Kenyan citizen Dennis Gathara prevailed in his case before the Office of the Data Protection Commissioner (ODPC) against GoodTimes Africa for sending him unsolicited marketing texts without an opt-out button. The ODPC ordered the company to pay KES 700,000 in compensation and delete the complainant’s personal data within 14 days.

This is one of many sanctions against organisations that breach Kenya’s Data Protection Act. Last week, the ODPC ordered Bolt to pay KES 500,000 in compensation to its driver for violating data protection rights.

The complaint, which was made on June 1, 2024, concerned GoodTimes Africa persistently sending unsolicited promotional messages, failing to provide a legally mandated opt-out button, and ignoring the complainant’s demands to remove his data and cease communications.

The ODPC discovered that GoodTimes Africa had violated several provisions of the Data Protection Act 2019, including the rights of the complainant to object to processing and data erasure, the unlawful processing of personal data without consent (Section 30), and the unauthorised commercial use of personal data (Section 37).

The enforcement action resulted from GoodTimes Africa’s failure to provide proof of remedial measures, such as an SMS opt-out feature and updates to terms and conditions, or to demonstrate that it had obtained initial consent for the marketing messages.

ODPC fined Bolt KES 500,000 for data privacy breach

In a similar case concerning unauthorised access to a driver’s account, the Office of the Data Protection Commissioner (ODPC) ruled against Bolt Operations OU and Bolt Support Kenya Limited and ordered the corporation to pay KES 500,000 in compensation for infringing data protection rights.

According to the case, which Kennedy Wainaina Mbugua filed on March 19, 2024, Bolt’s customer support team failed to appropriately handle and escalate the incident under established protocols after unauthorised parties gained access to his Bolt driver account, carried out 17 fraudulent trips totalling KES 26,250, and changed account details.

The ODPC determined that Bolt was responsible for infringing the complainant’s rights under Kenya’s Data Protection Act, including the right to access personal data and the right to have inaccurate information corrected, even though the firm blamed the event on a phishing attempt and social engineering.

Significant procedural errors were found during the investigation, including incorrect account change verification procedures, a failure to perform mandatory Data Protection Impact Assessments (DPIA) for its account management systems, and a failure to notify the Data Commissioner of the breach within the allotted 72 hours, which resulted in the enforcement notice and compensation order.

The need for organisations to adhere to data protection regulations 

Following the ODPC’s decision against GoodTimes Africa, companies must manage opt-out options according to best practices to comply with data protection regulations and preserve customer confidence.

Important steps include making sure these procedures demand little work from the data subject and offering easy-to-follow opt-out instructions, like including unsubscribe buttons in promotional emails. Accessibility is improved by providing several avenues for opt-out requests, such as dedicated email addresses or customer support hotlines. It’s also critical that consumers can opt out for free or at a small cost.

To stop future unsanctioned communications, organisations should also keep track of all requests for opt-out or consent withdrawal. Additionally, they should update marketing databases frequently to reflect current consent choices. Adopting these procedures promotes a courteous and reliable relationship with customers in addition to guaranteeing legal compliance.