POPIA and the regulation of direct marketing

Feb 15, 2021

Introduction:

Under South African law, direct marketing is not solely regulated by the Protection of Personal Information Act 4 of 2013 (“POPIA” / “Act”) but is affected by other pieces of legislation too. “Direct marketing” means to approach a person, either in person or by mail or electronic communication, for the direct or indirect purpose of (a) promoting or offering to supply, in the ordinary course of business, any goods or services to the person; or (b) requesting the person to make a donation of any kind for any reason.[1]

Generally, direct marketing includes methods of approaching consumers such as, telesales, in-person communications / door-to-door marketing, e-mail, SMS, fax, wireless computer access and/or any other form of technological communication.

Direct marketing in South Africa is, at present, mainly regulated by the Consumer Protection Act 68 of 2008 (the “CPA”) and the Electronic Communications and Transactions Act 25 of 2002 (the “ECTA”). In addition, the governance of direct marketing is also overseen by codes and independent bodies which, in certain instances, are industry specific. Examples of such codes and/or bodies include, the Banking Code, the Code of Advertising Standards, the Advertising Standards Authority of South Africa (ASA) and the Independent Communications Authority of South Africa (ICASA).

Upon POPIA becoming fully effective and enforceable, from 1 July 2021, the regulation of direct marketing by way of electronic communication shall be regulated by POPIA’s provisions and the provisions of both the CPA and the ECTA shall then, in as far as they relate to the governance of electronic direct marketing, be amended to co-align with POPIA. To this end, direct marketing practises are defined in POPIA to include, inter alia, online services, emails, SMSs, faxes, telephone and/or automatic calling machines.

In essence, the CPA and the ECTA, provide for direct marketing to lawfully take place by way of an “opt-out” method, which means that direct marketing may take place until such time that the recipient of such marketing withdraws his/her or its consent to receiving same (i.e. the person “opts-out” or unsubscribes from the direct marketing communications).

CPA:

The CPA, amongst other things, aims to protect persons who are covered under its provisions (to this end, there are instances where the CPA does not apply to a transaction and such instances will need to be considered in the relevant circumstances. The exempt transactions go beyond the scope of this discussion), from unsolicited direct marketing communications. In this regard, the CPA protects both natural persons (i.e. living human) and also juristic persons (e.g. legal entities such as companies and trusts) where a juristic person’s annual turnover is below two million Rand (the current threshold set by the Minister responsible for consumer protection matters).

The CPA enables a consumer to refuse to accept direct marketing communications from someone in person or, in the case of an approach other than in person, to pre-emptively block any approach or communication to that person, if the approach of communication is primarily for the purposes of direct marketing. Other than just enabling a consumer to refuse to accept direct marketing communications, the CPA also provides for recommendations to limit or stop direct marketing communications (section 11), by providing that:

  • a person who is the subject of direct marketing communication may demand that the person responsible for initiating the communication cease any further communication;
  • the Commissioner of the National Consumer Commission (NCC) may establish a registry in which any person may register a pre-emptive block, either generally or for specific purposes, against any communication that is primarily for the purpose of direct marketing (“Registry”) (the Regulations published to the CPA contain more details about the establishment of this Registry);
  • a person authorising, directing or conducting any direct marketing must implement appropriate procedures to facilitate the receipt of demands to pre-emptively block and not direct or permit any person associated with that activity to direct or deliver any communication for the purpose of direct marketing to a person who has made a demand to pre-emptively block or has registered a pre-emptive block on the Registry; and
  • no person may charge a consumer a fee for making a demand to pre-emptively block direct marketing communications, or to have a pre-emptive block registered.

However, the Registry has not yet been established and consumers are therefore, unable to pre-emptively block their details from use by direct marketers. As an alternative, at this stage, there currently exists a non-profit company named, Direct Marketing Association of South Africa (DMASA). DMASA is dedicated to the “protection and development of the Interactive and Direct Marketing (IDM) industry.”

DMASA has established a pre-emptive block list where consumers can register to not receive direct marketing communication. This refusal is however, only effective against DMASA members and not all businesses operating within South Africa’s borders. DMASA’s member directory does however, contain a number of large organisations such as South Africa’s banks, certain retail groups and prominent local advertising agencies. To register, DMASA’s website can be visited and thereafter, the prompts can be followed to the DMA National OPT-OUT Database.

The CPA[2] furthermore, sets a limitation on the times that a consumer may be contacted for purposes of direct marketing providing that, consumers may not be contacted during the following times and/or days:

  • Sundays or Public holidays;
  • Saturdays before 09h00 and after 13h00; and
  • all other days between the hours of 20h00 and 08h00 the following day.

Therefore, in terms of the CPA, direct marketing is currently regulated by an “opt-out” structure whereby, if a consumer does not wish to receive direct marketing, he/she/it is to request the supplier to remove their contact details and/or cease contacting them (i.e. unsubscribe).

ECTA:

The ECTA, on the other hand, concerns itself with direct marketing by way of electronic communication methods. The ECTA contains, amongst other things, provisions to assist data subjects (any natural person) against unsolicited direct marketing by way of electronic communications.

The ECTA defines, “electronic communications” as communications by means of data messages. “Data messages” means data generated, sent, received or stored by electronic means and includes (a) voice, where the voice is used in an automated transaction and (b) a stored record. “Data” means electronic representations of information in any form. Therefore, “electronic communications” includes a wide range of communications such as, SMSs, telephone communications, emails and website.

Similarly to the CPA, the ECTA provides for an “opt-out” method for lawful direct marketing via electronic communications, meaning that direct marketing by way of electronic communication may take place until the data subject unsubscribes (i.e. withdraws his or her consent). In this regard, sections 45, 50 and 51 of ECTA regulate the sending of unsolicited electronic direct marketing- better known as “spam”.

In terms of section 45 of ECTA, (1) any person who sends unsolicited electronic commercial communications to consumers[3], must provide the consumer— (a) with the option to cancel his or her subscription to the mailing list of that person (b) and with the identifying particulars of the source from which that person obtained the consumer’s personal information, on request of the consumer. Furthermore, (2) no agreement will be deemed to be concluded where a consumer has failed to respond to an unsolicited communication.

Any person who fails to comply with the aforesaid provisions of section 45(1) is guilty of an offence and liable, on conviction, to the penalties prescribed and any person who sends unsolicited commercial communications to a person who has advised the sender that such communications are unwelcome, is guilty of an offence and liable, on conviction, to the penalties prescribed (i.e. to a fine or imprisonment for a period not exceeding 12 months).

Sections 50 and 51 of the ECTA regulate the scope of protection of personal information in as far as such information is captured in terms of electronic communications. Section 50 indicates that a data controller[4] may voluntarily subscribe to the principles outlined in section 51 by recording such fact in any agreement with a data subject in which case, the data controller must subscribe to all the principles outlined in section 51 and not merely to parts thereof, and the rights and obligations of the parties in respect of the breach of the principles outlined in section 51 will then be governed by the terms of any agreement between the data controller and data subject.

Section 51 accordingly sets-out the principles for electronically collecting personal information of data subjects and provides that:-

  • A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.
  • A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.
  • The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.
  • The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.
  • The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.
  • A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.
  • The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed.
  • The data controller must delete or destroy all personal information which has become obsolete.
  • A party controlling personal information may use that personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.

Come the effective date of POPIA, the ECTA’s sections 45, 50 and 51, shall be repealed and replaced to the extent that such sections will then co-align with the provisions of POPIA’s Chapter 8, which regulates direct marketing by means of unsolicited electronic communications. Furthermore, to the extent that the CPA’s provisions regulate direct marketing by way of electronic communication, it is expected that the CPA shall apply concurrently with the provisions of POPIA.

 POPIA:

Eight conditions for lawfully processing of personal information:

POPIA’s eight conditions for lawful processing of personal information, as set out in Chapter 3 of POPIA, apply to direct marketing by means of unsolicited electronic communication. In summary, POPIA’s eight conditions are:

  • Accountability – the responsible party takes full responsibility for how a data subject’s personal information is processed;
  • Processing Limitation – the processing of personal information is limited to the consent of the data subject or allowed by law;
  • Purpose Specification – due to the responsible party being limited to the confines of the consent granted, the purpose for why personal information is required must be identified;
  • Further Processing Limitation – there are restrictions on the further distribution of personal information to anyone else or to use the personal information for any other purpose;
  • Information Quality – POPIA places an obligation on a business to ensure that the personal information remains correct and up to date;
  • Openness – the responsible party must inform the data subject in the event of a breach of their personal information, what personal information you have on them; how and where it is stored;
  • Security Safeguards – physical and digital security measures to protect personal information must be put in place; and
  • Data Subject Participation – respecting the rights of every data subject to have access to and control over their personal information.

POPIA and an “opt-in” method for direct marketing via electronic communication:

POPIA essentially replaces the current “opt-out” method established in terms of the CPA and ECTA, with an “opt-in” method. What this means is that direct marketing via unsolicited[5] electronic communications shall not be allowed unless the consent of the data subject is obtained. Section 69(1), to this extent, prohibits the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communications, including automatic calling machines, fax, SMSs or e-mail, unless:

  • the data subject has given their consent to the processing; or
  • the data subject is already a customer of the responsible party (and has had a reasonable opportunity to object to the direct marketing).

Therefore, the position concerning electronic direct marketing under POPIA, may in our view be understood as:

  • New Potential Clients/Customers: A responsible party (e.g. a business) will first need to obtain the data subject’s consent prior to using electronic direct marketing, to contact them and if the data subject withdraws his/her/its consent, cease such direct marketing which was directed to such data subject; and
  • Existing Clients/Customers: A responsible party may continue to send direct marketing, by electronic communication methods, to the existing data subject who is a customer/client, provided the data subject’s initial consent was obtained and such data subject has not since withdrawn their consent.

However, when it comes to existing clientele / customers, same is understood to further be subject to the responsible party being able to reasonably prove, in the circumstances, that:

  • the data subject’s personal information was collected at the time that the data subject enquired about the responsible party’s goods and/or services;
  • the data subject was informed that their personal information may be used for marketing purposes;
  • the responsible party limits the direct marketing to his/her/its own goods and/or services and such goods and/or services are similar the goods and/or services which the data subject contacted the responsible party about, or actually purchased, in the first instance (e.g. a business uses a third party marketing agency to assist in the marketing of its goods and/or services and this marketing agency, over and above attending to electronically market the business’ goods/services to the business’ customer list, further electronically markets its own goods and/or services to the persons on such list. Unless the persons on the list consented to such third party marketing, the lawfulness shall be questionable under the provisions of POPIA); and
  • the data subject is always able to unsubscribe from receiving the direct marketing (i.e. at the time of collection of the personal information and each time the responsible party sends direct marketing communications. E.g., allow the data subject to unsubscribe).

In the case of existing clients or customers, if all of the above cannot be confirmed by the responsible party, he/she/it will need to consider whether obtaining consent afresh will be pursued or risk a compliant being lodged by a disgruntled data subject and/or a potential encounter with the Information Regulator (supervisory authority).

Withdrawal of consent:

In general, a data subject has the right to withdraw their consent at any time, in relation to their own personal information being processed.[6] However, this withdrawal right is subject to the processing of the data subject’s personal information which took place prior to such withdrawal, not being impacted and the processing lawfully continuing, in the absence of consent, based on another recognised justification.[7] POPIA however, does not directly provide for the withdrawal of consent for purposes of direct marketing.

Objection to processing:

A data subject may of course, object to the processing of his/her/its personal information at any time. In this regard, POPIA recognises the general right of the data subject to object to the processing of his/her/its personal information where processing is based on protecting the legitimate interest of the data subject, the proper performance of a public law duty by a public body and/or pursuing the legitimate interest of the responsible party or of a third party to whom the information is supplied.[8] Such objection is required to be made on reasonable grounds and in the prescribed manner (The Regulations Relating to the Protection of Personal Information (“POPIA Regulations”) prescribes Form 1).[9]

Apart from the aforesaid, a data subject may also specifically object to the processing of his/her/its personal information for purposes of direct marketing by means of unsolicited electronic communication. In terms of this objection, a data subject, who is a customer of the responsible party, must be given a reasonable opportunity to object, free of charge and in manner free of unnecessary formality, to the use of his/her/its electronic details for direct marking purposes, at the time when the information was collected and each time thereafter, when direct marketing electronic communication is sent (unless the data subject has already initially refused).[10]

Obtain consent once and use of prescribed form:

Importantly, under the provisions of POPIA, the responsible party is limited to one approach to obtain consent of the data subject and the data subject’s consent is required to be requested in the prescribed manner and form. The POPIA Regulations, prescribe a form for purposes of obtaining the necessary consent required from a data subject to enable the responsible party to lawfully engage in electronic direct marketing with such data subject. Regulation 6 of the POPIA Regulations provides that a responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must in terms of section 69(2) of the Act, submit a request for written consent to that data subject on Form 4.

A responsible party’s request for consent to electronic direct marketing, directed to the data subject, need not look exactly like Form 4 but must substantially comply therewith. In other words, as long as the consent acquired from such a data subject, duly informed the data subject that the consent given (in whatever form, for instance by a click of a button or clicking, “I agree”) constitutes consent as is contemplated in terms of Form 4 as provided  for in POPIA and complies with all its requirements.

Conclusion:

POPIA therefore, does not outlaw the use of direct marketing however, does to an extent level the playing fields by providing for an opt-in method to direct marketing by electronic communication, as opposed to an opt-out method.

[1] Sections 1 of POPIA & CPA.

[2] Section 12(2) of CPA.

[3] ECTA defines “consumer” as any natural person who enters or intends entering into an electronic transaction with a supplier as the end user of the goods or services offered by that supplier.

[4]     In terms of ECTA, “data controller” means any person who electronically requests, collects, collates, processes or stores personal information from or in respect of a data subject

[5] “unsolicited communications” refers to communication where there is no prior relationship between the sender and the recipient and the recipient has not consented to receiving the communication and/or the recipient may have attempted to stop the sending of this bulk communication by requesting the sender to remove their contact details.

[6] Section 11 of POPIA.

[7] Section 11(1)(b)-(f) of POPIA (e.g. the law requires processing to continue).

[8] Sections 11(1)(d)-(f) & 11(3)(a) of POPIA.

[9] Section 11(3)(a) of POPIA.

[10] Section 69(33)(c) of POPIA

Related Posts

#POPIpack™ Packs

The core minimum documents included in our different Packs are geared to help your organisation address its POPIA compliance from a legal documents standpoint. No matter the Pack or, if preferred, if separate legal documents are bought, every document has been carefully considered and drafted by legal professionals and is geared to provide the core minimum legal agreements.