POPIA Q&A: Third-Party Consent for Direct Marketing

How specific must third-party consent be?

Third-party consent in Europe requires that you mention the third party by name – you can’t just say ‘other companies’. The specifics will be determined once the legislation is being enforced.



Can you get people who give you the contact details of their friends, family, co-workers, strangers, etc?

It depends. According to the Consumer Protection Act, you may not incentivise people to share other people’s information with you by offering them a reward if you end up selling to them.

For POPIA, you need to ensure that their friends have given them permission to share their information. This is hard to prove. If you want to, do it like Uber, where a contact shares a unique code with their friends. Then, when a friend signs up, they use the code, and the referrer is rewarded. This way, you don’t run the risk of having information you’re not permitted to have, and the new contact actively opts in, ensuring compliance.


POPIA doesn’t mention granular consent, but in S18 it mentions that naming categories of third-party is also okay. Will mentioning third-party by name be the only way to satisfy the aspect of informed consent?

Section 18 refers to privacy notices, and yes, it stipulates sharing the category of third parties. However, according to the European Regulators, which is where South Africa is probably going, in the case of getting consent on behalf of someone else for the purpose of marketing, the third party must be mentioned by name.

Section 18 is more for general purposes. But for marketing, you’ll need to get their permission to share, in which case the consent must mention the company by name.


If you’re a holding company with multiple different brands selling the same / similar items (e.g.: perfume), can you market across the brand databases?

Are these brands separate legal entities, or is it one legal entity that has a license to sell various brands? If it’s the latter, you can cross-sell. If you’re separate entities, it depends on what you told the contact when they consented to your communications. Did you tell them that they’d receive marketing from all entities in the holding company?

Use the rule of thumb: Will this person be surprised to receive this marketing? If no, go ahead, but make sure that you have a clear unsubscribe process.


In instances where you need to share client information with a third party to enable them to fulfil on the installation of an order, do we need consent?

If it’s something that you must do to fulfil the contract that the customer has with you (e.g.: buying something on Takealot and getting a third party to deliver it), you don’t need permission because they asked you to do this.

There must, however, be a written contract between you and that third-party that includes provisions for POPIA, ensuring that the third party:

  • Doesn’t share the information with anyone
  • Uses it only for the purpose that you gave it to them
  • Keeps it secure and confidential
  • Lets you know if there’s any breach on the data

When people send us a referral, can we contact the potential client and ask if we can market our product to them, or should we email them first?

You just need to be able to prove that you asked them for consent – it doesn’t really matter which channel you get the consent on. They must, however, be able to unsubscribe via the channel that they’re receiving your communications on.


Our business model has contracts with specific companies, whereby we sell products to their employess. Are we allowed to acquire data from these companies for all their employees if they get consent from their employees on our behalf?

Yes, this is third-party consent and it’s perfectly fine if the consent mentions you by name.

You can find more information on the Popi act: Click here.