FYI!
This article is the second of a series of pieces on PDPA compliance for marketing processes in Malaysia. Click to read Part 1: PDPA and Marketing in Malaysia and continue with Part 3: Managing Customer Databases for PDPA Compliance.
Marketing activities place individuals in frequent and direct contact with emails, messages, calls, advertisements, and promotions, sometimes through automated systems.
As a result, marketing is one of the areas where individuals are most likely to feel that their personal data is being misused, overused, or processed without proper control.
Under the Personal Data Protection Act 2010 (PDPA), individuals are given specific rights to control how their personal data is used for marketing purposes, particularly the ability to opt out of direct marketing and withdraw consent.
Right to prevent processing for direct marketing
Under Section 43 of the PDPA, a data subject can require the business to cease processing their personal data for direct marketing purposes. Once a data subject exercises this right:
- the business must stop using the individual’s personal data for direct marketing within a reasonable period; and
- marketing communications must not resume unless fresh consent has been obtained
Where a business fails to comply, the data subject may submit a complaint to the Personal Data Protection Commissioner, who may in turn require the business to take steps to comply with the opt-out request. If the business still fails to comply, it will face potential fines of up to RM200,000, imprisonment for up to two years, or both.
Businesses should make it easy for individuals to opt out of marketing communications and ensure that opt-out requests are properly recorded and acted upon.
Withdrawal of consent
Section 38 of the PDPA allows data subjects to withdraw consent to the processing of their personal data at any time. Key points businesses should be aware of:
- withdrawal of consent does not require justification
- once consent is withdrawn for marketing purposes, marketing activities must stop
- the business may still process personal data for contractual or legal obligations, but not for marketing purposes
For example, a customer may withdraw consent to receive promotional emails but may still receive transactional communications such as invoices, service notifications, or account-related updates.
Businesses should take care not to include marketing content within such transactional communications after consent has been withdrawn, as failure to comply is punishable by a fine of up to RM100,000, imprisonment for up to 1 year, or both.
Let ELP be your PDPA legal advisors
Businesses in Malaysia must recognise that under the PDPA, individuals have enforceable rights to opt out of direct marketing and withdraw consent at any time, and that failure to respect these rights may escalate from dissatisfaction to severe penalties.
If your organisation requires assistance reviewing marketing consent practices, updating privacy notices, or assessing PDPA compliance risks, feel free to reach out for a consultation.




