The Information Regulator recently published its Guidance Note on Direct Marketing (“Guidance Note”), providing clarity on how personal information can be lawfully processed under the Protection of Personal Information Act (“POPIA”). The Guidance Note offers actionable steps for organizations to align their marketing practices with these principles, fostering responsible marketing that complies with both the letter and spirit of the law.
In this blog, we briefly examine POPIA’s rules on direct marketing, and some of the key highlights from the Guidance Note.
How Direct Marketing is Regulated under POPIA
POPIA regulates direct marketing by establishing strict conditions for the lawful processing of personal information. It requires “responsible parties” (more commonly known as ‘controllers’) to ensure that personal data is collected and used transparently, fairly, and only for a specific, legitimate purpose.
For direct marketing:
- Consent is the default requirement for unsolicited electronic communications (e.g., emails, SMSs, and automated calls). Section 69 of POPIA explicitly prohibits such communications unless the data subject has given prior consent or is an existing customer under specific conditions.
- Legitimate interests may only serve as a justification for non-electronic direct marketing (e.g., postal mail or in-person promotions) under section 11, provided the responsible party conducts a legitimate interest assessment and complies with all conditions for lawful processing.
These rules emphasize data subjects’ control over their personal information, highlighting the importance of consent and the right to object.
Key Highlights from the Guidance Note
- Types of Direct Marketing Covered
POPIA distinguishes between:
- Non-electronic direct marketing: Such as postal mail and in-person promotions.
- Unsolicited electronic communications: Including emails, SMSs, and telephone calls.
The processing of personal data for these purposes must comply with strict consent and notification requirements, ensuring data subjects retain control over their information.
- Consent is King
Organizations must obtain informed, voluntary, and specific consent before using personal data for direct marketing. The first interaction with a data subject should primarily focus on seeking this consent, and organizations are permitted only one such request if consent has not been previously withheld.
- Legitimate Interest Assessments
When relying on “legitimate interests” as a basis for processing data for non-electronic direct marketing, businesses must undertake a three-stage test:
- Purpose Test: Is the processing necessary and lawful?
- Necessity Test: Is there no less intrusive way to achieve the objective?
- Balancing Test: Does the organization’s interest override the individual’s rights and freedoms?
Businesses cannot lawfully process personal data under this justification without successfully meeting these criteria.
- Rights of the Data Subject
Data subjects have the right to:
- Object to direct marketing at any time.
- Withdraw previously given consent.
- Lodge complaints with the Information Regulator.
Importantly, once a data subject objects, organizations must cease processing their information for direct marketing purposes and maintain a database to ensure compliance.
- Enhanced Consumer Protections
The Guidance Note aligns with section 69 of POPIA, requiring that all unsolicited electronic communications:
- Clearly identify the sender.
- Provide an accessible way for recipients to opt out of future communications.
- Integration with the Consumer Protection Act, 2008
Data subjects may also preemptively block marketing communications by registering with the preemptive block registry under the Consumer Protection Act. POPIA reinforces this protection by emphasizing that organizations cannot bypass consent even if such blocks are absent.
Implications for Businesses
The Guidance Note offers a roadmap for compliant marketing practices, with a strong emphasis on transparency and accountability. Organizations should:
- Regularly conduct comprehensive audits of their direct marketing practices.
- Implement systems for obtaining and managing consent.
- Train staff to ensure compliance with the conditions for lawful processing.
Failure to adhere to these rules may lead to severe penalties and reputational harm, making it essential for businesses to align their practices with POPIA.
* * *
If you have questions about handling data privacy compliance matters, please contact Dan Cooper at dcooper@cov.com, Ben Haley at bhaley@cov.com, Deon Govender at dgovender@cov.com, Mosa Mkhize at mmkhize@cov.com, or Ahmed Mokdad at amokdad@cov.com. This article is intended to provide general information. It does not constitute legal advice.