26 August 2020 by , and Technology, Media & Telecommunications Alert

Direct marketing practices in the midst of South Africa’s new era of data protection

Direct marketing has been legislatively regulated in South Africa since 2002. Before the commencement of the operative provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) on 1 July 2020, direct marketing was already regulated under the Electronic Communications and Transactions Act 25 of 2002, the National Credit Act 34 of 2005 and the Consumer Protection Act 68 of 2008 (CPA). While most businesses engaging in direct marketing practices are likely to have already come to grips with these pre-POPIA laws, such businesses will now need to make some adjustments before the POPIA enforcement deadline on 30 June 2021.

Direct marketing provisions under POPIA

General requirements

Under POPIA, responsible parties (i.e. direct marketers) are prohibited from processing personal information for the purposes of direct marketing, unless the following requirements are complied with:

  • consent is obtained or the processing falls within the scope of one of the other lawful bases for the processing of personal information as set out under section 11 of POPIA;
  • the direct marking communication contains details of the identity of the direct marketer or the person on whose behalf the communication has been sent (section 69(4) of POPIA); and
  • the direct marketing communication contains an address or other contact details to which the relevant data subject (consumer) may send an objection to the processing of his personal information (section 69(4) of POPIA).

Direct marketing carried out by means of unsolicited electronic communications

However, where the direct marketing is specifically carried out by means of unsolicited electronic communications (including by way of automated calling machines, SMSs, fax machines or e-mails), such direct marketing will, in terms of section 69(1) of POPIA, be unlawful unless:

  • the consumer is a customer of the direct marketer; or
  • the consumer is not a customer of the direct marketer but has consented to the processing of his personal information.
  • Even if the direct marketing by means of unsolicited electronic communications complies with the provisions of section 69(1) above, the following further conditions will also apply:
  • Where the consumer is not the customer of the direct marketer, POPIA follows an “opt-in” approach, in terms of which the direct marketer must obtain the consent of the consumer before sending a direct marketing communication to such person. In this situation, the direct marketer may only approach the consumer (who must not have previously withheld consent) on one occasion in order to obtain the necessary consent (so as to prevent the consumer being harassed for consent) (section 69(2) of POPIA).
  • Where the consumer is a customer of the direct marketer, POPIA follows an “opt-out” approach, in terms of which the direct marketer must give the relevant customer the opportunity to object to the processing of his personal information (section 69(3) of POPIA). In this situation, the direct marketer may only send a direct marketing communication to the customer if:
  • the direct marketer obtained the customer’s contact details in the context of the sale of a product or service;
  • such contact details were obtained for the purpose of direct marketing in relation to the direct marketer’s own products or services that are of a similar nature; and
  • the customer is provided with a reasonable opportunity to object to the processing of his personal information. In this regard, the opportunity to object should be provided to the customer at the time when the personal information is collected and, if the customer has not objected to this at the time of collection, the direct marketer must provide such opportunity on every occasion when a direct marketing communication is sent to the customer.

In this regard, it is important to note that ‘unsolicited electronic communications’ under POPIA do not include telephone calls. Direct marketing via telephone is, however, already regulated under the CPA – which follows an “opt-out” approach. Although direct marketing via telephone will not need to comply with all of the direct marketing provisions in POPIA, the direct marketer will still need to generally process the personal information of the relevant consumers in accordance with the provisions of POPIA.

Requirements under the POPIA Regulations

Regulation 6 of the Regulations Relating to the Protection of Personal Information, 2018 (POPIA Regulations) provides that a direct marketer who wishes to process personal information of a data subject (consumer) for the purpose of direct marketing by way of electronic communications must do so in terms of the prescribed form (Form 4). The form requires, amongst other things, that:

  • the direct marketer sign the request for the consumer’s consent; and
  • the consent provided by the consumer be linked to: (i) specified goods and/or services; and (ii) specified means of electronic communication (i.e. fax, email, SMS or other).

The direct marketer must, however, note that the POPIA Regulations are not currently in force and will commence on a date to be determined by the Information Regulator by proclamation in the Government Gazette.

Commencing the compliance process

Now that section 69 of POPIA is in effect and the commencement of the POPIA Regulations is imminent, it is advisable that direct marketers begin to plan how they are going to achieve compliance with such provisions, and do so as soon as possible. Postponing the compliance process until 30 June 2021 may result in direct marketers becoming vulnerable to penalties for non-compliance with POPIA.

download PDF

The information and material published on this website is provided for general purposes only and does not constitute legal advice.

We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter.

We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.

Please refer to the full terms and conditions on the website.

Copyright © 2020 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com

You may also be interested in