POPIA Q&A: Harvesting Data from the Internet & Social Media

Can you harvest personal information from social media and the internet to use in marketing?

You should, wherever possible, get information directly from the person – unless that person made the information deliberately public. But, even if you get that information from a public place, like a person’s website, you still have to contact them to explain where you got their information.

You will also need a legal justification under section 11 of POPI to process the person’s information for direct marketing purposes. Depending on what channel you are doing the direct marketing by (e.g. electronic direct marketing versus telemarketing), consent or the legitimate interest of the responsible party will be the appropriate legal justification to use it.

If you go about harvesting data from the internet, you’ll need carefully worded consent that includes:

  • Where you got their details and the permission to have it.
  • Transparency around what you want to use the information for, requesting permission to do so.

Something that’s extremely problematic is when recruitment agents connect with someone on LinkedIn and harvest their contact data from their LinkedIn profiles without asking. This practice is illegal and will require consent as noted above.

Could we take followers from social platforms and target them through email or SMS?

Not without getting their permission first. Just because someone follows you on social media doesn’t mean they want direct marketing from you. People also complain a lot about people harvesting their data from social media, so if you do this, you’re more likely to be reported to the Regulator.

Do you need to get consent from a client list first if you plan on uploading the list to social media for ad targeting?

It depends on what you told them when they signed up. Did you tell them that you’d display ads to them on social media? If the list was compiled via a transaction, like when a client purchases a product from you, you can position this as an opt-out kind of consent. i.e.: “Let us know if you don’t want to receive ads from us on social media.”

How will POPIA affect social media advertising, pay per click, and pay per impression?

Unless you’re collecting identifiable personal information, it doesn’t affect any of these. POPIA doesn’t have any specific provision on cookies yet, so if you’re uncertain, look at the Regulator’s cookie notice as an example of what’s acceptable.

If you harvest information from the internet and use it to enrich a database you already have, is that allowed?

Updating or enriching your existing data is allowed and encouraged by POPIA, but there are some risks involved. If you’re just verifying the data you already have and not adding new data, this should be fine.

However, if you decide to do this, you must only override data that is incorrect. If someone subscribes using one email address, for instance, you may not enrich the data with another email address unless the email address that you have is incorrect. If someone subscribes with an active email address, it’s usually because that’s where they want the mail to go.

To find out more about the rules and regulation: Click here.