
Entries in direct marketing (3)

Friday, Dec 02, 2011

Time is running out to publish your PAIA Manual

Time is running out for private bodies to prepare and publish their Promotion of Access to Information Act manuals. The exemption the Minister of Justice and Constitutional Development granted in August 2005 will expire in just a few weeks, on 31 December 2011. From 1 January 2012, the heads of those private bodies which haven't prepared and published their Promotion of Access to Information Act manuals may be subject to a fine and imprisonment.

What is the Promotion of Access to Information Act?

The Bill of Rights includes the right of access to information, largely as a response to the previously secretive and oppressive National Party regime (a little ironic considering the controversial Protection of State Information Bill). Section 32 of the Bill of Rights provides as follows:

32 Access to information

(1) Everyone has the right of access to-

(a) any information held by the state; and
(b) any information that is held by another person and that is required for the exercise or protection of any rights.

(2) National legislation must be enacted to give effect to this right, and may provide for reasonable measures to alleviate the administrative and financial burden on the state.

The Promotion of Access to Information Act was passed in 2000 to give effect to this right. It went into effect on 9 March 2001 and the Act's stated purpose is as follows:

To give effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights; and to provide for matters connected therewith.

One of the Promotion of Access to Information Act's central requirements was that public and private bodies publish manuals disclosing the types of records in their possession and how so-called "requesters" may access those records. Before going further, it's worth expanding on a couple of defined terms in the Act.

Defined terms

The Promotion of Access to Information Act refers to the "head" of a private body as the person responsible for Promotion of Access to Information Act compliance. The Act defines the "head" as follows:

'head' of, or in relation to, a private body means-

(a) in the case of a natural person, that natural person or any person duly authorised by that natural person;
(b) in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership;
(c) in the case of a juristic person-
(i) the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or
(ii) the person who is acting as such or any person duly authorised by such acting person;

Given the Act's objectives, personal information held by public and private bodies becomes pretty important as this may be the sort of information a requester may require in order to "exercise or [protect] any rights". "Personal information" is defined as follows:

'personal information' means information about an identifiable individual, including, but not limited to-

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the individual;
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
(c) any identifying number, symbol or other particular assigned to the individual;
(d) the address, fingerprints or blood type of the individual;
(e) the personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual;
(f) correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the individual;
(h) the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual, but excluding the name of the other individual where it appears with the views or opinions of the other individual; and
(i) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual,
but excludes information about an individual who has been dead for more than 20 years;

The personal information definition is pretty broad and one industry to which it potentially becomes very relevant is the direct marketing industry, which collects a lot of this personal information about people on its databases. Consumer facing businesses will also collect personal information about their customers over time and this Act is directly applicable to those businesses, particularly in light of the Consumer Protection Act.

The Promotion of Access to Information Act refers to public and private bodies. I am focusing on "private bodies" for the purposes of this post and the Act defines "private bodies" as follows:

'private body' means-

(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
(b) a partnership which carries or has carried on any trade, business or profession; or
(c) any former or existing juristic person,
but excludes a public body;

The "private bodies" definition covers virtually all aspects of commercial enterprise ranging from sole proprietors to partnerships to companies.

When it comes to "requesters" in the context of private bodies, the Act defines a "requester" as follows:

'requester' , in relation to-

(a) a public body, means-

(b) a private body, means-

(i) any person, including, but not limited to, a public body or an official thereof, making a request for access to a record of that private body; or
(ii) a person acting on behalf of the person contemplated in subparagraph (i);

A "person", in turn, is defined as either a natural person (legalese for human beings) or a juristic person like a close corporation or company.

Manuals and records disclosures

The Promotion of Access to Information Act requires private bodies to prepare and publish manuals which explain to the public what records they hold and how to access those records. The process of requesting and obtaining records is fairly clearly regulated and fees associated with requests are specified in the legislation. A substantial portion of the Act is dedicated to the manuals which public and private bodies must compile and when these must be published. The central section relating to private bodies' manuals is section 51 which provides as follows:

51 Manual

(1) Within six months after the commencement of this section or the coming into existence of the private body concerned, the head of a private body must compile a manual containing-

(a) the postal and street address, phone and fax number and, if available, electronic mail address of the head of the body;
(b) a description of the guide referred to in section 10, if available, and how to obtain access to it;
(c) the latest notice in terms of section 52 (2), if any, regarding the categories of record of the body which are available without a person having to request access in terms of this Act;
(d) a description of the records of the body which are available in accordance with any other legislation;
(e) sufficient detail to facilitate a request for access to a record of the body, a description of the subjects on which the body holds records and the categories of records held on each subject; and
(f) such other information as may be prescribed.

(2) The head of a private body must on a regular basis update the manual referred to in subsection (1).

(3) Each manual must be made available as prescribed.

Compiling a manual isn't a simple matter as it has to accommodate all "records" a private body has and which are subject to disclosure (not all records must be disclosed). The Act initially required these manuals to be prepared by early September 2001 but the Minister of Justice and Constitutional Development granted smaller private bodies a broad exemption from complying with the Act's requirement to publish a manual based on their turnover and industry. This exemption expires on 31 December 2011 and, while an amendment to the Promotion of Access to Information Act limiting its application to private bodies above a certain size was proposed, it does not appear to have been passed, so all private bodies will have to comply from 1 January 2012.

The South African Human Rights Commission was mandated to publish a guide to the Promotion of Access to Information Act as well as to assist with compliance with the Act or to assist persons wishing to invoke the Act's provisions. The Commission's Promotion of Access to Information Act help page contains a handy summary of section 51's requirements and what a manual should contain:

In terms of section 51 of PAIA, the head of a private body must:

  • compile a section 51 manual which is a roadmap of the company
  • submit the manual to the South African Human Rights Commission once 
  • effect material changes if any each time these occur and resubmit to the SAHRC
  • electronic submissions to the Commission are accepted, sent to dmalesa@sahrc.org.za thereafter followed by hard copy originals;
  • manuals must be submitted to SAHRC head office at the address listed below
  • update any material changes on the manual on a regular basis;
  • make the manual available as prescribed by the Act at the company offices and on their website;
  • must annex a request form to the manual and also make request form available on the website and at the company premises access points;
  • there are penalties for non compliance – please see section 90 of PAIA, the Commission has not imposed fines for non compliance to date but reserves the right to do.

The manual must among others contain the following information:

  • details of the company's postal, email and street address, fax and phone of the company,
  • the description of available records generated by the company stating those which are automatically available and those that are available on request.
  • outline the request procedure in terms of PAIA;
  • state who the head of the company is (CEO is usually the Information Officer in terms of PAIA)
  • stipulate the fees applicable as legislated by the Act which are chargeable to requesters
  • remedies available to requesters if their request for information has been refused
  • details facilitating request for access to a record etc.

Aside from the statutory obligation on all businesses to publish manuals, this legislation will be of particular interest to businesses which tend to collect a fair amount of information about other people. As I mentioned above, these businesses include direct marketing businesses (already under a spotlight with the Consumer Protection Act's marketing restrictions and the upcoming Protection of Personal Information Bill which specifically targets direct marketing activities) and consumer facing businesses, generally. That said, because requesters can be individuals and businesses and because the Promotion of Access to Information Act doesn't limit itself to consumer facing private bodies, all businesses should be working on their manuals and having them submitted before the deadline, if possible, or as close to it as they can.

It is also worth noting that, in the case of private bodies, the person responsible for Promotion of Access to Information Act compliance is generally the business' head and that is the same person who could find him or herself fined and imprisoned for non-compliance with the Act.

Once a business has published its manual, it should develop an effective procedure to handle requests for records. This procedure should include a process of assessing requests' validity, identifying and locating the requested records and making those records available to the requester on payment of the prescribed fees. Ideally this procedure should be well thought out and responsible persons within the business identified to facilitate the procedure and trained on the relevant requirements.

Assistance with manual preparation and publication

Given the amount of information available about the Promotion of Access to Information Act and manuals in particular, it is possible for businesses to prepare and publish their manuals internally. It does require familiarity with the Act and its requirements and it's a good idea to obtain a copy of the Commission's guide and work through that. Alternatively we are available to assist businesses with their manual's preparation, submission and publication (bear in mind the manual should be published through your website too) over the coming weeks. Contact us for more information if you require assistance.

Tuesday, Nov 08, 2011

Google+ Pages off to a good start for consumers

Google released Google+ Pages for brands publicly last night (South African time) to much excitement on the Web. Google+ has, until now, been reserved for humans posting as themselves and Google has been criticized for not allowing brands to create pages and for insisting that users use their real names and not pseudonyms (Google seems to have reversed course on this and is expected to announce support for pseudonyms soon). The elephant in the room has been brands' inability to create a presence on the growing platform.

Google+ Pages have a number of similarities to personal profiles including their basic design and functionality. Businesses can publish posts, photos, videos, run Hangouts (a very appealing and engaging video conferencing solution) and participate in comment threads as the brand. I enjoy using Google+ and have seen some pretty high engagement levels there. It is a product designed for engagement.

That said, there are some very interesting differences between Pages and profiles which are pretty good for consumers weary of the constant flow of direct marketing material. Susan Beebe, a Dell Corporate PR and Social Business Strategist, listed a number of differences in a post on Google+:

  • Pages can’t add people to circles until the page is added first or mentioned.
  • Pages can be made for a variety of different entities whereas profiles can only be made for people.
  • The default privacy setting for elements on your page profile is public.
  • Pages have the +1 button.
  • Pages can’t +1 other pages, nor can they +1 stuff on the Web.
  • Pages can’t play games.
  • Pages don’t have the option to share to ‘Extended circles’.
  • Pages don’t receive notifications via email, text, or in the Google bar.
  • Pages can’t hangout on a mobile device.
  • Local pages have special fields that help people find the business’ physical location.

Of these differences, the most significant difference for consumers is the first in that list: Pages can’t add people to circles until the page is added first or mentioned.

Explicit opt in on Google Plus for Pages

The reason this is so significant is that consumers must explicitly and specifically add brands to their circles (or, to use Twitter terminology, follow the brands) before those brands can publish posts targeted at those consumers. Until that point brands' Pages remain publicly visible but their posts don't enter consumers' streams until they are followed. This model is similar to Twitter in that Twitter users won't see brands' tweets in their Twitter stream unless they follow the brand's Twitter profile. As with Twitter, it also appears that a brand could publish a post which tags a consumer not following the brand on Google+ and get their attention that way.

It certainly appears that Google is thinking about building a product for brands that doesn't overpower consumers' streams with marketing messaging although an option requiring that consumers add brands to their circles before they can be contacted by brands would protect consumers better.

Thursday, Jun 30, 2011

Tension in the direct marketing industry over opt-in requirements

Tug of War

The Consumer Protection Act sparked quite a bit of interest in direct marketing and consumers' rights to opt-out of receiving direct marketing communications. It has also highlighted a tension between direct marketers and consumer orientated initiatives to protect and enhance consumer rights. Some of these initiatives have been undertaken by two industry bodies, the Internet Service Providers' Association and the Wireless Applications Service Provider Association which are self-regulatory bodies focused on ISPs and mobile service providers, respectively. The ISPA and WASPA Codes of Conduct contain provisions which are somewhat more stringent than the Consumer Protection Act, although more in line with the draft Protection of Personal Information Bill when it comes to regulating direct marketing.

I took a closer look at the relevant provisions in the Codes as well as related provisions in the Consumer Protection Act and the current Protection of Personal Information Bill, which is expected to be enacted in late 2011, in order to see how these regulatory frameworks deal with direct marketing and what effect they seem to have on the industry. This post is an overview of these regulatory frameworks.

The ISPA Code

The ISPA Code binds Internet Service Providers directly, and direct marketers that use ISPs to host their services, indirectly. Section E of the ISPA Code states the following:

E. Unsolicited communications

  1. ISPA members must not send or promote the sending of unsolicited bulk email and must take reasonable measures to ensure that their networks are not used by others for this purpose. ISPA members must also comply with the provisions of section 45(1) of the ECT Act, and must not send or promote the sending of unsolicited commercial communications that do not comply with the provisions of section 45(1) of the ECT Act.
  2. ISPA members must provide a facility for dealing with complaints regarding unsolicited bulk email and unsolicited commercial communications that do not comply with the provisions of section 45(1) of the ECT Act originating from their networks and must react expeditiously to complaints received.

ISPA's members generally adopt a fairly firm approach to unsolicited bulk email for a variety of reasons, and for good reason in many instances. We are all familiar with the deluge of spam that clogs our mailboxes on an ongoing basis. Unfortunately well meaning direct marketers are often caught in the cross-fire largely because they are reliant on ISPs to operate their businesses.

The WASPA Code

WASPA is a self-regulating industry association that watches over mobile service providers. Its members include most mobile service providers and marketers in South Africa as well as a number of foreign mobile content providers. If you market to customers by SMS, the odds are you are using a WASPA member to distribute your messages.

The current version of the WASPA Code is 11.0.  The section in the Code dealing with spam is section 5 which is titled “Commercial communications”.  Section 5.1 deals with “Sending of commercial messages” and specifies certain minimum requirements such as the requirement that WASPs terminate commercial messaging services when a recipient responds to a commercial message with the “STOP” instruction or similar words such as “END”, “CANCEL”, “UNSUBSCRIBE” or “QUIT”.

The definition of “commercial message” is also relevant and it is the following:

A “commercial message” is a message sent by SMS or MMS or similar protocol that is designed to promote the sale or demand of goods or services whether or not it invites or solicits a response from a recipient.

Sections 5.2 and 5.3 deal with spam identification and prevention and are directly relevant.  These provisions state the following:

5.2. Identification of spam

5.2.1. Any commercial message is considered unsolicited (and hence spam) unless:

(a) the recipient has requested the message;

(b) the message recipient has a prior commercial relationship with the message originator and has been given a reasonable opportunity to object to direct marketing communications

(i) at the time when the information was collected; and

(ii) on the occasion of each communication with the recipient; or

(c) the organisation supplying the originator with the recipient’s contact information has the recipient’s explicit consent to do so.

5.2.2. Any commercial message is considered unsolicited after a valid opt-out request.

5.2.3. WASPA, in conjunction with the network operators, will provide a mechanism for consumers to determine which message originator or wireless application service provider sent any unsolicited commercial message.

5.3. Prevention of spam

5.3.1. Members will not send or promote the sending of spam and will take reasonable measures to ensure that their facilities are not used by others for this purpose.

5.3.2. Members will provide a mechanism for dealing expeditiously with complaints about spam originating from their networks.

When it comes to classifying a commercial message as not “spam”, the Code sets out a two part test.  A commercial message is regarded as spam if it is unsolicited except where -

  1. The recipient has either requested the message or has a prior commercial relationship with the message originator and “has been given a reasonable opportunity” to opt-out of further marketing communications from the originator (this is implicit opt-in with an opt-out requirement); or
  2. The recipient has given his or her “explicit consent” to receive the commercial message concerned.

The focus of this test is on unsolicited commercial messages and the default position is that such messages are spam and prohibited unless the originator can prove one of two scenarios (mentioned above), both of which are consent-based.  The first scenario is a combination of explicit opt-in and the second scenario involves a more implicit opt-in.  This is a departure from the current legislative position, although not necessarily from the anticipated legislative framework detailed in draft legislation.

The Consumer Protection Act

The Consumer Protection Act deals with “unwanted direct marketing” in section 11 of the Act.  Consumers’ right to pre-emptively block, refuse to accept or to require a person to discontinue direct marketing communications or approaches is specifically included in consumers’ broader right to privacy which is entrenched in the Bill of Rights.  While the Consumer Protection Act does not explicitly state that it operates on the basis of an opt-out paradigm, section 11(2) supports this conclusion:

To facilitate the realisation of each consumer’s right to privacy, and to enable consumers to efficiently protect themselves against the activities contemplated in subsection (1), a person who has been approached for the purpose of direct marketing may demand during or within a reasonable time after that communication that the person responsible for initiating the communication desist from initiating any further communication.

The direct marketing framework contemplated by the Consumer Protection Act is similar to the framework established for electronic direct marketing in the Electronic Communications and Transactions Act.  Both frameworks enable marketers to send unsolicited commercial messages (to use the basic term in the Code) directly to consumers provided they facilitate and honour requests from consumers to opt-out of receiving further commercial messages from those marketers.  The press release mentioned a Do Not Call Registry which section 11(3) of the Consumer Protection Act provides for.  This registry doesn’t exist yet, at least not in the form contemplated by the Consumer Protection Act, but such registries do exist in varying degrees.

The Direct Marketing Association of South Africa (“DMASA”) operates a National Opt Out Register which its members are bound to comply with.  This Register presently represents the closest registry of its kind to the registry contemplated in the Consumer Protection Act.  Unfortunately this Register is limited in its scope.  It binds DMASA members and its distribution is limited to those members.  It is also subject to exploitation (such an exploit was publicised in ITWeb on 30 May 2011) for illegitimate purposes in its current form although its distribution method is due to shift from email to an authenticated file transfer protocol.

Protection of Personal Information Bill

The Protection of Personal Information Bill deals with “unsolicited electronic communications” in section 66 of the current draft Bill.  This section begins with the premise that unsolicited electronic communications (including SMS and email) for direct marketing purposes are prohibited unless certain conditions are met (the Bill speaks of “processing” which has broader implications than simply sending marketing SMSes or emails but I will confine my discussion to direct marketing messages).  These conditions are, essentially, that the person whose personal information is being used (the “data subject”) has consented to receiving these commercial messages or where the data subject is a customer of the party sending the commercial messages.

This latter condition is a complex one.  In order for a business to market its products and services to a consumer under the Protection of Personal Information Bill, it must have obtained the consumer’s contact details in the context of a sale of a product or service for the purpose of directly marketing the business’s “own similar products or services” and the consumer must have been afforded opportunities to opt-out of receiving those marketing messages both at the time the contact details were collected and “on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use”.

Going further, the Protection of Personal Information Bill requires that “any communication for the purpose of direct marketing” must contain the following information:

  1. details of the identity of the sender or the person on whose behalf the communication has been sent; and
  2. an address or other contact details to which the recipient may send a request that such communications cease.

This section of the Protection of Personal Information Bill appears to shift the current opt-out paradigm to something closer to an opt-in paradigm in that a consumer’s consent is required before a business may market products and services to the consumer or the consumer must be the business’s customer and the consumer’s personal information was collected for that purpose.  The first scenario entails an express opt-in and the second an implicit opt-in with the comfort of a subsequent opt-out option.  These provisions are similar to the provisions of the Code dealt with above and represent a departure from the current paradigm the Consumer Protection Act operates under.  While the Protection of Personal Information Bill is not a final Bill yet and there is still scope for these provisions to change before its finalization and adoption by Parliament, it is worth bearing its current provisions in mind.

Where does this leave direct marketers

Direct marketers are largely dependent on either ISPs or WASPs to conduct their businesses and this presents a number of challenges. The current business model relies on an opt-out paradigm to exist and the ISPA and WASPA Codes are precursors to the Protection of Personal Information Act which shift the paradigm to an opt-in paradigm which most direct marketers probably can't easily transition to. If the ultimate Protection of Personal Information Act will have the current opt-in provisions for direct marketers then the industry will have to change the fundamental basis on which it operates starting with its database development strategy.

Some marketers have already begun exploring more innovative models based on social media. One of my recent clients, Virtuosa, sent out an email in April informing its newsletter subscribers that it was discontinuing its newsletter and invited its subscribers to follow it on Twitter, Facebook and LinkedIn:

Newsletters are old-fashioned. Research and feedback from you has shown that overall the preferred means to receive updates and engage with us is via our social profiles. We will no longer be sending regular newsletters but rather communicate with you on Social Media. Please connect and engage with us via our social media profiles.

One of the advantages of social media as a broad marketing platform is that services like Twitter, Facebook and LinkedIn are built to be opt-in and have easy opt-out mechanisms built into the platforms. In a way, this model is an ideal direct marketing model because of its higher engagement levels and opt-in basis but shifting to this model basically means discarding existing email and SMS databases in favour of a relatively young channel. Even if marketers ignore social media, they need to seriously start thinking about how they will transition to an opt-in paradigm if the current Protection of Personal Information Bill is passed in more or less the same form it is currently in. As it is, they operate in an environment that is, at least partly, fundamentally opposed to their existing business model.


Image credit: Tug of War by joshwept, licensed CC BY 2.0