Direct marketing is a familiar source of frustration for consumers in the United Arab Emirates ("UAE"). Communication with individual consumers through various means, including email, social media, telephone, and texting campaigns, is pervasive in the market and can be seen as an invasion of privacy, particularly in the UAE, where consumer contact information appears to be freely available to businesses.
Recently, the UAE has placed a renewed focus on protecting consumer privacy and personal data with the issuance of:
- Federal Law No. 15 of 2020 on Consumer Protection (the "CPL"); and
- Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (the "PDPL").
Companies must be aware of their obligations under each of these laws to avoid the risk of penalties, including imprisonment, administrative fines, and business closure.
Consumer Protection
The CPL was issued on 10 November 2020 (with a one-year compliance grace period which expired on 9 November 2021) and has introduced updated consumer protections, replacing the previous law of the same name released in 2006.
The CPL applies to all services and products in the UAE (including free zones), and includes e-commerce transactions.
A noteworthy provision in the CPL is Article 4(5), which enumerates the protection of "privacy and security of [consumer] data" as a "consumer right" and prohibits suppliers from using consumer data for "the purposes of promotion or marketing".
Further guidance on the implementation of Article 4(5) and the CPL has not yet been provided and is expected in the form of the law's executive regulations, which are still outstanding despite an expected issue date of May 2021. Without further context, Article 4(5), strictly speaking, indicates an explicit ban on the use of consumer personal data for promotion and marketing purposes in the UAE.
What does this mean when communicating with consumers?
Despite the clear prohibitions in Article 4(5), a complete ban on marketing communications with consumers seems unlikely to have been the intent of the legislator. It has been observed that the prevailing interpretation of this provision in market practice has – at least so far – been to require the consent of the consumer prior to commencing direct marketing communications.
Personal Data Protection
In 2021, the UAE also took steps to align with international data protection regulations with the release of the PDPL, which was issued on 20 September 2021.
Scope
With certain exceptions, the PDPL applies to the processing of personal data:
- of any data subject who resides or has a place of business in the UAE; and
- by any data controller or processor located in the UAE, or located outside the UAE if it processes the data of data subjects located inside the UAE.
Companies located in the UAE free zones subject to special legislation on personal data protection (e.g., DIFC, ADGM) are not subject to the PDPL.
Compliance
The PDPL provides a grace period of six (6) months from the date of issuance of the law's executive regulations for data controllers and processors to regularize their data processing in accordance with the provisions of the law; however, the executive regulations have not been published to date.
Consent Requirements
The PDPL places strict consent requirements on the use of an individual's personal data in the UAE. Personal data may not be processed without the consent of the individual (i.e., the data subject), unless an exception applies.
Consent needs to be specific, clear, and unambiguous, and in the form of a clear positive statement or action. Data subjects also have the right to withdraw their consent at any time.
In respect of direct marketing specifically, the PDPL expressly provides the data subject with the right to "object to and stop the processing" if their data is being used for direct marketing purposes.
What this means when communicating with consumers
While still within the compliance grace period, it would be prudent for businesses to update their data protection strategies if they collect and process personal data of persons located in the UAE.
Use of consumers' personal data for marketing purposes should be done with their prior and explicit consent. Businesses must also incorporate easily accessible opt-out mechanisms (e.g., "unsubscribe") to allow data subjects to withdraw their consent or to object to receipt of marketing communications.
Next Steps
Although we await the release of the executive regulations for each of the abovementioned laws to provide more clarity on the implementation of the provisions concerned, businesses must be cognizant of their obligations under the CPL and the PDPL when communicating with consumers in the UAE.
Originally published 27 July 2022
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.