In depth

South African consumers are set to gain better control over their personal information, as relevant regulators ramp up efforts to curb invasive direct marketing. On 27 February 2024, the Information Regulator issued a public statement of its first enforcement notice against non-compliance with the direct marketing provisions of the Protection of Personal Information Act 4 of 2013 (POPIA). The Department of Trade, Industry and Competition also published the proposed amendments to the Consumer Protection Act Regulations, 2011 ("CPA Regulations"). The public consultation closed on 15 January 2025. These proposed amendments provide for the establishment of an opt-out registry, which will enable consumers to pre-emptively block unsolicited electronic communication from direct marketers. One of the most significant developments is the publication of the much-anticipated Guidance Note on Direct Marketing under POPIA ("Guidance Note") on 3 December 2024. Given these developments, staying informed and compliant is now more crucial than ever for businesses in navigating this evolving landscape of direct marketing regulation.

Electronic vs non-electronic

The Guidance Note clearly distinguishes between electronic and non-electronic direct marketing, each subject to different legal requirements. Electronic direct marketing includes communications via telephone, email, SMS, automated calling systems, fax, push notifications, social media messaging and cookies. Non-electronic methods, on the other hand, cover post, hand-delivered mail, letterbox drops, and in-person marketing. Notably, the Information Regulator (contrary to some telemarketing industry views) classifies telephone calls as electronic communication, meaning telemarketing is considered a form of electronic direct marketing due to the digital nature of modern phone systems.

Consent and legitimate interest

Section 69 of POPIA prohibits processing personal information for electronic direct marketing without consent in the prescribed form or an existing customer relationship. However, for non-electronic direct marketing, the responsible party can process personal information without consent by relying on the legitimate interests of the data subject, the responsible party, or a third party (whichever is applicable), in terms of section 11 of POPIA. With respect to this, the Guidance Note outlines what constitutes legitimate interest and provides for a three-stage assessment to be completed by a responsible party before the processing based on legitimate interest commences.

Right to object and record-keeping

A data subject can, free of charge and at any time, object to non-electronic direct marketing based on legitimate interest. Following such objection, the responsible party must stop processing and refrain from further contacting the data subject. For electronic direct marketing, a non-customer can only be approached once to obtain consent and can withhold or withdraw such consent at any time. Existing customers must be given a reasonable opportunity to object to electronic direct marketing when their information is collected and with each electronic direct marketing communication (if the data subject has not initially objected to such processing). The responsible party is also required to maintain records of consents obtained from data subjects for direct marketing purposes and further compile a database of those data subjects who have withheld consent or objected, ensuring they are not contacted again.

The opt-out registry

The Department of Trade, Industry and Competition has proposed amendments to the CPA Regulations. A key feature of the proposed amendments is the establishment of an opt-out registry, which will enable consumers to block unwanted electronic direct marketing communication. In relation to this, the Guidance Note clarifies that even if a person who is not a customer of a responsible party has not registered a pre-emptive block, consent is still required for electronic direct marketing in accordance with section 69 of POPIA.

Lead generation

The Guidance Note acknowledges that while lead generation is not defined in POPIA, it is a direct marketing practice that involves collecting personal information through methods like sign-up forms, pop-ups, landing pages, and social media posts. These methods enable the generation of lists of contact details that are shared among responsible parties in the context of direct marketing. The Guidance Note states that such practices must comply with the relevant provisions of POPIA.

Staying compliant

While the Guidance Note is not legally binding, it serves as an advisory document, providing responsible parties with guidance on the dos and don'ts when it comes to processing of personal information for direct marketing purposes, to ensure compliance with POPIA. This is important, as non-compliance with the direct marketing provisions of POPIA could result in fines of up to ZAR 10 million or imprisonment for up to ten years (or both) for responsible parties. Similarly, although the proposed amendments to the CPA Regulations are not yet in force, if enacted, failure to comply with its provision could lead to substantial fines of up to 10% of the direct marketer's annual turnover during the preceding financial year or ZAR 1 million (whichever is greater).

For businesses, staying compliant and up to date with these developments is crucial to avoid hefty fines and to build and maintain customer trust.