KYC Best Practices | 06 Mar 2023

The Intersection of Privacy and User Engagement: A look into user data privacy

Rachael Wambua

Content Marketing Manager

Digital usage is increasing in many African countries, with millions of people going online for the first time each year. But as these users learn more about the digital world, they become increasingly conscious of the dangers of sharing personal information online. This has made people more aware of how vital user data privacy is and how it relates to user onboarding and engagement. In this post, we'll look at data policies and what businesses can do to provide a seamless customer experience while adhering to governing rules.

Businesses ask their customers or clients for personal information during standard KYC processes. This data can include name, address, date of birth, email address, phone number, and government-issued identification numbers that can be used to verify a customer's identity, ensure compliance with regulatory requirements, or provide personalized services or products. When users consent and provide this information, they expect their personal information to be protected and used responsibly and transparently.

When businesses use the data they receive from their users for activities that were not explicitly consented to, it can erode trust in both the platform and the business. For example, if a user grants consent for phone book access, but the business uses that information to contact guarantors regarding delayed payments without the user's consent, it can create a sense of mistrust that may carry over to other platforms the user interacts with in the future.

This has created the need for laws such as the General Data Protection Regulation (GDPR) in the EU and the Protection of Personal Information Act (POPIA) in South Africa, which require companies to obtain explicit consent from users before collecting and processing their personal data. Data protection laws aim to safeguard individuals' privacy and personal information. Let's have a look at some data privacy laws around the continent.

Some countries that have enacted Data Protection laws in Africa


In Uganda, the Data Protection and Privacy Act was passed in 2019 as a stand-alone law that oversees the protection of personal data in the country. The Act also requires consent before personal data is collected or processed. In addition, the Act requires data controllers and processors to be registered in Uganda. The Act created the Personal Data Protection Office (PDPO), an independent office tasked with overseeing the implementation and enforcement of the Act. Last year, in collaboration with the United Nations Capital Development Fund (UNCDF), the PDPO launched a new data protection and privacy portal with SMS and USSD functionality to simplify the process of reporting, processing, and resolving data protection and privacy complaints and breaches.

In Ghana, the Data Protection Commission of Ghana administers the Ghana Data Protection Act of 2012. The Act requires data controllers and processors to register with the Commission. The Data Protection Act provides a comprehensive framework for processing the data of Ghanaians and persons resident in Ghana. A legal basis for processing data is mandatory, while prior consent before processing personal data is generally required.

In Nigeria, the Data Protection Regulation (DPR) was introduced in January 2019 to regulate public and private organizations' collection, use, storage, and disclosure of personal data. The DPR sets out various obligations for data controllers and processors, including obtaining consent from data subjects, implementing security measures to protect personal data, and reporting data breaches.

South Africa has had data protection legislation in place since 1998 in the form of the Protection of Personal Information Act (POPIA). POPIA aims to protect personal data and requires businesses to implement appropriate technical and organizational measures to safeguard personal information. The law also sets out several conditions that data controllers must meet when collecting, using, or disclosing personal data, including obtaining consent and providing individuals with access to their data.

In Kenya, the Data Protection Act was passed in November 2019 to regulate public and private organizations' processing of personal data. It is the primary regulation governing the collection and processing of personal data in Kenya. This Act requires user consent for processing the personal data of Kenyans and aliens living in Kenya. In addition, the Act requires any business collecting personal information to register as a data controller and anyone processing data to be a registered processor.

Ways businesses can get explicit user consent
As businesses continue to collect and analyze more customer data, the demand for clear and effective communication about data privacy and usage has grown. Consent screens, privacy policies, and user agreements are critical tools for organizations to adopt to inform their users about their data collection practices and get their consent.

Consent screens
Consent screens are typically the first point of contact between a business and its users. They provide a brief overview of the information that will be collected, how it will be used, and an opportunity for the users to opt in or out of data collection.

In Nigeria, for example, the Nigeria Inter-Bank Settlement System (NIBSS) has introduced a new consent layer called iGree. This layer is intended to confirm that BVNs are being used and shared only by their owners and always with a digital audit trail of explicit user consent. With the introduction of iGree, users will now receive an OTP (One Time Password) that they can use to agree to a transaction, confirming their consent for their BVN data to be shared with that particular business.

Privacy policies
On the other hand, privacy policies provide more detailed information about a company's data collection practices, including what types of data are collected, how they are collected, and how they are used and shared. For a good user experience and to ensure the user is well informed, the privacy policy should be easy to find and written in clear, non-technical language that all users can understand.

Cookie Policies
A cookie policy typically provides information about the types of cookies (small data files stored on a user's device when they visit a website), how a website or application uses them, and how users can control or disable them. Cookies are often used to help websites remember what users like, keep track of how they use the site, and make the content and ads more relevant to each user.

Users are more likely to engage with companies that care about their privacy because it shows that the company is honest, open, and responsible about using personal information.

Benefits of ethical data practice on user engagement


Improved user trust
Building trust with your customers is critical for business success. Keeping your users informed about your policies and promptly updating them when changes occur helps improve their confidence in your company. In addition, when users clearly understand what to expect from a business, they are more likely to view it as trustworthy and credible.

Increased user loyalty
Users are likelier to stay loyal to a company if they feel their data is safe and used ethically. This can also lead users to become ambassadors for the business, helping increase its customer base.

Enhanced user experience
Users who trust a business are likelier to share more information with it. With more data at their disposal, businesses can create personalized information that makes their users' experience on their platform more engaging and valuable.

Improved brand perception
Companies that prioritize data privacy are viewed more positively by users. This improves their reputation and makes them a top-of-mind brand for users who are security conscious.

At Smile Identity, we take data privacy seriously and work with different authorities across the continent to ensure privacy policies are implemented to build a more trusted world. We adhere to these regulations in various countries and constantly update our practices to comply with changing requirements. Our recent State of KYC report highlighted the different data protection laws and how we adhere to them.

Contact us to learn how we can help you meet your KYC needs while effectively complying with relevant data protection laws.
