Tech Law: How POPI will change your direct marketing activities
by Paul Jacobson (@pauljacobson) The Protection of Personal Information Act has particular interest for direct marketers because of the likely substantial impact the legislation will have on consumer-facing initiatives when it goes into effect. POPI has a section that deals specifically with and introduces a consent model designed for direct marketing.
It is an interesting model and I’ll explain why in a moment. In the meantime, it is worth reading the following posts if you haven’t already:
- Tension in the direct marketing industry over opt-in requirements;
- POPI compliance is a steep, uphill climb for direct marketers;
- Processing, personal information and direct marketing under POPI; and
- Introducing POPI’s processing conditions.
Protection of Personal Information Act’s section 69 is titled “Direct marketing by means of unsolicited electronic communications”. It begins with the following general prohibition on
[t]he processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail …
If, on the other hand, the consumer (or data subject) is not the provider’s (responsible party) customer and if the consumer has not “previously withheld” consent, the provider has a once-off opportunity to send the consumer a request for the consumer’s consent to allow his or her personal information to be used for direct marketing purposes.
Shoulds and shouldn’ts
In practice, this is usually a message simply informing the consumer about the products or services the provider would like to market to the consumer and requesting consent. This once-off message shouldn’t be a marketing message because that would violate the general prohibition; it should be an information message, and its specific format may be prescribed in regulations supporting the Protection of Personal Information Act in due course.
If the consumer consents, then the provider will be entitled to use the consumer’s personal information for direct marketing purposes within the consent’s parameters. This may sound obvious but this can be a little tricky.
Can use for marketing purposes
In this scenario, the provider can use the consumer’s personal information for marketing purposes where
- the provider obtained the consumer’s personal information in the context of a sale of a product or service;
- “for the purpose of direct marketing of the [provider’s] own similar products or services”; and
- the consumer has been given “a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details” both at the time the consumer’s personal information was first collected and each time the provider communicates with the consumer for marketing purposes (and assuming the consumer didn’t refuse to consent the first time he or she was asked).
Then, lastly, the each communication for the purpose of direct marketing must contain both the provider’s identity, as well as contact details which the consumer can use to opt-out of further marketing communications.
This basic model isn’t totally new. It has existed for some time in other regulatory frameworks such as the WASPA Code of Conduct (mobile service providers will be familiar with this mechanism). It does represent a broader shift in South African law because the Protection of Personal Information Act will establish minimum requirements for practically all direct marketing communications, particularly from a consent perspective.
If you are engaged in direct marketing, this is a pretty important aspect of the Protection of Personal Information Act for you.
Not the only legislation
This isn’t the only legislation dealing with direct marketing, though, just arguably the most important from a privacy perspective.
The Consumer Protection Act, for example, deals with other issues relating specifically to direct marketing such as cooling off periods for sales made through direct marketing (there is some overlap with the Electronic Communications and Transactions Act, which also deals with cooling off periods and which Act applies will depend on what was sold and how).
Time is running out
Whatever your particular requirements may be, time is running out. The Protection of Personal Information Act has been passed by Parliament and is likely before the President waiting for his signature and then it will be implemented.
- ‘‘data subject’’ means the person to whom personal information relates. ↩
- “consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. ↩
- ‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. ↩
Express consent would be required where a consumer is approached for the first time by a provider’s representative and asked to consent to direct marketing. On the one hand, an example could be a consumer who completes a feedback form at a bookstore which includes a section requesting permission to send the consumer marketing information about book sales and specials. On the other hand, a consumer who has already bought books from the bookstore is, obviously, already a customer and the rules change somewhat.