Should a company use information of an individual for the purposes of marketing (e.g. marketing through SMS, email, direct mail and telephone), the company will be processing personal data about an individual in respect of a commercial transaction. In respect of such personal data, the company (“Data User”) must comply with the Personal Data Protection Act 2010 (“PDPA”).
The General Principle (Obtaining Consent)
The mere calling, texting or emailing an individual on his mobile/phone number or email address without his consent would technically amount to a breach of the PDPA. The PDPA requires a Data User to obtain the consent of the individual prior to processing the individual’s personal data. As such, if the Data User does not have the consent of the individual, the Data User may not use the individual’s personal data to contact the individual for marketing purposes.
The Personal Data Protection Commission (“PDPC”) issued a proposal paper in respect of dealing with direct marketing under the PDPA (“Proposal Paper No. 1/2014”). The Proposal Paper No. 1/2014 expressly provides that one needs the consent of the individual prior to using their personal data for direct marketing purposes. Whilst the Proposal Paper No.1/2014 was published to solicit feedback on personal data in respect of direct marketing and has not yet been gazetted into law, it provides an insight of the position taken by the PDPC presently and that is that consent must be obtained prior to using any personal data for direct marketing.
The Right Of An Individual To Stop A Data User From Using His Personal Data For Marketing
Worth noting is Section 43 of the PDPA which addresses the subject of direct marketing – it states that an individual can, at any time, send a written notice to a Data User to stop the Data User from using his personal data for direct marketing. “Direct marketing” is defined as the communication by whatever means of any advertising or marketing material which is directed to particular individuals.
If the Data User fails to comply with the individual’s written notice, the individual may submit an application to the PDPC to require the Data User to stop using the individual’s personal data for direct marketing. The PDPC may then require the Data User to take such steps for complying with the individual’s request. Failure of a Data User to comply with the requirement of the PDPC is an offence and attracts a fine of up to RM 200,000 and/or imprisonment of up to 2 years.
Form Of Consent
It is advisable that a company send a written privacy notice to the individual (Notice & Choice Principle) and obtain an express written consent prior to marketing to the individual.
Regulation 3 of the Personal Data Protection Regulations 2013 (“PDPA Regulations”) stipulates that consent obtained must be in any form that such consent can be recorded and maintained properly by the Data User. Consent that can be recorded includes written consent and audio recordings of the consent.
If written consent cannot be obtained, an alternative would be for the company to call the individual to obtain consent before proceeding with the marketing. If the individual does not give consent, the company must not proceed to market and must end the call immediately. If the individual gives consent, the company may proceed to market to the individual, and the individual’s consent should be recorded as evidence of it having been given. That being said, this method of obtaining consent through the phone, is not ideal. As consent must be in a recordable form, the company must as soon as practicable after the call, provide a written privacy notice to the individual and obtain an express written consent.
It is also common for companies to use an “opt-out method” of obtaining consent, whereby a company gives the option to an individual (e.g. by SMS or written notice) to not receive marketing messages and if the individual does not opt-out, the company proceeds to market to the individual. Obtaining consent by opt-out methods may not be permissible, given that the PDPA Regulations require consent to be recordable.
For marketers, the biggest challenge in respect of complying with the PDPA is getting consent and providing written privacy notice to individual customers. What needs to develop further is guidance on whether other types of consent such as opt-out consent is acceptable under the PDPA.
About the author: Jane Tan is an associate in the corporate practice group of Donovan & Ho. She graduated with a LLB (Hons) from the University of London and is an advocate and solicitor of the High Court of Malaya. She regularly advises clients on personal data protection, telecommunications, media and technology law. She has also written articles for the Sun newspaper.