Direct marketers who are working towards bringing their businesses into line with the Protection of Personal Information Bill, which is expected to be finalised and put to a vote by 6 March 2013, may have a lot of work ahead of them. What is worrying is that many direct marketers don’t really appreciate just how much work they have to do. Ignorance isn’t bliss, it is a recipe for disaster.
We’ve been working with clients on bringing their direct marketing businesses into line with the Protection of Personal Information Act. The first step is understanding what the business’ current degree of compliance is and, more often than not, there are compliance gaps big enough to float a cruise liner through. The first thing that direct marketers need to understand is that the starting point is not the direct marketer’s current systems and processes but rather its database’s origins and the consents which were given to compile the database the direct marketing business is based on.
As a general rule, personal information must be collected directly from the data subject (where I refer to a consumer in this post, I am referring to a consumer as a data subject) who must also consent to how the personal information will be “processed”. We’ve seen letters from data suppliers simply stating that consumers have “consented” or “opted in” to their personal information being collected, added to the databases they have supplied and used for the purposes for which those databases are to be used. That just isn’t enough of an indication of what the consumers have given their consents for.
Consent is not just some generic approval for some personal information to be collected and used for marketing purposes. The consent has to be very specific. It has to be –
any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information
If you break that down, consent, under the Protection of Personal Information Bill –
- can’t be taken from the data subject involuntarily (this sounds obvious but how many campaigns purport to take a consent without the data subject being aware that he or she is giving consent for anything?);
- has to be specific and must relate to specific uses and conditions instead of a general purpose consent for vague uses under the umbrella term “marketing purposes”;
- has to be informed (this ties in with the specificity requirement) so the data subject is well aware of what personal information is being collected, what that personal information is going to be used for, how the personal information will be handled, and under which circumstances the personal information will be disclosed and to whom.
A consumer must also give consent explicitly. This is borne out by the phrase “expression of will” which implies some sort of express act and not an implicit understanding that consent is required for some or other purpose.
Once you have that understanding of consent as a fundamental requirement for personal information to be processed, and of the need to obtain that consent from the data subject directly for any subsequent personal information processing, the essence is this: that consent applies to subsequent use of the data subject’s personal information and if those subsequent uses are not adequately covered by the original consent, those subsequent uses will probably infringe the data subject’s privacy rights and fall foul of the Protection of Personal Information Act.
As a direct marketer, your entire business rests on the quality and scope of the consents that relate to each and every record in your database. Those consents must cover aspects such as –
- what personal information is being processed (can you use the data subject’s name, phone number and email or did the data subject only consent to you using a phone number, for example?);
- which personal information can be processed for which campaign or use (did the data subject consent to receive marketing information about cars and you are marketing furniture?);
- whether you have received consent to process the data subjects’ personal information or whether consent was only given to your source (if consent was not given to you, specifically, you may still be permitted to process the personal information depending on your relationship with the party that received the consent).
Another problematic practice is enriching databases using 3rd party data sources. Firstly, under the Protection of Personal Information Act this can only be done with the Regulator’s consent. You also have to take into account that the requisite consents must have been given to the parties you obtain the additional personal information from, to add it to your databases and then process that additional personal information in the manner in which you intend to process it.
Of course there are also specific provisions in the Protection of Personal Information Bill that deal with direct marketing which impose additional requirements on direct marketers when it comes to the forms of consents required in different contexts. The Electronic Communications and Transactions Act is also about to be amended to support the opt-in requirements for so-called “electronic communications” and I expect the Consumer Protection Act will be amended to close the opt-out loophole too.
This only scratches the surface of the analysis that has to take place just to determine how much work a direct marketing business has ahead of it to bring it into line with the Protection of Personal Information Act when it goes into effect (if everything stays on track, this could be around March 2014). The process of identifying the gaps can take months; the process of changing a business model to adapt to the necessary changes could take longer. We and other lawyers in this space have been talking about the need to perform the necessary analysis and introduce the necessary changes for some time now. It is a long and complex process.
The Protection of Personal Information Act is going to have a radical impact on the direct marketing industry and a number of direct marketing businesses are going to shut down because they won’t be able to adapt and remain viable, especially if they don’t take action right away. If you don’t have a direct marketing business that is already based on a truly consensual business model (bearing in mind the consent model in the Protection of Personal Information Bill), you simply can’t afford to waste any more time.
As we mentioned at the beginning of our post, we are working with clients to help them adapt to the coming changes. We have developed a detailed and comprehensive compliance gap analysis and review model which we use to gain a detailed understanding of our clients’ businesses and give specific advice on how to close the gaps.
if you would like us to assist you.
- Section 12 of the Protection of Personal Information Bill
- Defined as “the person to whom personal information relates”
- “processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
  - (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  - (b) dissemination by means of transmission, distribution or making available in any other form; or
  - (c) merging, linking, as well as restriction, degradation, erasure or destruction of information
- Section 57(1)(ii)
- Section 69