers and, in the absence of this opt in, the Bank will assume that the customer does not wish to be marketed to. The difficulty is that the consent required for what is essentially products and services related information is couched as a consent to receive marketing information about products and services from the FirstRand Group. The scope of the marketing consent sought is very different from what FNB appears to actually require, as its CEO clarified on Twitter.

The FirstRand Group includes a number of other entities, aside from FNB. Consenting to receive marketing information about the FirstRand Group’s products and services may well encompass far more than specific information about the FNB products and services which a customer may be utilising. This could be a violation of the processing limitation condition in the Protection of Personal Information Bill. If so, this would render the consent sought too broad.

The concern Jason highlights in his blog post goes to the definition of consent in the first place. It is probably fair to say that many of FNB’s customers were attracted to the bank by its rewards programs and requiring a seemingly broad consent to receive marketing about potentially unrelated products and services in exchange for eligibility for these rewards programs may well undermine the “voluntary” requirement in the consent definition.

What this all means is that FNB’s consent mechanism may not obtain the appropriate consent required by the Protection of Personal Information Act. This consent mechanism is simply too blunt an instrument for what the bank appears to require. One option is for the bank to split the consent in two: a mandatory consent to receive product and services related information pertaining to the products and services the customer is making use of, separate from a consent to receive marketing information regarding the FirstRand Group’s products and services generally. Because these consents may have to be accompanied by an opt out mechanism, they should also be accompanied by appropriate waivers from the customer for the event that the customer elects not to receive product and services related information and, for example, misses out on an opportunity or incurs costs by not taking advantage of something communicated to the customer.

While the suggestion probably will not be welcome news to FNB’s marketing team, it may be a necessary adjustment to the consent model in order to bring it into line with the Protection of Personal Information Act. Of course this is dependent on these provisions being interpreted on the basis I have suggested and a more flexible interpretation may allow for this consent mechanism to remain in place going forward.

A consequence of this, though, is that FNB may be facing a reputational storm from customers accustomed to the bank’s innovative approach to customer service now facing a somewhat overbearing approach to obtaining consent for marketing purposes. The effects of this may be less desirable than the consequences of changing the consent mechanism.