Your privacy and information rights are important to us
Your privacy and information rights are important to us
You can do this, but the consent for direct marketing must still be explicit – many companies do this with the use of a checkbox on the form.
Electronic direct marketing (automatic calling machines, facsimile machines, SMSs, emails, push notifications, or in-app direct messages – like a ‘DM’ on Instagram) requires consent before you send marketing.
Telemarketing, on the other hand, depends on the context. Sometimes, under POPIA, you can do direct marketing telephonically without consent. To not require consent, the data subject’s personal information must have been collected for the original purpose of telemarketing to that data subject. Here, the legal justification for processing the data subject’s personal information under POPIA can be the legitimate interest of the responsible party.
Alternatively, you will not need consent, if telemarketing to the data subject was not the original purpose of collecting the data subject’s personal information. In this case, as long as telemarketing to the data subject is compatible with the original purpose that the data subject’s personal information was collected, you do not need consent.
Yes, but you can’t hide the consent to direct marketing in the competition terms. You must be upfront about it, saying something like: “Subscribe to our newsletter and stand a chance to win an iPad.” Otherwise, ensure you have an opt-in checkbox in the competition form so your participants can choose to receive direct marketing if they want.
Just adding the direct marketing consent into the terms and conditions is not permitted.
You’ll need to understand the nature of the new company. For instance:
It depends how similar these products are. If we’re talking a broad category like food where you want to market apples to your oranges database, then no, you won’t need separate consent. But, if you’re talking about apples and insurance, it’s best to get consent per product.
It’s best to build a preference centre, where people can customise the content they receive from you.
There are many ways of proving who consented to what. In terms of the electronic communications and transactions act and court cases about this, you have a right to assume that the person whose signature is at the bottom of an email is the person who sent the email.
But, if you want to be certain, you can use two-factor authentication, sending them a link in an email that they must click to confirm that this person is who they say they are.
The rule of thumb when trying to decide if you need additional consent for a different product under the same brand is: will this person be surprised to receive this messaging?
Novation Consulting suggests that you can probably argue that buying a property and financing that property could go under the same consent, as most people need home loans to finance properties that they purchase.
It’s unclear exactly how this must happen, but what we do know is that you must be clear on which channels you’ll be using. It’s a good idea to give people the option to select the channels they prefer, so they’re not stuck with an all-or-nothing subscription. You’re less likely to lose subscribers if they can tailor their subscription to their preferences.
You can do this, but the consent for direct marketing must still be explicit – many companies do this with the use of a checkbox on the form.
Severely. POPIA is very strict about marketing to anyone under the age of 18. Anyone younger than this requires parental consent first. This makes it particularly difficult for tertiary institutions to market to grade 11s. Lawyers are asking the Regulator for an exemption for tertiary education, so they can market to school-leaving students. After all, access to education is a human right.
If you do market to minors, you’re going to have to do more. There are ways to get parental consent; it’s not impossible. The best way to go about the age limit is to not ask their age, but to mark on the form that they need to be over the age of 18 to subscribe.
At the very least, you must disclose the channels on which you’ll be communicating. Some professionals believe this means consent per channel. But some believe that disclosing which channels you’ll be using is sufficient.
POPIA applies to all forms of marketing when you use personal information, so both will often apply.
Where they aren’t perfectly aligned is in section 69, which relates to consent. This only applies to electronic communication, excluding telemarketing, unless the telemarketer is a robot or leaves voice messages. Telemarketing doesn’t need consent but must have the option to unsubscribe.
It depends how they ended up on the list. If you told them you’d be marketing to them, if the products or services you’re marketing are along the same lines of what they consented to, and if you’ve continuously given them the opportunity to opt out, then you can continue marketing to them.
This depends on if you told them you’d be marketing to them, if the products or services you’re marketing are along the same lines of what they consented to, and if you’ve continuously given them the opportunity to opt out.
If you told them, in the face-to-face session, that you’d eventually use their details for direct marketing, got them to sign for this so there was a record (or you kept a recording of a digital meeting), and gave them the opportunity to opt out, then no. If you didn’t do this in your face-to-face sessions, then yes, you will need consent.
If you’ve been upfront that you’ll be sending these types of messages and they agree, then that is considered consent. You can nurture leads in this way. Remember the rule of thumb: would this person be surprised to receive this information?
No, if it’s a service message you don’t need an opt-out as you want to be able to contact them about their services. Just make sure you don’t mix your service messages with direct marketing.
If they know that this is what you’ll be using their information for, they explicitly opt in for it, and you continuously give them the opportunity to opt out.
would argue that this is a service message and not direct marketing, in which case consent would not be required. Until POPIA is in effect, one can’t be certain, but for now, this is her position.
Third-party consent in Europe requires that you mention the third party by name – you can’t just say ‘other companies’. The specifics will be determined once the legislation is being enforced.
It depends. According to the Consumer Protection Act, you may not incentivise people to share other people’s information with you by offering them a reward if you end up selling to them.
For POPIA, you need to ensure that their friends have given them permission to share their information. This is hard to prove. If you want to, do it like Uber, where a contact shares a unique code with their friends. Then, when a friend signs up, they use the code, and the referrer is rewarded. This way, you don’t run the risk of having information you’re not permitted to have, and the new contact actively opts in, ensuring compliance.
Section 18 refers to privacy notices, and yes, it stipulates sharing the category of third parties. However, according to the European Regulators, which is where South Africa is probably going, in the case of getting consent on behalf of someone else for the purpose of marketing, the third party must be mentioned by name.
Section 18 is more for general purposes. But for marketing, you’ll need to get their permission to share, in which case the consent must mention the company by name.
Are these brands separate legal entities, or is it one legal entity that has a license to sell various brands? If it’s the latter, you can cross-sell. If you’re separate entities, it depends on what you told the contact when they consented to your communications. Did you tell them that they’d receive marketing from all entities in the holding company?
Use the rule of thumb: Will this person be surprised to receive this marketing? If no, go ahead, but make sure that you have a clear unsubscribe process.
If it’s something that you must do to fulfil the contract that the customer has with you (e.g.: buying something on Takealot and getting a third party to deliver it), you don’t need permission because they asked you to do this.
There must, however, be a written contract between you and that third-party that includes provisions for POPIA, ensuring that the third party:
You just need to be able to prove that you asked them for consent – it doesn’t really matter which channel you get the consent on. They must, however, be able to unsubscribe via the channel that they’re receiving your communications on.
Yes, this is third-party consent and it’s perfectly fine if the consent mentions you by name.
This will depend on how your consent and unsubscribe is worded. A granular consent and unsubscribe process ensures that contacts are more likely to stay for the content they like, rather than opting out of everything if there’s only parts of the content that they don’t want.
It will depend on the context, but generally, if you don’t already have a relationship with the person, you’re going to have to get them opt in first.
If you do have a relationship with them, it’ll depend on what consent they gave you, if you gave them the opportunity to unsubscribe, and if you’re still giving them the opportunity to unsubscribe. This is where a preference centre comes in handy as it enables the contact to be specific about the types of communication they want to receive from you.
This comes from the Consumer Protection Act. You can’t charge for an opt-out from direct marketing and the process must be easy.
Data cost hasn’t been spoken about at the CPA. People usually only get into trouble if there’s an additional charge and for the costs of an SMS. It’s not impossible, but it’s rare.
This is technical and controversial. What we know from overseas Regulators is that they generally don’t accept legitimate-interest arguments for the buying and selling of personal information or for scraping public sources / the internet. We believe our Regulator will probably follow a similar approach.
The cell phone on its own doesn’t reveal a person’s identity, but there are ways to reverse-lookup the data using the number. So, even though you don’t have the person’s name, this does still count as personal information. POPIA, therefore, does apply in this case.
At any event, you’ll probably contact the person using this number, which is marketing. So, if you’re sending SMSs, you’ll need to ask for consent to contact them, and for telemarketing you’ll need to respect their request to opt out of your calls if they ask.
You’re good to go if:
If you can’t meet all these, decide if you’re prepared to take a risk-based approach. If your opt-out process is water-tight, your list may not be 100% POPIA complaint, but your chances of people complaining is significantly lower. And you’ll have a base from which you can discuss with the Regulator if they do.
There’s a lot in POPIA about trans-border information flow. The problem with privacy legislation is that it’s country by country, but information flows everywhere. Most of us are storing information overseas if we’re using the big tech providers. This is okay if they say in their T&Cs that they observe data protection levels like POPIA.
It’s usually not a problem using the cloud or tech providers from overseas where your data is being stored in other parts of the world. If you do so, make sure you:
If you’re doing data processing in South Africa, you will need to be POPIA complaint.
As for the GDPR and data privacy legislation in other countries, if you’re targeting individual customers who are physically in Europe and the other countries, you may have to comply with the GDPR or the legislation relevant to them in their country.
Just storing the information in another country doesn’t usually require you to comply to the data privacy laws, however the legislation does vary from country to country.
We encourage you to speak to a legal representative to assess this.
POPIA will apply to you if there’s data processing happening in South Africa. It’s likely that a complex web of data privacy laws will apply to your data if you’re marketing to people in other countries and processing data here.
Usually, the way this is handled, is you apply a global set of laws and you have deviations per country.
You should, wherever possible, get information directly from the person – unless that person made the information deliberately public. But, even if you get that information from a public place, like a person’s website, you still have to contact them to explain where you got their information.
You will also need a legal justification under section 11 of POPI to process the person’s information for direct marketing purposes. Depending on what channel you are doing the direct marketing by (e.g. electronic direct marketing versus telemarketing), consent or the legitimate interest of the responsible party will be the appropriate legal justification to use it.
If you go about harvesting data from the internet, you’ll need carefully worded consent that includes:
Something that’s extremely problematic is when recruitment agents connect with someone on LinkedIn and harvest their contact data from their LinkedIn profiles without asking. This practice is illegal and will require consent as noted above.
Not without getting their permission first. Just because someone follows you on social media doesn’t mean they want direct marketing from you. People also complain a lot about people harvesting their data from social media, so if you do this, you’re more likely to be reported to the Regulator.
It depends on what you told them when they signed up. Did you tell them that you’d display ads to them on social media? If the list was compiled via a transaction, like when a client purchases a product from you, you can position this as an opt-out kind of consent. i.e.: “Let us know if you don’t want to receive ads from us on social media.”
Unless you’re collecting identifiable personal information, it doesn’t affect any of these. POPIA doesn’t have any specific provision on cookies yet, so if you’re uncertain, look at the Regulator’s cookie notice as an example of what’s acceptable.
Updating or enriching your existing data is allowed and encouraged by POPIA, but there are some risks involved. If you’re just verifying the data you already have and not adding new data, this should be fine.
However, if you decide to do this, you must only override data that is incorrect. If someone subscribes using one email address, for instance, you may not enrich the data with another email address unless the email address that you have is incorrect. If someone subscribes with an active email address, it’s usually because that’s where they want the mail to go.
This is a problem as it discloses everyone’s details – this is a data breach. You’ll need to create a WhatsApp group that doesn’t expose everyone’s data.
WhatsApp is fine if you’re not displaying everyone’s phone numbers to the group – there are settings for this.
Photographs, however, are private information. The question you have to ask yourself when deciding if you can share these is: did the people in these photos have an expectation of privacy or is it expected that someone would be taking photos at the event?
Overseas Regulators are calling for a common-sense approach. So, if you’re at a public event and there are photographers, an attendee can probably assume that their picture will be taken. Our Regulator is yet to clear this up, but the European regulations may be a good indicator of what’s to come in South Africa.
You can and must keep information for as long as the purpose remains valid. So, start thinking about how long you may need this information.
In marketing, some people request that their information be deleted from your database. The problem with this is that if you delete the information, you run the risk of contacting them again if their information finds its way onto your list again. You will have to keep at least the email address or mobile number to ensure that you know who Not to contact.
According to POPIA, you can keep information for as long as the reason for keeping it is valid. If there’s a transaction involved, you’ll need to keep the information for a while for tax reasons.
If you want to keep it for convenience, ask the client. Offer them the option for you to keep the information for their convenience next time they want to use your services, so they don’t have to fill in the information again. Then ensure you keep the information secure.
In general, there’s no regulation that prevents you from obtaining this info, particularly if you’re obtaining it from the person directly and the sharing of this info is voluntary. However, it must only be collected if it’s necessary and for a valuable purpose.
If you go this route, indicate to the client that this is voluntary, what the effect would be if they don’t give it to you, and that they can opt out at any time.
Your Information Officer, which is your CEO – the company could also get heavily fined. If you’re receiving new leads from another department, it’s your responsibility to determine where the leads came from, what they’ve given permission for, and whether they’ve been given the opportunity to opt out.
It is possible if they completely ignore the Regulator and their POPIA duties. Usually, the organisation is fined. It’s also very rare to be imprisoned – this may only happen if someone outright ignores the Regulator, doesn’t respond to information to requests, or similar.
But all circumstances are different; it’s best to seek legal advice for clarity.
The company that is sending you these statements is responsible and they can get into huge trouble – that is a data breach.
POPIA distinguishes between the Responsible Party and an Operator or Data Processor. An agency, in this example is a Data Processor – they’re doing what the Responsible Party tells them to do.
In this context, the agency isn’t responsible for the compliance of the database. All the agency is required to do is to act on behalf of the responsible party and keep the information secure. This scenario is different if the agency is building the database for the client. Then, the agency will also be responsible for ensuring its compliance.
Make sure your contracts with your clients are clear on this to manage expectations.
From a security perspective, you’re responsible. From a privacy standpoint, you may not be. It is up to the client to ensure that they have permission from that contact to receive communications.
You don’t need consent to send information to existing customers relating to their services (i.e.: notifications about their accounts), if they’re related to the services you do for them.
There are some cases where companies are marketing to customers via their account statements. This won’t be permitted, as you need permission to market to people, but people can’t opt out of something like a credit card statement.
There are two ways, essentially, of marketing via social media. The one way is by targeting people of certain demographics with certain interests – these are people you don’t know. The other way is by uploading the contact details of the specific people you want to show ads to on social media – these are people you do know.
POPIA applies to the second case, when you do know the people you’re marketing to. This is direct marketing as you’re targeting specific individuals who are known to you.
The South African government is subject to data-privacy laws and must comply just like everyone else. Whether the laws in a foreign country apply to their government will depend on their legislation.
Yes, you can. But you’ll need to ensure that the request follows all the POPIA guidelines of being voluntary, specific, and transparent about content and channels.
If you’ve followed all the POPIA requirements, you will not need to get additional consent when POPIA is enforceable in 2021.
Preferably not as contacting clients from a previous employer is unethical. And in any case, the people on the list will need to opt in by the time POPIA is in effect anyway. It’s recommended that you start following POPIA practices now to ensure you’re compliant by the time the legislation is enforceable.
According to the POPIA, direct marketing is ‘electronic’ communication that is directed at a person and that promotes or offers to supply any goods or services, or requests donations from that person.
Examples of direct marketing include:
Once you have established that it is direct marketing you want to send out, your next step is to establish whether you need to get an opt-in consent from the person before you start marketing to them.
What about telemarketing? Section 69 (direct marketing by means of unsolicited electronic communications) does not apply, but the rest of POPIA still does. More about that in section 6 below.
If you are contacting a person for the first time, you will need to obtain consent for any unsolicited electronic marketing. In other words, where you want to contact a person for the first time with marketing communication that they didn’t ask for, you must obtain consent before sending your marketing.
The consent must:
Some important good news: You don’t need to use the Regulator’s form 4 word for word. Just make sure that the form you use is clear, understandable, and substantially similar.
There will be many instances when you don’t need an opt-in consent for electronic direct marketing. In general, if the person you want to market to has an existing relationship with you, it won’t be necessary to get consent. For instance, if the person applied for your products or services already, they subscribed to your newsletter before, or they asked you for more information.
Direct marketing consent is not required from a person if
You need to comply with all of the above requirements. If any of the requirements are not met, an opt-in consent must be obtained before marketing communications can be sent.
To avoid having to get an opt-in consent, you need to comply with all the requirements we’ve listed, and you must be able to prove that you comply. This means that you need to know where you got the information in your database, the circumstances under which you got it, and what privacy notices or terms and conditions were in place at the time and that you have an ironclad unsubscribe process in place.
On that note, where you got the lead from in the first place is very important.
Here is a typical list of where direct marketers get information from and what the implications are from a POPIA perspective:
You have already sold something to this client and you are marketing similar products provided by the same entity.
If you told the person that they would get direct marketing and always gave them the opportunity to unsubscribe, you can carry on marketing to them.
You have no idea where the lead came from.
If you can’t prove where the lead came from and the circumstances under which you got it, POPIA requires that you notify the person that you have their information and ask for consent to continue marketing to them.
You already sold something to this client, but now you are cross-selling a completely different product provided by the same entity.
You got the lead from another entity in the same group of companies.
You will need the person’s consent to market to them. You may even need their consent before the information is shared between entities in the group.
You got the lead from a credit bureau or another entity unrelated to you.
You will need the person’s consent to market to them. The entity sharing the information with you may even need their consent before the information is shared.
If the entity sharing the information is asking for consent for direct marketing on your behalf (a third party consent), you need to be mentioned by name for that consent to be valid.
You scraped the information from the internet or from a public record.
You will need the person’s consent to market to them. You may even need their consent just to have their information.
Yes, it is true that you don’t need consent to do direct marketing via the telephone (unless you are a robot or you leave a message). However, the reason why you obtained the information will still matter. You may still need consent, unless the telephone number:
If none of these three things apply, you will still need to obtain consent to use that telephone number for direct marketing, because it will be seen as further processing. For the lawyers, go read section 15. So, telemarketing is not that different to electronic marketing after all.
Please do not throw the database out with the bath water. Some of you may know exactly where your data came from and have a database that already complies with POPIA. See paragraph 4 above.
For those of you who are not that privileged, you still need to think long and hard before you decimate your database with a re-consent campaign. We recommend that you take a risk-based approach. If your database is driving enough sales, maybe taking a risk is okay? We recommend this when:
Teeeeechnically, there is an argument to be made that you don’t comply with section 69(3) and should have re-consented your base. What is the worst that can happen? Most people will just unsubscribe if you irritate them. Worse case scenario, someone complains to the Information Regulator and they tell you to stop and might fine you, but if the ROI justifies the risk? At least have the conversation.
Data privacy is a worldwide concern for many businesses – especially with regulations like the GDPR and POPI (the Protection of Personal Information Act) coming into effect. And direct marketers (like those who contact people directly over email and SMS) will be the most affected. How can you keep your database POPI compliant? Read this.
Currently, it’s common for email marketing to be done on an opt-out basis. This means that you’re free to email anyone if you give that person a clear way to opt out of your communications. But this won’t be the case under POPI. Once the legislation is in effect, everyone on your database must have opted in to keep your database POPI compliant.
But what exactly does this mean?
Once POPI’s in effect, every new contact will have to expressly opt in to each messaging thread by checking an opt-in box or filling out a form on your website or landing page. This means two major things:
But what about the contacts you’ve already got on your database?
According to Novation Consulting’s Elizabeth De Stadler, the transition to POPI, for most organisations, shouldn’t be a big adjustment. If you follow direct-marketing ethical practices, like sending good content, adding value, limiting the number of messages you deliver, and offering a solid way for contacts to unsubscribe, you should be okay.
This unsubscribe feature is particularly important; it’s what Elizabeth refers to as a soft-opt-in, where the contact has declined the clear and free opportunity to opt out.
For the unsubscribe process on your database to be POPI complaint, it must be clear, easy, free of any penalisation or cost, and in the same channel as the communication. For instance, if you send an email, the opt-out process must also be email or internet-based – it isn’t acceptable to ask them to send an SMS for this.
The same goes for SMSs: opt-outs must be SMS-based. This can get tricky, because opting out also can’t cost the contact anything to process. Luckily, Elizabeth explains that there are SMS short codes you can create that enable contacts to send opt-out messages completely free of charge.
It’s important that you manage unsubscribes regularly and effectively to keep your database POPI compliant – something that can get laborious as your database grows (unless you use Everlytic, of course – we manage unsubscribes automatically for you).
Consent that keeps your database POPI compliant is clear, ethical, and transparent. To do this, Novation Consulting recommends ensuring your request for consent is:
Follow these guidelines and you’ll be set to grow and keep your database POPI compliant.
POPI and the other international data privacy laws are considered a burden for many organisations, but they also offer an opportunity to raise the bar on digital marketing. And that’s great news for all of us. Can you imagine if all the marketing you received added value to your life instead of just noise? This is another reason why it’s so important to keep your database POPI complaint.
In other words: Level up on your digital marketing. Get creative, add value, strive for excellence, and build ethics and privacy compliance into everything you do. Not only will this attract, engage, and keep the right clients – it’ll establish your reputation as a trusted competitor in the field. And that’s something an illegally bought database can never do.
16 York Street Kensington B
7 West Quay Road, V&A Waterfront,
Cape Town, 8001
© 2021 IconAF.