POPI – Iconaf

Your privacy and information rights are important to us

Our PAIA manual is available here:

POPIA Q&A: Getting Consent for Direct Marketing

Do I have to display permissions predominatly?

You can do this, but the consent for direct marketing must still be explicit – many companies do this with the use of a checkbox on the form.

What Kind of Marketing do I need consent for?

Electronic direct marketing (automatic calling machines, facsimile machines, SMSs, emails, push notifications, or in-app direct messages – like a ‘DM’ on Instagram) requires consent before you send marketing.

Telemarketing, on the other hand, depends on the context. Sometimes, under POPIA, you can do direct marketing telephonically without consent. To not require consent, the data subject’s personal information must have been collected for the original purpose of telemarketing to that data subject. Here, the legal justification for processing the data subject’s personal information under POPIA can be the legitimate interest of the responsible party.

Alternatively, you will not need consent, if telemarketing to the data subject was not the original purpose of collecting the data subject’s personal information. In this case, as long as telemarketing to the data subject is compatible with the original purpose that the data subject’s personal information was collected, you do not need consent.

Can I Use Competitions to get People to Subscribe?

Yes, but you can’t hide the consent to direct marketing in the competition terms. You must be upfront about it, saying something like: “Subscribe to our newsletter and stand a chance to win an iPad.” Otherwise, ensure you have an opt-in checkbox in the competition form so your participants can choose to receive direct marketing if they want.

Just adding the direct marketing consent into the terms and conditions is not permitted.

What happens if there is a merger?

You’ll need to understand the nature of the new company. For instance:

Will they still be functioning as separate brands? If so, you don’t need to consolidate – both databases can keep functioning in their individual silos.
What communication are you sending your contacts about the merger? You can merge lists if you’re open and clear about the merger, that the branding will be changing (if relevant), and that they continue to have the chance to unsubscribe.
Think about what you’re going to do when one person is subscribed to both databases, but with different data – what will the rules be in terms of overriding data and data quality?

Do I need Consent Per Product?

It depends how similar these products are. If we’re talking a broad category like food where you want to market apples to your oranges database, then no, you won’t need separate consent. But, if you’re talking about apples and insurance, it’s best to get consent per product.

It’s best to build a preference centre, where people can customise the content they receive from you.

How can we prove that the person whose consent we receive is the actual person consenting?

There are many ways of proving who consented to what. In terms of the electronic communications and transactions act and court cases about this, you have a right to assume that the person whose signature is at the bottom of an email is the person who sent the email.

But, if you want to be certain, you can use two-factor authentication, sending them a link in an email that they must click to confirm that this person is who they say they are.

If your main brand sells other related products (e.g.: a property search website that also sells home-loan-related products), how do we know if the additional product / service falls into a similar enough category to be marketed to under the same consent?

The rule of thumb when trying to decide if you need additional consent for a different product under the same brand is: will this person be surprised to receive this messaging?

Novation Consulting suggests that you can probably argue that buying a property and financing that property could go under the same consent, as most people need home loans to finance properties that they purchase.

What about communicating via different channels (email / Telegram / WhatsApp / phone) – do I need an opt-in for each channel?

It’s unclear exactly how this must happen, but what we do know is that you must be clear on which channels you’ll be using. It’s a good idea to give people the option to select the channels they prefer, so they’re not stuck with an all-or-nothing subscription. You’re less likely to lose subscribers if they can tailor their subscription to their preferences.

Can I use gated content as a consent form?

You can do this, but the consent for direct marketing must still be explicit – many companies do this with the use of a checkbox on the form.

POPIA Q&A: Other POPIA Rules

How will POPIA affect marketing to minors?

Severely. POPIA is very strict about marketing to anyone under the age of 18. Anyone younger than this requires parental consent first. This makes it particularly difficult for tertiary institutions to market to grade 11s. Lawyers are asking the Regulator for an exemption for tertiary education, so they can market to school-leaving students. After all, access to education is a human right.

If you do market to minors, you’re going to have to do more. There are ways to get parental consent; it’s not impossible. The best way to go about the age limit is to not ask their age, but to mark on the form that they need to be over the age of 18 to subscribe.

Am I bound to the same / similar channel from which I got the information?

At the very least, you must disclose the channels on which you’ll be communicating. Some professionals believe this means consent per channel. But some believe that disclosing which channels you’ll be using is sufficient.

Do the CPA and POPIA complement each other? How and where do they overlap or contradict?

POPIA applies to all forms of marketing when you use personal information, so both will often apply.

Where they aren’t perfectly aligned is in section 69, which relates to consent. This only applies to electronic communication, excluding telemarketing, unless the telemarketer is a robot or leaves voice messages. Telemarketing doesn’t need consent but must have the option to unsubscribe.

POPIA Q&A: Marketing to Certain People Without Extra Consent

When closing a lead, can we continue to market to them? These are prospects that have come to us, but have not made a purchase, or we couldn’t contact them at the time. We typically close the lead off our system after six weeks but continue to market to them after this.

It depends how they ended up on the list. If you told them you’d be marketing to them, if the products or services you’re marketing are along the same lines of what they consented to, and if you’ve continuously given them the opportunity to opt out, then you can continue marketing to them.

When a prospect becomes a lead (e.g.: they have responded to us), can we continue to market to them if we’ve made the T&Cs and privacy policy available to them?

This depends on if you told them you’d be marketing to them, if the products or services you’re marketing are along the same lines of what they consented to, and if you’ve continuously given them the opportunity to opt out.

We’ve been seeing our customer face-to-face – do we need consent to market to them? They know who we are, but we’ve never digitally marketed to them before, so we haven’t received official consent. Do we need to get consent now?

If you told them, in the face-to-face session, that you’d eventually use their details for direct marketing, got them to sign for this so there was a record (or you kept a recording of a digital meeting), and gave them the opportunity to opt out, then no. If you didn’t do this in your face-to-face sessions, then yes, you will need consent.

What about lead nurturing, like when a prospective client contacts you for more information about your products and services and, during the discussion phase, you send them more information about your products / services in the form of testimonials / case studies, etc. – can you send these types of messages?

If you’ve been upfront that you’ll be sending these types of messages and they agree, then that is considered consent. You can nurture leads in this way. Remember the rule of thumb: would this person be surprised to receive this information?

If you communicate to a membership base regarding an element of their membership, i.e. service-related communication, must these communications have an opt out?

No, if it’s a service message you don’t need an opt-out as you want to be able to contact them about their services. Just make sure you don’t mix your service messages with direct marketing.

Can we email market to people who have enquired on a contact from on our website?

If they know that this is what you’ll be using their information for, they explicitly opt in for it, and you continuously give them the opportunity to opt out.

On ecommerce websites, users can add products to their carts, but some don't complete the checkout process. Can we send abandoned-cart emails reminding them to check out?

would argue that this is a service message and not direct marketing, in which case consent would not be required. Until POPIA is in effect, one can’t be certain, but for now, this is her position.

POPIA Q&A: Third-Party Consent for Direct Marketing

How specific must third-party consent be?

Third-party consent in Europe requires that you mention the third party by name – you can’t just say ‘other companies’. The specifics will be determined once the legislation is being enforced.

Can you get people who give you the contact details of their friends, family, co-workers, strangers, etc?

It depends. According to the Consumer Protection Act, you may not incentivise people to share other people’s information with you by offering them a reward if you end up selling to them.

For POPIA, you need to ensure that their friends have given them permission to share their information. This is hard to prove. If you want to, do it like Uber, where a contact shares a unique code with their friends. Then, when a friend signs up, they use the code, and the referrer is rewarded. This way, you don’t run the risk of having information you’re not permitted to have, and the new contact actively opts in, ensuring compliance.

POPIA doesn't mention granular consent, but in S18 it mentions that naming categories of third-party is also okay. Will mentioning third-party by name be the only way to satisfy the aspect of informed consent?

Section 18 refers to privacy notices, and yes, it stipulates sharing the category of third parties. However, according to the European Regulators, which is where South Africa is probably going, in the case of getting consent on behalf of someone else for the purpose of marketing, the third party must be mentioned by name.

Section 18 is more for general purposes. But for marketing, you’ll need to get their permission to share, in which case the consent must mention the company by name.

If you're a holding company with multiple different brands selling the same / similar items (e.g.: perfume), can you market across the brand databases?

Are these brands separate legal entities, or is it one legal entity that has a license to sell various brands? If it’s the latter, you can cross-sell. If you’re separate entities, it depends on what you told the contact when they consented to your communications. Did you tell them that they’d receive marketing from all entities in the holding company?

Use the rule of thumb: Will this person be surprised to receive this marketing? If no, go ahead, but make sure that you have a clear unsubscribe process.

In instances where you need to share client information with a third party to enable them to fulfil on the installation of an order, do we need consent?

If it’s something that you must do to fulfil the contract that the customer has with you (e.g.: buying something on Takealot and getting a third party to deliver it), you don’t need permission because they asked you to do this.

There must, however, be a written contract between you and that third-party that includes provisions for POPIA, ensuring that the third party:

Doesn’t share the information with anyone
Uses it only for the purpose that you gave it to them
Keeps it secure and confidential
Lets you know if there’s any breach on the data

When people send us a referral, can we contact the potential client and ask if we can market our product to them, or should we email them first?

You just need to be able to prove that you asked them for consent – it doesn’t really matter which channel you get the consent on. They must, however, be able to unsubscribe via the channel that they’re receiving your communications on.

Our business model has contracts with specific companies, whereby we sell products to their employess. Are we allowed to acquire data from these companies for all their employees if they get consent from their employees on our behalf?

Yes, this is third-party consent and it’s perfectly fine if the consent mentions you by name.

POPIA Q&A: Dealing with Unsubscribes from Your Direct Marketing

We represent various brands. If a person unsubscribes from one mailer, does that mean we have to opt them out for all the brands?

This will depend on how your consent and unsubscribe is worded. A granular consent and unsubscribe process ensures that contacts are more likely to stay for the content they like, rather than opting out of everything if there’s only parts of the content that they don’t want.

Can you opt everybody in by default and allow them to opt out per brand / product/ channel?

It will depend on the context, but generally, if you don’t already have a relationship with the person, you’re going to have to get them opt in first.

If you do have a relationship with them, it’ll depend on what consent they gave you, if you gave them the opportunity to unsubscribe, and if you’re still giving them the opportunity to unsubscribe. This is where a preference centre comes in handy as it enables the contact to be specific about the types of communication they want to receive from you.

compliance.

What are the rules on opting out free of charge?

This comes from the Consumer Protection Act. You can’t charge for an opt-out from direct marketing and the process must be easy.

What about unsubscribe on email if they're using their data to reply or respond to the email. On SMS, we give people the option to SMS to a short code to opt out which is free of charge. but if they reply to the marketing SMS, standard rates apply.

Data cost hasn’t been spoken about at the CPA. People usually only get into trouble if there’s an additional charge and for the costs of an SMS. It’s not impossible, but it’s rare.

POPIA Q&A: Are There Loopholes to Data Privacy Laws?

Can i collect and store personal information on the basis that it's in the legitimate interest of the business?

This is technical and controversial. What we know from overseas Regulators is that they generally don’t accept legitimate-interest arguments for the buying and selling of personal information or for scraping public sources / the internet. We believe our Regulator will probably follow a similar approach.

If you use a system to randomly generate cell numbers, not collecting / buying it somewhere, will that still be deemed personal information, and would we need consent to market to those numbers?

The cell phone on its own doesn’t reveal a person’s identity, but there are ways to reverse-lookup the data using the number. So, even though you don’t have the person’s name, this does still count as personal information. POPIA, therefore, does apply in this case.

At any event, you’ll probably contact the person using this number, which is marketing. So, if you’re sending SMSs, you’ll need to ask for consent to contact them, and for telemarketing you’ll need to respect their request to opt out of your calls if they ask.

compliance.

Is there any way to continue to market via SMS and email to a prospect base of about 1.5 million consumers if we can prove that we’ve marketed to them many times before POPIA with the brand shown and a clear unsubscribe process?

You’re good to go if:

You got the leads in the context of them purchasing your goods or services.
You told them you’d use their information for direct marketing.
You’ve always given them the opportunity to reliably opt out.
It’s the same or similar goods or services that you’re marketing to them.

If you can’t meet all these, decide if you’re prepared to take a risk-based approach. If your opt-out process is water-tight, your list may not be 100% POPIA complaint, but your chances of people complaining is significantly lower. And you’ll have a base from which you can discuss with the Regulator if they do.

POPIA Q&A: Data Privacy Laws in Other Countries

What applies in the case where data is potentially leaving SA? For example, onboarding client lists into Facebook or Google?

There’s a lot in POPIA about trans-border information flow. The problem with privacy legislation is that it’s country by country, but information flows everywhere. Most of us are storing information overseas if we’re using the big tech providers. This is okay if they say in their T&Cs that they observe data protection levels like POPIA.

It’s usually not a problem using the cloud or tech providers from overseas where your data is being stored in other parts of the world. If you do so, make sure you:

Make sure your contract with the tech provider contains data-protection clauses.
Put the fact that the data is stored overseas in your privacy notice.

Our head office is based in SA, but we have customers and offices in multiple countries. Do we have to be POPIA and GDPR compliant?

If you’re doing data processing in South Africa, you will need to be POPIA complaint.

As for the GDPR and data privacy legislation in other countries, if you’re targeting individual customers who are physically in Europe and the other countries, you may have to comply with the GDPR or the legislation relevant to them in their country.

Just storing the information in another country doesn’t usually require you to comply to the data privacy laws, however the legislation does vary from country to country.

We encourage you to speak to a legal representative to assess this.

Do we need to treat international data subjects according to POPIA? E.g.: Do we really need opt-in consents (for direct marketing OR cookies) if the laws applicable in the data subject's country don’t require it?

POPIA will apply to you if there’s data processing happening in South Africa. It’s likely that a complex web of data privacy laws will apply to your data if you’re marketing to people in other countries and processing data here.

Usually, the way this is handled, is you apply a global set of laws and you have deviations per country.

POPIA Q&A: Harvesting Data from the Internet & Social Media

Can you harvest personal information from social media and the internet to use in marketing?

You should, wherever possible, get information directly from the person – unless that person made the information deliberately public. But, even if you get that information from a public place, like a person’s website, you still have to contact them to explain where you got their information.

You will also need a legal justification under section 11 of POPI to process the person’s information for direct marketing purposes. Depending on what channel you are doing the direct marketing by (e.g. electronic direct marketing versus telemarketing), consent or the legitimate interest of the responsible party will be the appropriate legal justification to use it.

If you go about harvesting data from the internet, you’ll need carefully worded consent that includes:

Where you got their details and the permission to have it.
Transparency around what you want to use the information for, requesting permission to do so.

Something that’s extremely problematic is when recruitment agents connect with someone on LinkedIn and harvest their contact data from their LinkedIn profiles without asking. This practice is illegal and will require consent as noted above.

Could we take followers from social platforms and target them through email or SMS?

Not without getting their permission first. Just because someone follows you on social media doesn’t mean they want direct marketing from you. People also complain a lot about people harvesting their data from social media, so if you do this, you’re more likely to be reported to the Regulator.

Do you need to get consent from a client list first if you plan on uploading the list to social media for ad targeting?

It depends on what you told them when they signed up. Did you tell them that you’d display ads to them on social media? If the list was compiled via a transaction, like when a client purchases a product from you, you can position this as an opt-out kind of consent. i.e.: “Let us know if you don’t want to receive ads from us on social media.”

How will POPIA affect social media advertising, pay per click, and pay per impression?

Unless you’re collecting identifiable personal information, it doesn’t affect any of these. POPIA doesn’t have any specific provision on cookies yet, so if you’re uncertain, look at the Regulator’s cookie notice as an example of what’s acceptable.

If you harvest information from the internet and use it to enrich a database you already have, is that allowed?

Updating or enriching your existing data is allowed and encouraged by POPIA, but there are some risks involved. If you’re just verifying the data you already have and not adding new data, this should be fine.

However, if you decide to do this, you must only override data that is incorrect. If someone subscribes using one email address, for instance, you may not enrich the data with another email address unless the email address that you have is incorrect. If someone subscribes with an active email address, it’s usually because that’s where they want the mail to go.

POPIA Q&A: Data Collection, Privacy & Storage

What about WhatsApp groups where people can see other people’s contact details, but they have opted in for that group?

This is a problem as it discloses everyone’s details – this is a data breach. You’ll need to create a WhatsApp group that doesn’t expose everyone’s data.

We usually create a WhatsApp group for our events, so we can share information and pictures from the events with clients who have attended. How does POPIA affect us?

WhatsApp is fine if you’re not displaying everyone’s phone numbers to the group – there are settings for this.

Photographs, however, are private information. The question you have to ask yourself when deciding if you can share these is: did the people in these photos have an expectation of privacy or is it expected that someone would be taking photos at the event?

Overseas Regulators are calling for a common-sense approach. So, if you’re at a public event and there are photographers, an attendee can probably assume that their picture will be taken. Our Regulator is yet to clear this up, but the European regulations may be a good indicator of what’s to come in South Africa.

For how long can we keep contact information?

You can and must keep information for as long as the purpose remains valid. So, start thinking about how long you may need this information.

In marketing, some people request that their information be deleted from your database. The problem with this is that if you delete the information, you run the risk of contacting them again if their information finds its way onto your list again. You will have to keep at least the email address or mobile number to ensure that you know who Not to contact.

If a client gives us their ID number to make a booking, can we keep this on file for the next time they book, or do we need to ask them for this again every time?

According to POPIA, you can keep information for as long as the reason for keeping it is valid. If there’s a transaction involved, you’ll need to keep the information for a while for tax reasons.

If you want to keep it for convenience, ask the client. Offer them the option for you to keep the information for their convenience next time they want to use your services, so they don’t have to fill in the information again. Then ensure you keep the information secure.

Can we ask customers for personal information like hobbies, family, etc. or are there regulations that prevent marketers from obtaining this information?

In general, there’s no regulation that prevents you from obtaining this info, particularly if you’re obtaining it from the person directly and the sharing of this info is voluntary. However, it must only be collected if it’s necessary and for a valuable purpose.

If you go this route, indicate to the client that this is voluntary, what the effect would be if they don’t give it to you, and that they can opt out at any time.

POPIA Q&A: Who's Responsible for POPIA & What will Happen if they don't Comply?

If the marketing department sends marketing to leads gathered by other departments and it turns out there wasn’t an opt in, who will get into trouble?

Your Information Officer, which is your CEO – the company could also get heavily fined. If you’re receiving new leads from another department, it’s your responsibility to determine where the leads came from, what they’ve given permission for, and whether they’ve been given the opportunity to opt out.

Can information officers be fined in their personal capacity?

It is possible if they completely ignore the Regulator and their POPIA duties. Usually, the organisation is fined. It’s also very rare to be imprisoned – this may only happen if someone outright ignores the Regulator, doesn’t respond to information to requests, or similar.

But all circumstances are different; it’s best to seek legal advice for clarity.

I’m getting someone else’s statements by accident (15 to 20 per week). I have tried everything to get them to correct their email address, but to no avail. Now I’m just dumping them. Who is responsible?

The company that is sending you these statements is responsible and they can get into huge trouble – that is a data breach.

As an agency, where does the responsibility lie? If the client has guaranteed the compliance of their database to which the agency markets, can the agency take them at their word?

POPIA distinguishes between the Responsible Party and an Operator or Data Processor. An agency, in this example is a Data Processor – they’re doing what the Responsible Party tells them to do.

In this context, the agency isn’t responsible for the compliance of the database. All the agency is required to do is to act on behalf of the responsible party and keep the information secure. This scenario is different if the agency is building the database for the client. Then, the agency will also be responsible for ensuring its compliance.

Make sure your contracts with your clients are clear on this to manage expectations.

If we are sending on behalf of a client, who is responsible for the protection of the data?

From a security perspective, you’re responsible. From a privacy standpoint, you may not be. It is up to the client to ensure that they have permission from that contact to receive communications.

POPIA Q&A: What is Direct Marketing?

Are messages related to our services considered direct marketing?

You don’t need consent to send information to existing customers relating to their services (i.e.: notifications about their accounts), if they’re related to the services you do for them.

There are some cases where companies are marketing to customers via their account statements. This won’t be permitted, as you need permission to market to people, but people can’t opt out of something like a credit card statement.

Is marketing through social media considered direct marketing?

There are two ways, essentially, of marketing via social media. The one way is by targeting people of certain demographics with certain interests – these are people you don’t know. The other way is by uploading the contact details of the specific people you want to show ads to on social media – these are people you do know.

POPIA applies to the second case, when you do know the people you’re marketing to. This is direct marketing as you’re targeting specific individuals who are known to you.

Is a product-recommendation email from a government also considered direct marketing?

The South African government is subject to data-privacy laws and must comply just like everyone else. Whether the laws in a foreign country apply to their government will depend on their legislation.

POPIA Q&A: What You can do before POPIA Becomes Enforceable

Since we have until July 2021 to comply, could one use a message via email or SMS to ask contacts for their consent or to opt in for future marketing?

Yes, you can. But you’ll need to ensure that the request follows all the POPIA guidelines of being voluntary, specific, and transparent about content and channels.

When building a client database, do we have to comply with POPIA requirements now, or will these clients be considered opted in by default when the Act becomes effective in 2021?

If you’ve followed all the POPIA requirements, you will not need to get additional consent when POPIA is enforceable in 2021.

Can I contact my previous employer’s clients until POPIA is in effect?

Preferably not as contacting clients from a previous employer is unethical. And in any case, the people on the list will need to opt in by the time POPIA is in effect anyway. It’s recommended that you start following POPIA practices now to ensure you’re compliant by the time the legislation is enforceable.

POPIA Q&A: Don't throw the database out with the bath water

1. What is Direct Marketing?

According to the POPIA, direct marketing is ‘electronic’ communication that is directed at a person and that promotes or offers to supply any goods or services, or requests donations from that person.

Examples of direct marketing include:

emails
SMS messages
direct messages sent via social media platforms
advertising sent to a custom audience via social media platforms (where you know exactly who you are targeting by name)

Once you have established that it is direct marketing you want to send out, your next step is to establish whether you need to get an opt-in consent from the person before you start marketing to them.

What about telemarketing? Section 69 (direct marketing by means of unsolicited electronic communications) does not apply, but the rest of POPIA still does. More about that in section 6 below.

2. When Do You Need Consent & What Must it Look Like?

If you are contacting a person for the first time, you will need to obtain consent for any unsolicited electronic marketing. In other words, where you want to contact a person for the first time with marketing communication that they didn’t ask for, you must obtain consent before sending your marketing.

The consent must:

be a voluntary, specific, and informed expression of will.

Voluntary means that the consent must be a genuine choice.
Specific and informed means that it must be clear what direct marketing the person is consenting to.
Expression of will means that the person must give consent through a clear, unambiguous affirmative act. The use of pre-ticked opt-in boxes, or double negatives are not allowed.

be an opt-in, which means that if the person does nothing (i.e. does not tick the box), that person will not receive marketing.
contain the identity and contact information of the marketer as well as a person designated to act on behalf of the marketer (usually the information officer or the deputy information officer).
contain the full name of the person who gives consent.
be signed in person or electronically.
Include:

the date and location where consent is given
the goods or services that will be marketed (in general terms or classes of goods)
the method of communication (e.g., email, SMS).

Some important good news: You don’t need to use the Regulator’s form 4 word for word. Just make sure that the form you use is clear, understandable, and substantially similar.

3. And When Don’t You Need Consent?

There will be many instances when you don’t need an opt-in consent for electronic direct marketing. In general, if the person you want to market to has an existing relationship with you, it won’t be necessary to get consent. For instance, if the person applied for your products or services already, they subscribed to your newsletter before, or they asked you for more information.

Direct marketing consent is not required from a person if

you collected the person’s personal information while they were enquiring about or purchasing your goods or services,
the person was told that their personal information would be used to send marketing communications,
you only send marketing communication for your own goods or services, and those goods or services are similar to the ones the person contacted you about or purchased,
the person is given an opportunity to unsubscribe at the time their information was collected (i.e. they were given an opportunity to opt out), and
the person can unsubscribe every time they receive marketing communications from you.

You need to comply with all of the above requirements. If any of the requirements are not met, an opt-in consent must be obtained before marketing communications can be sent.

To avoid having to get an opt-in consent, you need to comply with all the requirements we’ve listed, and you must be able to prove that you comply. This means that you need to know where you got the information in your database, the circumstances under which you got it, and what privacy notices or terms and conditions were in place at the time and that you have an ironclad unsubscribe process in place.

4. Where did you get my information?

On that note, where you got the lead from in the first place is very important.

Here is a typical list of where direct marketers get information from and what the implications are from a POPIA perspective:

You have already sold something to this client and you are marketing similar products provided by the same entity.

If you told the person that they would get direct marketing and always gave them the opportunity to unsubscribe, you can carry on marketing to them.

You have no idea where the lead came from.

If you can’t prove where the lead came from and the circumstances under which you got it, POPIA requires that you notify the person that you have their information and ask for consent to continue marketing to them.

You already sold something to this client, but now you are cross-selling a completely different product provided by the same entity.

You got the lead from another entity in the same group of companies.

You will need the person’s consent to market to them. You may even need their consent before the information is shared between entities in the group.

You got the lead from a credit bureau or another entity unrelated to you.

You will need the person’s consent to market to them. The entity sharing the information with you may even need their consent before the information is shared.

If the entity sharing the information is asking for consent for direct marketing on your behalf (a third party consent), you need to be mentioned by name for that consent to be valid.

You scraped the information from the internet or from a public record.

You will need the person’s consent to market to them. You may even need their consent just to have their information.

5. What About Telemarketing?

Yes, it is true that you don’t need consent to do direct marketing via the telephone (unless you are a robot or you leave a message). However, the reason why you obtained the information will still matter. You may still need consent, unless the telephone number:

was given to you by the person, so you could call them for purposes of direct marketing, or
you got the telephone number from a public record administrated by a public body (so, not the internet), or
you can prove that the person deliberately made their telephone number public.

If none of these three things apply, you will still need to obtain consent to use that telephone number for direct marketing, because it will be seen as further processing. For the lawyers, go read section 15. So, telemarketing is not that different to electronic marketing after all.

6. To Re-Consent your base, or not Re-Consent your database

Please do not throw the database out with the bath water. Some of you may know exactly where your data came from and have a database that already complies with POPIA. See paragraph 4 above.

For those of you who are not that privileged, you still need to think long and hard before you decimate your database with a re-consent campaign. We recommend that you take a risk-based approach. If your database is driving enough sales, maybe taking a risk is okay? We recommend this when:

Your ROI on marketing to this base is high
They gave you their personal information themselves for another reason (i.e. they know what you have their information)
You have marketed to them before, so they know to expect marketing from you
You are going to send them the same type of marketing as before, about products they expect to receive marketing about
You have always given them the opportunity to unsubscribe easily, and you listen to them when they do
You have sent them a message to say ‘POPIA is coming, here is our new privacy notice. We will miss you, but please let us know if you don’t want to hear from us again.’
No one has ever complained to you about having their personal information and using it for direct marketing

Teeeeechnically, there is an argument to be made that you don’t comply with section 69(3) and should have re-consented your base. What is the worst that can happen? Most people will just unsubscribe if you irritate them. Worse case scenario, someone complains to the Information Regulator and they tell you to stop and might fine you, but if the ROI justifies the risk? At least have the conversation.

POPIA Q&A: Keeping your database POPI Compliant

Data privacy is a worldwide concern for many businesses – especially with regulations like the GDPR and POPI (the Protection of Personal Information Act) coming into effect. And direct marketers (like those who contact people directly over email and SMS) will be the most affected. How can you keep your database POPI compliant? Read this.

Marketing Before POPI

Currently, it’s common for email marketing to be done on an opt-out basis. This means that you’re free to email anyone if you give that person a clear way to opt out of your communications. But this won’t be the case under POPI. Once the legislation is in effect, everyone on your database must have opted in to keep your database POPI compliant.

But what exactly does this mean?

What it means to Opt in

Once POPI’s in effect, every new contact will have to expressly opt in to each messaging thread by checking an opt-in box or filling out a form on your website or landing page. This means two major things:

If you send different communications for different audiences / purposes, the people in each database will have to have opted in for each one. For instance, just because someone’s opted in for Discovery Vitality emails doesn’t mean that Discovery Insure can send them emails too – Discovery will have to keep two separate databases for these two separate audiences.
Any bought databases (where the contacts haven’t given their consent to have their data sold) or prechecked / hidden subscriptions will be illegal.

But what about the contacts you’ve already got on your database?

According to Novation Consulting’s Elizabeth De Stadler, the transition to POPI, for most organisations, shouldn’t be a big adjustment. If you follow direct-marketing ethical practices, like sending good content, adding value, limiting the number of messages you deliver, and offering a solid way for contacts to unsubscribe, you should be okay.

This unsubscribe feature is particularly important; it’s what Elizabeth refers to as a soft-opt-in, where the contact has declined the clear and free opportunity to opt out.

Clear about Unsubscribes

For the unsubscribe process on your database to be POPI complaint, it must be clear, easy, free of any penalisation or cost, and in the same channel as the communication. For instance, if you send an email, the opt-out process must also be email or internet-based – it isn’t acceptable to ask them to send an SMS for this.

The same goes for SMSs: opt-outs must be SMS-based. This can get tricky, because opting out also can’t cost the contact anything to process. Luckily, Elizabeth explains that there are SMS short codes you can create that enable contacts to send opt-out messages completely free of charge.

It’s important that you manage unsubscribes regularly and effectively to keep your database POPI compliant – something that can get laborious as your database grows (unless you use Everlytic, of course – we manage unsubscribes automatically for you).

Collecting Data with POPI

Consent that keeps your database POPI compliant is clear, ethical, and transparent. To do this, Novation Consulting recommends ensuring your request for consent is:

Specific: You must collect every piece of information for a specific purpose (like a name and email address for a digital newsletter) – not just in case you need it.
Informative: You must give the individual enough information about what you’re using their information for before they decide whether to consent to it, including your company’s details and any third parties you’ll be sharing the information with.
Explicit: The contact must give consent through a clear, specific, and affirmative act (like filling in an online form).
Distinct: The consent must be distinct from any other action (i.e.: not hidden in a purchasing contract).
In opt-in format: Steer clear of any pre-ticked boxes or any kind of default consent.
Written in plain language: The kind of language we use to talk to people on the street every day – no legalese or complex jargon.
Flexible: Give people the ability to consent separately for different purposes and adapt their preferences when it comes to mail frequency and the type of content they receive.
Transparent: Give contacts access to the data you’ve collected on them.

Follow these guidelines and you’ll be set to grow and keep your database POPI compliant.

Raising the bar in marketing

POPI and the other international data privacy laws are considered a burden for many organisations, but they also offer an opportunity to raise the bar on digital marketing. And that’s great news for all of us. Can you imagine if all the marketing you received added value to your life instead of just noise? This is another reason why it’s so important to keep your database POPI complaint.

In other words: Level up on your digital marketing. Get creative, add value, strive for excellence, and build ethics and privacy compliance into everything you do. Not only will this attract, engage, and keep the right clients – it’ll establish your reputation as a trusted competitor in the field. And that’s something an illegally bought database can never do.

info@iconaf.com

16 York Street Kensington B

Randburg 2194

7 West Quay Road, V&A Waterfront,

Cape Town, 8001