How will POPI affect direct marketing in South Africa?
The Protection of Personal Information Act (the “POPI Act” or “POPIA”) was signed into law in November 2013. Certain sections of the Act relating to the establishment of an Information Regulator and the development of Regulations to the Act have since commenced, and South Africa is now waiting for the commencement date of the Act to be published. Once the POPI Act commences, businesses will only have one year to ensure full compliance with the Act.
The POPI Act applies to all Processing of personal Information, for whatever reason. It seeks to regulate every step of how Personal Information must be handled from the moment it is collected until the moment it is destroyed.
One of the many areas which the POPI Act seeks to regulate is direct marketing through electronic communications. The POPI Act contains specific provisions relating to direct marketing that will regulate the industry in conjunction with the Consumer Protection Act, No 68 of 2008 (the “CPA”).
What does the CPA and POPI Act say about direct marketing and Data Subject consent?
At present, the legal position in South Africa regarding direct marketing is governed by the CPA and the Electronic Communications and Transaction Act, No 25 of 2002 (the “ECTA”). Once the POPI Act comes into effect, the provisions of the ECTA relating to direct marketing will be repealed. Due to the impending repeal of the direct marketing provisions in the ECTA once the POPI Act comes into effect, only the applicable provisions of the CPA and the POPI Act in relation to direct marketing communications will be discussed in this article.
In terms of the CPA, an opt-out system of direct marketing communication has been established. This means that businesses can effectively directly market to consumers until they opt-out (i.e. the consumer will continue to receive marketing communications until they expressly indicate otherwise), for example opt-out or unsubscribe links at the bottom of email communications or reply “No” to stop receiving these communications for SMS marketing.
The definition of direct marketing in the POPI Act is almost identical to that of the CPA, however the POPI Act’s distinctive feature is that Section 69(1) of the POPI Act limits the application of the Act to direct marketing through any form of electronic communication, including automatic calling machines, fax, SMS or email. So, while the CPA regulates all forms of direct marketing, the POPI Act is limited to direct marketing by electronic communication, which it defines as any text, voice, sound or image message sent over an electronic communications network, which is stored in the network or in the recipient’s terminal equipment until collected by the recipient.
The POPI Act gives all Data Subjects the right to object to their personal information being processed for the purposes of direct marketing. In addition, Section 69 of the Act provides that direct marketing is only permitted if:
- the Data Subject has given consentfor his or her personal information to be processed for direct marketing purposes, or
- the Data Subject is an existing customer of the Responsible Party and the Responsible Party has obtained his or her details through the sale of a product or service or where the marketing communication is for the purpose of directly marketing similar products or services of the Responsible Party and the Data Subject has been given the opportunity to object, free of charge and unnecessary formality, to the use of his or her Personal Information at the time of collection and on each occasion of direct marketing (unless consent has already been refused).
A Responsible Party is also only allowed to approach a Data Subject for consent to receive direct marketing communications once, and as long as the Data Subject has not previously withheld consent.
The Data Subject’s consent to receive direct marketing communications must also be requested in the prescribed manner and form. Clarity on what the prescribed manner and form should be, is expected in the Regulations to the POPI Act. The draft Regulations to the POPI Act, which have not yet been finalised and published, contained specific provisions around the appropriate form of Data Subject consent required for direct marketing by means of unsolicited electronic communications. In terms of draft Regulation 6, a Responsible Party will be required to request the Data Subject’s written consent on a Prescribed Form that would have to be completed by the Data Subject and physically emailed, faxed, posted or hand delivered back to the Responsible Party. The draft Regulations do not however make provision for any form of electronic acceptance to direct marketing through web-based businesses.
Prior to the draft Regulations, it was anticipated that an opt-in consent to receive direct marketing communications on a website would be a sufficient mechanism of consent, however, based on the draft Regulations, this is now unclear.
The draft Regulations have been through a process of public comment but have not yet been finalised. The Information Regulator had planned to finalise the draft Regulations by the end of April 2018, but to date nothing further has been published.
Accordingly, while the Consumer Protection Act envisages or permits an “opt-out” form of direct marketing, the POPI Act specifically requires the consent of the Data Subject to receive direct electronic marketing communications, thereby requiring an “opt-in” consent mechanism for direct marketing communications. The POPI Act also limits the number of times a Data Subject may be approached to consent to receiving direct marketing electronic communications. The POPI Act’s requirements relating to direct marketing should therefore be considered in conjunction with the existing direct marketing requirements contained in the CPA, which already regulate direct marketing communications.
Recent developments around direct marketing and the POPI Act
The relationship between Data Privacy Laws and direct marketing communications has been considered by businesses across the world quite extensively, especially over the past year with the General Data Protection Regulations (GDPR) coming into effect in May this year, and the question of what can or cannot be done through direct marketing in relation to the applicable Data Privacy laws is always a contentious and complex matter.
The provisions relating to direct marketing and the POPI Act are no different, and have recently been a topic of engagement between the Information Regulator, as the regulatory body mandated to monitor and enforce compliance with the POPI Act, and the Direct Marketing Association of Southern Africa (DMASA), a Not for Profit company responsible for self-regulation of the direct marketing industry in South Africa, following an article that was published by IT Web on 25 July 2018 titled “Direct marketers slam POPI ‘opt-in’ provisions”.
Briefly, this article stated that the DMASA wants the “opt-in” regulation of the draft regulations to the POPI Act to be “deferred by at least three years”, on the basis that it would “negatively impact the direct marketing industry”, “have the potential to damage the direct marketing industry quite significantly” and is “not suitable for a developing economy such as South Africa”. The three year deferment was recommended by the DMASA in order to “give the direct marketing industry time to undertake the necessary educational drive and put effective opt-in provisions in place”. (The article can be found here).
In response to the article, the Information Regulator published a media statement on 27 July 2018, in which it stated that it has requested a meeting with the DMASA to discuss the concerns that were raised in the article. The media statement went on to differentiate between “opt-out” and “opt-in” in the context of direct marketing and in relation to the provisions of Section 69 of the POPI Act. In the media statement the Information Regulator stated its views on the provisions and importance of section 69 of the POPI Act and gave a firm opinion that the direct marketing provisions in section 69 of the POPI Act are in the best interests of Data Subjects, are fair and on par with international best practices. The media statement also indicated that the Information Regulator was working hard to ensure that the POPIA Act becomes fully effective before the end of this year.
In a draft joint statement that was then published by the Information Regulator on its website on 16 August 2018, the Information Regulator noted that it had met with the DMASA for the purposes of exchanging views and interacting on the POPI Act, particularly as it relates to electronic direct marketing and that both organisations have reaffirmed their commitment to work together to ensure that citizens are protected against unscrupulous marketers, while being mindful of the need to ensure that all businesses have the ability to adhere to the provisions of the POPI Act within the context of the need to promote economic activity within South Africa. (The media statements published by the Information Regulator can be found here)
Where to from here?
We are still waiting for the Information Regulator to publish the final Regulations to the POPI Act, and it will be interesting to see what changes have been made around the direct marketing requirements of the POPI Act in the Regulations, considering the potentially onerous nature of the initial draft Regulations on how consent must be obtained for the purposes of electronic direct marketing communications. In addition, with much speculation about when the POPI Act will actually become fully effective, it will be interesting to see whether the Information Regulator is able to have the Act fully effective before the end of 2018.
Natasha has a BCom LLB and was admitted as an attorney in 2008. She rose to the level of senior associate at Hogan Lovells before leaving to join Deloitte Legal as a senior manager and subsequently the Life Healthcare Group as Senior Legal Counsel and then Deputy-Head Legal. Natasha left to focus on her commercial practice and joined Caveat in 2017.
Natasha provides specialised legal services on Information Privacy and the POPI Act. With over 4.5 years of POPI experience, she is well placed to assist your business, small, medium or large, with all your POPI compliance needs including awareness, training, legal advice around POPI compliance, implementation advice and assistance, and drafting of Privacy related documents, policies and agreements. Please contact us for more information about the POPI training and awareness programmes Natasha offers and for more information about how we can walk you through your businesses POPI compliance journey.