How to deal with stalkers taking photos of you

I spoke to Kieno Kammies on 567 CapeTalk radio this morning about a troubling trend. As you can hear from the segment, below, the concern is partly about people being photographed in suspicious ways in public. One example is a person following women around shooting video of them or taking photos without their knowledge. This isn’t so much about a person taking a photograph of a scene that happens to include women walking past but actually targeting those women.

Whether this is a privacy issue depends very much on the subject matter and the context. In this respect it comes down to legitimate expectations of privacy in the case of adults and appropriate consent when it comes to children (at least in terms of the Protection of Personal Information Act). The law that is likely to be more appropriate here is the Protection from Harassment Act which targets forms of harassment which the Act defines as follows:

“harassment” means directly or indirectly engaging in conduct that the respondent knows or ought to know-

(a) causes harm or inspires the reasonable belief that harm may be caused to the complainant or a related person by unreasonably-

(i) following, watching, pursuing or accosting of the complainant or a related person, or loitering outside of or near the building or place where the complainant or a related person resides, works, carries on business, studies or happens to be;

(ii) engaging in verbal, electronic or any other communication aimed at the complainant or a related person, by any means, whether or not conversation ensues; or

(iii) sending, delivering or causing the delivery of letters, telegrams, packages, facsimiles, electronic mail or other objects to the complainant or a related person or leaving them where they will be found by, given to, or brought to the attention of, the complainant or a related person; or

(b) amounts to sexual harassment of the complainant or a related person;

The harm the Act protects against may be “any mental, psychological, physical or economic harm”.

This Act is designed to be user friendly and the Regulations describe which forms to use for which steps and who to approach at each step. The Department of Justice and Constitutional Development has a comprehensive page with links to the Act, the Regulations and the various forms. The process was designed in such a way that you don’t need an attorney to assist you (although you can have one helping you) and you need not know the harasser’s identity either. The Act creates a mechanism whereby the police may be instructed to investigate and identify the suspected harasser.

This legislation can be used for various activities which fall into the “harassment” definition including stalkers like the ones described in the segment as well as cyber-bullying and more.

EU and US data protection regimes compared

Phil Lee at the Privacy and Information Law Blog has a great comparison of European and American data protection regimes which is worth reading. This is particularly relevant to South Africa as the Protection of Personal Information Act places some emphasis on transferring personal information to countries with compatible data protection systems.

POPI compliance and your plan to fail

The Protection of Personal Information Act has been in the pipeline for so long I keep expecting someone to develop a drinking game around “POPI” mentions in conferences (every time a speaker says “POPI”, everyone takes a drink). The Bill was passed by Parliament and the President has signed it into law as the Protection of Personal Information Act (No. 4 of 2013). The next step is POPI’s commencement date in a government gazette and the final countdown to its implementation and a compliance deadline. A copy of the Act is at the bottom of this post for your reading pleasure.

Unfortunately many companies may have left their preparation too late, especially the larger companies, and have not yet established a complete set of practices and processes to ensure their compliance with POPI’s many requirements. Although companies will likely have a year before many of POPI’s compliance requirements go into effect, a year is simply not enough time to prepare adequately. Compliance isn’t just a matter of writing a privacy policy and publishing that. In order to comply with POPI, organisations have to ensure that all their underlying processes are aligned with POPI’s requirements. In this sense a privacy policy is really more of a description of a series of data protection practices which have been implemented throughout the organisation. If there is a disconnect between your organisation’s practices and processes and what the privacy policy describes, the consents you are hoping to obtain through the privacy policy will amount to little more than lip service to the legislative framework it serves.

Something else to bear in mind is that a data gold rush before POPI comes into effect may amount to a waste of time, money and effort. Some of my colleagues have advised their clients that POPI will not have retrospective effect so anything done before POPI goes into effect will not be affected by POPI’s more stringent restrictions. They are likely correct about POPI not having retrospective application but POPI’s compliance requirements will almost certainly not be waived just because you collected personal information before POPI’s implementation date. If, for example, you don’t obtain adequate consent for your intended personal information uses before POPI is implemented, I doubt very much that this will be excused once POPI goes into effect and you could find your shiny data treasure trove is tainted, must be discarded and you will have to start again and do the work you should be doing now (if you haven’t done it already).

The bottom line, so to speak, is that if you haven’t prepared for POPI you may not have much time left. As the saying goes, your failure to plan for POPI is, effectively, your planned failure to comply.

That said, here are a couple of next steps on your road to compliance:

  1. Review your processes which touch on personal information collection and processing. The best data protection policies are useless if your underlying processes are not going to comply with POPI’s requirements. Your marketing teams, in particular, need to understand how POPI affects them and must assess their databases, marketing initiatives and other personal information-related activities. Don’t forget to include internal data processing in your review. You will have to apply similar principles to the personal information you process internally so your human resources people need to be involved too.
  2. Align your marketing initiatives with your organisation’s compliance requirements and your underlying processes. Marketing campaigns rely on personal information and they have to be supported by the day to day data processing workflows and, in turn, support essential policy frameworks. Don’t just leave this up to your marketing teams, you need people who understand POPI’s impact and can mediate between Marketing/Communications and Legal/Compliance imperatives.
  3. Take into account industry regulatory frameworks like the WASPA Code of Conduct. It is now backed by a law and could have a fundamental impact on any mobile initiatives you are running. Failure to comply with WASPA’s Code and its Advertising Rules can behead a mobile campaign that relies on mobile short codes, for example.
  4. Develop and implement clear and practical privacy or data protection policy frameworks. These policy frameworks must be supported by the practical realities of how your teams handle personal information every day. A policy framework in a process vacuum is pretty ineffective and a pretty short road to reputational harm and regulatory attention.

Preparing for POPI is not a quick and easy process and I’m not saying this because this is one of my focus areas, the more you delve into the law the more you realise what a mammoth undertaking it is. Call me if you could use some help. Alternatively, read the Direct Marketing Legalities Survival Guide I published earlier this week. I explain many of the compliance requirements in POPI and other legislation like the Electronic Communications and Transactions Act and Consumer Protection Act as well as WASPA and ISPA Hall of Shame considerations.

Looking to tobacco advertising restrictions for guidance on proposed alcohol advertising restrictions

The Social Development (Update: I incorrectly referred to Minister Dlamini as the Health Minister) Minister, Bathabile Dlamini, gave a briefing on the proposed Control of Marketing of Alcohol Beverages Bill, in September 2013 which began with the following introduction:

On Wednesday, 18 September 2013, Cabinet approved that the Control of Marketing of Alcohol Beverages Bill should be gazetted for public comment. The intention of the Bill is to reduce the exposure to the advertising and promotion of alcohol.

The harmful use of Alcohol has significant negative impacts on individuals, families, communities, the economy and the country as a whole.

The State has a responsibility to protect the health and well-being of all South Africans. Section 27 of the Constitution requires the state takes reasonable legislative and other measures to protect the health and wellbeing of everyone.

Research indicates that alcohol advertising influences behaviour negatively. It fosters positive beliefs about drinking and encourages young people to drink alcohol sooner and in great quantities. A study of 20 countries over 26 years found that alcohol advertising bans do decrease the consumption of alcohol.

A Lancet review of effectiveness of interventions to reduce alcohol-related harm lists comprehensive advertising ban on alcohol as one of the three most effective methods to reduce alcohol-related harm.

This proposed legislation has many in the liquor industry concerned for a variety of reasons which include the impact on the industry itself as well as on areas where the industry has an impact, a significant area being sports-related advertising. The Bill doesn’t seem to have been released for public comment yet so it isn’t possible to assess the Bill’s likely impact or regulatory framework but legislation governing tobacco products advertising may present a useful preview of what could lie ahead.

The Tobacco Industry May Be a Helpful Comparison

The Tobacco Products Control Act (as amended) established a fairly restrictive framework within which the tobacco industry has been forced to become fairly innovative in order to maintain public awareness of important issues regarding their products. To a large extent they are simply not permitted to market their products so the emphasis has shifted to themes that are largely independent of their products. It is a fascinating space because the challenge is complying with the legislation which leaves very little room for doubt while exploring themes which they may not have considered previously.

The key section of the Tobacco Products Control Act is section 3(1)(a) which states the following:

[Image: TPCA definitions.002]

This section includes two key terms which you have to understand to appreciate the section’s scope: “advertisement” and “promotion”. I prepared a couple slides to explain how these two core terms are defined:

Here is another way of presenting the parameters:

[Image: TPCA definitions.010]

Failure to comply with these prohibitions is a criminal offence and is accompanied by a fine of up to R1 million.

In the 2012 British American Tobacco South Africa (Pty) Ltd v Minister of Health case, the Supreme Court of Appeal was asked to permit British American Tobacco South Africa to engage in certain one to one communications:

The appellant, a tobacco manufacturer conducting business as part of the British American Tobacco Group, which has a business presence in 180 countries throughout the world, was concerned about the impact the amendment would have on its ability to communicate one-to-one with consenting adult consumers of tobacco products, if the impugned provision were interpreted as extending to one-to-one communications between itself on the one hand, and consenting adult consumers of its products, on the other.

The information the appellant wished to impart to consenting adult consumers of its tobacco products includes the following:

a. packaging changes, which communication will generally be aimed at ensuring that the consumer is aware that the changes to the package are authentic and that an illicit trade package is not being purchased;

b. brand migrations when a product line is discontinued (ie the brands that are most similar in taste and other characteristics to the discontinued product);

c. product developments, which may, for example, be driven by legislative requirements (eg reductions in tar or nicotine levels) or may be made in order to ensure that the product is protected against illicit trade;

d. the launch of new products and new types of products, such as snus;

e. that a particular tobacco product is less harmful than another tobacco product; and

f. other distinguishing features of a particular tobacco product.

The Court considered a number of constitutional challenges to the legislation’s broad prohibitions and upheld them, rejecting BATSA’s appeal from a lower court. This case is a fascinating read. It explores commercial free expression and policy considerations as grounds for legislation such as this. It also raises a number of factors which could distinguish tobacco advertising bans from alcohol product advertising bans in a hypothetical constitutional challenge to the Control of Marketing of Alcohol Beverages Bill down the line.

What this means is that tobacco companies simply can’t advertise or promote their products at all. There isn’t much room for interpretation or any loopholes to exploit. It also means that tobacco companies have to shift their emphasis to communications which don’t reference their products, product branding or anything along those lines. So what are these companies talking about if they can’t talk about their products? We’re seeing more emphasis on community development through sustainable tobacco farming practices and rural community upliftment in the process. Interestingly, there is also quite a bit of information about the risks of smoking and the products’ composition (these companies can reference tobacco products as long as they don’t mention branded products, brand elements or encourage tobacco use).

In many ways, the legislation appears to have achieved many of its goals. We see tobacco companies becoming more transparent about the risks smokers (and potential smokers) face and how smokers can stop. They highlight the industry’s positive impact on small communities that engage in related farming activities (certainly designed to improve perceptions about the industry but still beneficial to communities that rely on income from their farming activities) and they help smokers understand how the legislation works and what it prohibits.

An interesting theme that has emerged from discussions I’ve had with representatives from one of the tobacco companies is an adult’s right to make an informed choice to smoke and to be ok with that. This is more than a little controversial because it implicitly encourages an adult’s choice to smoke but it is a valid consideration. I am not a smoker and I am probably hypersensitive to smoking and do whatever I can to keep my children away from smokers to avoid the impact of second hand smoke but, as a former girlfriend once pointed out to me, many adults are aware of the risks and make a conscious choice to smoke and their right to choose should be respected. A sense of guilt seems to blanket many tobacco company employees and many smokers. The legislation forces smokers to huddle outside more than 20 metres from an entrance to a building. Modern smokers are implicitly ostracised and that may be an unstated goal of the legislation. In its affidavit supporting the Department of Health’s response to British American Tobacco South Africa’s appeal, the Minister pointed out that the legislation’s objectives are as follows:

  1. First, to stem and prevent the growing incidence of tobacco usage, particularly by youth;
  2. Second, to reduce the numbers of existing smokers;
  3. Third, to ensure that those who had stopped smoking, did not begin smoking again; and
  4. Fourth, to protect non-smokers from being exposed to second hand smoke.

Perhaps a sense of being ostracised is instrumental in achieving some of these objectives but I wonder at what point consenting smokers’ right to dignity overrides such an approach?

What Could This Mean for the Alcohol Industry?

The Tobacco Products Control Act emerged from a complex social and health policy framework and although the Control of Marketing of Alcohol Products Bill may not have quite the same overhead, we could see similar advertising restrictions imposed (this is pure speculation as we will likely only have clarity on the regulatory framework once the Bill approaches its final form). If these restrictions resemble those in the Tobacco Products Control Act, we could see virtually every means of advertising or promoting alcohol beverages being prohibited.

What does this leave the liquor industry with? For one thing it means no more sponsorships and branded events, let alone lifestyle advertisements implying how sophisticated, cool or attractive consumers will be if they purchase and consume these beverages. Will the liquor industry be able to point to how vineyards in the Cape help boost local communities as the tobacco companies have pointed to local tobacco farmers? Perhaps. What interests me is whether respect for consumers’ informed choice to consume alcohol could come to the fore and whether consumers could find themselves similarly ostracised, even implicitly, and whether the liquor industry will find a voice as an advocate for informed choices made by competent adults? Much of this will likely be shaped by the nature of the proposed regulations going forward.

Another interesting question is what role social media could play in helping the liquor industry remain relevant in a more intensely regulated environment on the social Web? I suspect that the social Web will be instrumental for the liquor industry going forward but it will have to shape its engagement with consumers very carefully bearing in mind the regulatory environment it is about to find itself in. This is one area where digital agencies developing campaigns and strategies for liquor companies are going to have to integrate very tightly with their legal teams to develop new compliant campaigns. Digital agencies simply won’t be able to function effectively if they are divorced from meaningful and informed legal and compliance input. The alternative may be missed opportunities to engage with consumers in potentially different ways which may not be apparent to digital marketers ignorant of legal and compliance nuances.

The only thing that is clear at the moment is that this is going to be a fascinating space to watch.

Consent for Direct Marketing Under POPI

The Protection of Personal Information Act has particular interest for direct marketers because of the likely substantial impact the legislation will have on consumer-facing initiatives when it goes into effect. POPI has a section that deals specifically with and introduces a consent model designed for direct marketing. It is an interesting model and I’ll explain why in a moment. In the meantime, it is worth reading the following posts if you haven’t already:

Protection of Personal Information Act’s section 69 is titled “Direct marketing by means of unsolicited electronic communications”. It begins with the following general prohibition on –

The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail …

unless the data subject [1] either consents[2] or, importantly, is the “responsible party’s[3]” customer.

If, on the other hand, the consumer (or data subject) is not the provider’s (responsible party) customer and if the consumer has not “previously withheld” consent, the provider has a once-off opportunity to send the consumer a request for the consumer’s consent to allow his or her personal information to be used for direct marketing purposes. In practice this is usually a message simply informing the consumer about the products or services the provider would like to market to the consumer and requesting consent. This once-off message should not be a marketing message because that would violate the general prohibition. It should be an information message and its specific format may be prescribed in regulations supporting the Protection of Personal Information Act in due course.

If the consumer consents then the provider will be entitled to use the consumer’s personal information for direct marketing purposes within the consent’s parameters. This may sound obvious but this can be a little tricky. The best way to obtain the quality consent the Protection of Personal Information Act contemplates (take another look at the consent definition[2]) is through a sufficiently detailed privacy policy document. This is a privacy policy’s role. It is the foundation of a compliant direct marketing campaign so do it properly!

If the consumer doesn’t give express consent through a privacy policy but is a provider’s customer[4] already, the consumer’s consent is essentially implied by virtue of the consumer being a customer who is already interested in learning more about the provider’s products or services. In this scenario, the provider can use the consumer’s personal information for marketing purposes where –

  1. the provider obtained the consumer’s personal information in the context of a sale of a product or service;
  2. “for the purpose of direct marketing of the [provider’s] own similar products or services”; and
  3. the consumer has been given “a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details” both at the time the consumer’s personal information was first collected and each time the provider communicates with the consumer for marketing purposes (and assuming the consumer didn’t refuse to consent the first time he or she was asked).

Then, lastly, each communication for the purpose of direct marketing must contain both the provider’s identity as well as contact details which the consumer can use to opt-out of further marketing communications.

This basic model isn’t totally new. It has existed for some time in other regulatory frameworks like the WASPA Code of Conduct (mobile service providers will be familiar with this mechanism). It does represent a broader shift in South African law because the Protection of Personal Information Act will establish minimum requirements for practically all direct marketing communications, particularly from a consent perspective.

If you are engaged in direct marketing, this is a pretty important aspect of the Protection of Personal Information Act for you. This isn’t the only legislation dealing with direct marketing, though, just arguably the most important from a privacy perspective. The Consumer Protection Act, for example, deals with other issues relating specifically to direct marketing such as cooling off periods for sales made through direct marketing (there is some overlap with the Electronic Communications and Transactions Act which also deals with cooling off periods and which Act applies will depend on what was sold and how).

In the meantime, it is worth taking some time to explore how your direct marketing activities may need to change to accommodate the Protection of Personal Information Act’s compliance requirements. You may not need to make substantial changes, only make sure you have an adequate privacy policy framework and the back-end systems to properly process opt-ins and opt-outs. Whatever your particular requirements may be, time is running out. The Protection of Personal Information Act has been passed by Parliament and is likely before the President waiting for his signature and then it will be implemented.


  1. “data subject” means the person to whom personal information relates.  ↩
  2. “consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.  ↩
  3. “responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.  ↩
  4. Express consent would be required where a consumer is approached for the first time by a provider’s representative and asked to consent to direct marketing. An example could be a consumer who completes a feedback form at a bookstore which includes a section requesting permission to send the consumer marketing information about book sales and specials. On the other hand, a consumer who has already bought books from the bookstore is, obviously, already a customer and the rules change somewhat.  ↩

The Path to the spam Dark Side is paved with lawyers’ wishful thinking

Planning for the Protection of Personal Information Act is not a small endeavour and taking shortcuts to preserve current business models may turn out to be disastrously short-sighted in the year or two ahead. My colleagues may be correct in their approach and their clients may be able to adopt a relatively liberal interpretation of the Protection of Personal Information Act and its implementation. I have a different take on how the Act will apply, especially given its broader role as substance for the Constitutional right to privacy. Going beyond the Act’s interpretation and application by the proposed Regulator and Courts, the risk of being too careless with consumers’ personal information could have even more dire consequences for brands than legal non-compliance. 

The path of the righteous man is beset on all sides by the inequities of the selfish and the tyranny of evil men. Blessed is he who, in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother’s keeper and the finder of lost children. And I will strike down upon thee with great vengeance and furious anger those who attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee.

This quote from the movie Pulp Fiction is a colourful reminder to direct marketers intent on taking liberties with consumers’ personal information. The self-proclaimed “personal network”, Path, has recently come under a considerable amount of scrutiny due to its apparent practice of spamming users’ contacts through its mobile apps. According to an article in The Verge, “Path is spamming address books with unwanted texts and robocalls — again”:

Path, the photo-centric social network that just hit 10 million users yesterday, has been getting some heat for what some users say are spammy tactics to recruit new users. Digital marketer Stephen Kenwright downloaded the app earlier this week, tried it out, uninstalled it, and went to bed. When he woke up, he found that Path had gone on a rogue mission early in the morning, texting and robocalling an unknown number of his contacts, including his grandparents.

By the time Kenwright got to work, it became clear that Path had gotten in touch with his entire phone book. Coworkers, friends, and family were asking him about the text or phone call they’d received from Path, which stated that Kenwright wanted to share photos with them.

Path’s Dave Morin defended Path’s privacy practices in an interview with AllThingsD. Mike Isaac’s article, Dave Morin Talks About the Hyper-Growth Pains of Path examines Morin’s claims, particularly his assertion that “Path does not spam users”. Morin insisted that –

Invites on Path are never sent without a user’s consent — any allegations to the contrary are false.

This may be technically correct but, as Isaac notes –

Here’s the big issue: During the invitation process, check-boxes are automatically marked to send messages to your friends, which means you have to uncheck them in order not to send out invites. Technically it’s an opt-in process to send out those invites, as the user must tap a button to send them out. But for the average user who is not paying close attention and just wants to get to the app, it’s easily something that could be missed — and, ultimately, could feel like Path has spammed your network of friends.

What this model ignores is that the personal information being used to reach out to your contacts through the app to promote Path is not the user’s, it belongs to the user’s contacts. As I pointed out in our previous post titled “Processing, personal information and direct marketing under POPI”, the definition of “personal information” is pretty broad:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Take this a step further and consider whose consent is required. The Protection of Personal Information Bill defines consent as follows:

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

Consider that the personal information Path uses to reach out to users’ contacts belongs to those contacts, and that those contacts are probably not current Path users who have consented to Path contacting them. The result is that Path has violated their privacy. When a Path user taps the button to send the messages out to his or her contacts, that isn’t consent from those contacts to Path; it is, at best, the Path user indicating to Path that the contacts probably won’t mind being contacted. Perhaps the messages are sent with the user’s consent, as Morin insists, but that is largely irrelevant.

Path services integration screenshot - iPad

What is interesting about this story is that it highlights a mindset local marketers seem to be latching on to. Path is relying on some pretty technical explanations for why its promotional practices are not “spammy” by pointing to consents given and choices made by users. To a large extent, this is a valid model when applied at scale and is in fairly widespread use. Users consent to privacy policies all the time without being particularly mindful of having done so. It is a flawed model but the alternative is just not practical. What is problematic is when marketers forget the broader context within which they operate. Simple, technical consent may be fine from a legal perspective (with the appropriate privacy policy framework in place). That isn’t particularly comforting to consumers who are alarmed when they discover precisely what they have consented to and lash out at the provider. This controversy over Path’s approach is the latest of a long line of case studies.

As the Protection of Personal Information Act approaches (theoretically), many of my colleagues are adopting technically correct, although short-sighted, approaches to privacy law compliance. The latest example I read recently is an article explaining the current legal requirements for consent in a marketing context. The thoughtful article reviews applicable legislation and points out that the current paradigm is still largely opt-out. Changes to the Electronic Communications and Transactions Act will alter that position when it comes to electronic communications. Until the Protection of Personal Information Act comes into effect, the general paradigm remains “opt-out” and this is what my colleagues are pointing out to marketers who are, rightfully, concerned that the Protection of Personal Information Act threatens their survival unless they take decisive action soon to adapt.

What my colleagues don’t point out is that it isn’t just about the legislation in place. They also have to consider the WASPA and ISPA Codes of Conduct if they use SMS or email for their campaigns. More importantly, my colleagues don’t seem to be pointing out the big downside for marketers who adopt a strictly self-serving approach to their campaigns and treat their consumers like commodities. Reputational harm could be devastating to marketers who don’t take their consumers’ interests into account. Marketers may be acting in compliance with current legal requirements when they send unsolicited marketing materials to consumers and then rely on opt-out mechanisms when consumers complain but how does that assist them when outraged consumers revolt and take their frustrations online?

Another difficulty with the “make hay while the sun shines” approach to direct marketing is that it doesn’t take into account the possible retrospective effect of the Protection of Personal Information Act when it goes into effect. I had a few thoughts about this last week:

Planning for the Protection of Personal Information Act is not a small endeavour and taking shortcuts to preserve current business models may turn out to be disastrously short-sighted in the year or two ahead. My colleagues may be correct in their approach and their clients may be able to adopt a relatively liberal interpretation of the Protection of Personal Information Act and its implementation. I have a different take on how the Act will apply, especially given its broader role as substance for the Constitutional right to privacy. Going beyond the Act’s interpretation and application by the proposed Regulator and Courts, the risk of being too careless with consumers’ personal information could have even more dire consequences for brands than legal non-compliance.

Consumer activism is swift and brutal and doesn’t pay much heed to legal technicalities.

Introducing POPI’s processing conditions

There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to introduce you to what are known as “Conditions for lawful processing of personal information”. These conditions effectively operate as processing parameters and will have a relatively subtle but substantial impact on direct marketing because they limit the scope of what personal information can be processed and for how long.

I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers”. As I pointed out in that post, the consent issue, while critical, just scratches the surface. I took this further in a subsequent post titled “Processing, personal information and direct marketing under POPI” where I explored two further fundamental terms, namely “personal information” and “processing” which have interesting implications for marketers in particular. The recording below is an overview of that post and the implications of those two terms.

An Overview of the Processing Conditions

The Protection of Personal Information Act will have 8 processing conditions:

  1. Accountability
  2. Processing limitation
  3. Purpose specification
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security Safeguards
  8. Data subject participation

In this post I’ll introduce you to the first two processing conditions, namely Accountability and Processing limitation.

Accountability

This condition essentially requires that the “responsible party” ensure that the various processing conditions are met and –

are complied with at the time of the determination of the purpose and means of the processing and during the processing itself

In other words, the responsible party is required to ensure the conditions are met at all times. So who or what is the responsible party? The “responsible party” means –

a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information

A “responsible party” is not to be confused with an “operator”, though. They are different parties in the context of this legislation.

Processing Limitation

This condition is divided into 4 distinct requirements:

  1. Lawfulness of processing
  2. Minimality
  3. Consent, justification and objection
  4. Collection directly from the data subject

Lawfulness of Processing

This requirement is fairly self-explanatory and entails ensuring that personal information is not just processed “lawfully” but also reasonably in a way that doesn’t infringe the data subject’s “privacy”. This second part is both a little circular, because the Protection of Personal Information Act goes a long way to unpacking privacy as a legal concept, and also establishes a broad reasonableness requirement for personal information processing.

Minimality

This requirement is linked to the Purpose specification condition and states that, in addition to processing personal information for its specific purpose, it may only be processed if that is “adequate, relevant and not excessive”. It is an overarching limitation on top of the Purpose specification condition and serves as an additional layer of protection for data subjects against overreaching, even within the confines of the Purpose specification condition.

Consent, justification and objection

As this section’s name suggests, this is all about consent or, where there isn’t adequate consent, when processing personal information is justified and what the data subject can object to.

The starting point is that consent from a data subject is always the best option from the perspective that it incorporates informed and specific permission to process the personal information. Where the data subject is a child, you will need the child’s “competent person” to consent to processing the child’s personal information (there are a couple of additional restrictions later in the Bill regarding children’s personal information). Who is a “competent person”? According to the Bill, “competent person” means –

any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;

Consent isn’t the sole requirement to allow a party to process personal information. Other justifications include –

  • processing necessary to conclude or perform in terms of a contract the data subject is a party to;
  • where the processing is compliant with a legal obligation imposed on the responsible party (the party collecting the personal information);
  • where processing the personal information would protect the data subject’s legitimate interest (this is pretty vague and bound to be the subject of much debate);
  • where “processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied” (this is potentially even broader than the previous justification and isn’t constrained by the data subject’s interests).

Where a responsible party contends it/he/she received consent to process a data subject’s personal information, that responsible party will have to prove that. This means that documenting that consent is essential and preserving that documentation correctly is similarly essential. The requirements for data retention and preservation as evidence are spelt out in the Electronic Communications and Transactions Act and are worth reading very carefully when designing your data retention systems. Not being able to present admissible evidence of consents obtained could leave you in breach of the Act and subject to its penalties.

Consent isn’t irrevocable under the Protection of Personal Information Bill. A data subject can withdraw consent at any time but doing that doesn’t invalidate processing prior to withdrawing consent. Going further, a data subject can also object to his or her personal information being processed under the various justifications on “reasonable grounds”, although not where legislation requires that personal information processing. An example here is a law requiring a mobile network provider to collect consumers’ personal information under the Regulation of Interception of Communications and Provision of Communication-related Information Act. A consumer can’t object to personal information being collected in that context because the statute requires it.

Section 69 of the Protection of Personal Information Bill deals with direct marketing using electronic communications and includes provisions enabling consumers to object or withdraw consent to direct marketing. We’ll go into that section in more detail in a subsequent post.

Interestingly, this section of the Bill also provides that where a data subject has objected to personal information processing, the responsible party “may no longer process the personal information”. This section doesn’t seem to require that the objection be confirmed as valid, just that an objection halts the processing activity. The responsible party would presumably then have to establish that the objection wasn’t reasonable, or that the processing was required by law, in order to continue.

Collection directly from the data subject

This processing limitation, as its name suggests, requires that responsible parties collect personal information directly from the data subject. There are some exceptions to this requirement where, for example, the information is “contained in or derived from a public record or has deliberately been made public by the data subject”; where the data subject is a child and a competent person has consented to the child’s personal information being collected from “another source”; as well as where collecting the personal information from another source “would not prejudice a legitimate interest of the data subject”.

There are also a number of exceptions to this requirement based on necessity. These include law-enforcement requirements, steps taken to ensure compliance with legal obligations or to enforce legislation, for the conduct of legal proceedings, the interest of national security or to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied. Even further exceptions include situations where compliance would “prejudice a lawful purpose of the collection” or where compliance is “not reasonably practicable in the circumstances of the particular case”.

This limitation applies more to scenarios that do not include some sort of law enforcement requirement or where either the data subject’s or responsible party’s “legitimate interests” are involved. The “legitimate interests” concept is pretty broad and is not defined in the Bill. Where this limitation does have a real impact is on marketers who have, historically, been in the habit of aggregating marketing databases using multiple sources, many of which have been traded, enriched and expanded without much reference to the individuals concerned.

It is also worth bearing in mind that collection is distinct from other processing conditions such as the requirement for consent and purpose specification (which we will deal with in a subsequent post). In other words, simply being able to collect the personal information does not automatically grant the responsible party the right to make use of the personal information for any particular purpose. A number of other processing conditions deal with what can be done with that personal information once it is collected.

Processing, personal information and direct marketing under POPI

Consent, while critical, just scratches the surface of the Protection of Personal Information Bill. There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to give you an overview of two further important terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”.

I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers“. As I pointed out in that post, the consent issue (the video above summarises consent as a key concept and why it is so important in direct marketing), while critical, just scratches the surface. There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to give you an overview of two further important terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”.

Personal Information and Processing

Before you can understand the conditions, you need to understand two further terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”. The “personal information” definition is pretty broad. It includes all the usual categories of personal information and a great deal more:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

I highlighted some of the interesting aspects of “personal information” because these categories of personal information are not always recognised as such. For example, “any identifying number, symbol” or “online identifier” could include a Twitter handle or pseudonym (assuming it could be associated with an identity). “Personal opinions, views or preferences” covers a wide range of questions marketers often ask people in surveys and competitions. Add to this other people’s “views or opinions” about your data subject and you’re now dealing with personal information about person A which you obtain from person B and which is also person B’s personal information so you potentially need to obtain consent from both people.

The next important term is “processing”. This is the term used for a variety of activities pertaining to how personal information is handled. It is also fairly broad:

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

This definition basically categorises virtually any action relating to personal information as “processing” and subject to consent by the data subject. As the definition’s lead-in indicates, this covers both single actions and groups of actions or, as the definition puts it: “any operation or activity or any set of operations”. Like I said, it is broad, very broad.

Both of these terms form part of the foundation of an adequate privacy model that direct marketing businesses should have in place already or, at the very least, should be actively developing. We will explore more POPI themes in an upcoming series of posts about the processing conditions in this anticipated legislation in more detail. The processing conditions establish a series of parameters that will shape direct marketing campaigns and other activities that make use of personal information for quite some time to come.