MasiboLaw LLP

Book a Consultation

Marketing in the Age of Privacy: What your Business needs to know

Published by

masibolaw

on

By Tracy Gakii

Have you ever wondered how a business you visited once suddenly started sending you promotional text messages? In Kenya, this isn’t just annoying—it might also be illegal. The recent ruling by the Office of the Data Protection Commissioner (ODPC) in EKL v AGC Tenwek Hospital serves as a wake-up call for organizations handling personal data.

The Case: From Medical Bills to Marketing Texts

The dispute began when a patient provided his phone number to AGC Tenwek Hospital specifically for registration and paying medical bills. Soon after, the hospital began sending him unsolicited marketing messages.

The complainant argued that his data was being misused because he never agreed to receive promotional content. When the ODPC investigated, the hospital failed to respond, leaving the allegations uncontested.

Legal Principles Every Organization Must Know

The ODPC’s decision was grounded in the Data Protection Act, 2019 and Article 31 of the Constitution of Kenya, which protects your right to privacy.

1. The “Purpose Limitation” Rule

Personal data collected for one specific reason (like billing) cannot be used for a different reason (like marketing) without the person’s knowledge and consent. The ODPC found that Tenwek Hospital violated this principle by repurposing the phone number for an unrelated promotional use.

2. The Right to Be Informed

Under Section 26 of the Data Protection Act, individuals have a statutory right to know exactly how their data will be used. In this case, the patient was never told his number would be added to a marketing list, depriving him of the choice to opt out.

3. Marketing Requires “Explicit Consent”

Organizations cannot assume that because they have your contact details for service delivery, they have a green light to send advertisements. Direct marketing requires prior, clear disclosure and lawful consent.

Compliance Checklist for Businesses

To avoid regulatory action and maintain public trust, businesses should:

  • Respect the Purpose: Only use data for the specific reason it was collected.
  • Update Privacy Notices: Clearly inform customers at the point of collection how you intend to use their info.
  • Get the “Yes”: Ensure individuals explicitly agree to receive marketing messages.
  • Act Quickly: If the ODPC contacts you regarding a complaint, respond immediately to defend your position.

Protect Your Business with Masibo Law LLP

Data protection is no longer optional—it is a cornerstone of modern business accountability. Failing to implement a robust data governance framework can lead to heavy fines and a loss of customer confidence.

At MasiboLaw LLP, we specialize in helping organizations navigate the complexities of the Kenya Data Protection Act. Whether you need to draft comprehensive privacy policies, conduct data audits, or train your staff on compliance, we are here to safeguard your operations.

Don’t wait for a regulatory complaint. Secure your data practices today.

Contact Us: 🌐 info@masibolaw.co.ke

Leave a Reply

Previous Post
Next Post

Discover more from MasiboLaw LLP

Subscribe now to keep reading and get access to the full archive.

Continue reading