Reasonably practicable compliance with POPI is not enough

When considering how much you should do to comply with legislation like the Protection of Personal Information Act, you have three choices:

  1. Do as little as possible and see what you can get away with;
  2. Calculate the degree of “reasonably practicable” compliance required and stick with that;
  3. Adopt a more holistic approach to compliance.

Of the three options, the first is clearly a recipe for disaster. The only questions are when disaster will strike and how devastating it will be.

The second option is a popular one. To begin with, it is a practical solution because it takes into account what the law requires of you in order to meet the law’s standard so you limit your potentially significant investment in a compliance program without a corresponding quantitative benefit. Makes sense, right? In a way, yes, but what it doesn’t take into account is that your primary compliance risk is increasingly not regulators (at least not in South Africa where regulators often lack the capacity to respond very quickly), but rather the people who are directly affected by your decisions.

In other words, complying with laws like the Consumer Protection Act and Protection of Personal Information Act is not a quantitative exercise where you empirically (or as close to empirically as a legal compliance assessment can be) calculate your desired degree of compliance and work to that standard. Instead, compliance is qualitative.

John Giles published a terrific post on the Michalsons blog titled “Only do what is reasonably practicable to comply with POPI” in which he explains POPI’s baseline compliance standard which is based on reasonableness and how this translates into what is likely an effective quantitative approach to compliance. It is worth saving the article because it is a handy reference for when you need to understand what the law means by “reasonably practicable”.

I don’t believe that this is enough, though. If anything, the question of what is reasonably practicable should only be part of your assessment of what you should do. The next, and arguably more important, question should be “What should we do to ensure not only compliance with the law but also to earn our customers’ trust?”. No, I’m not suggesting you drink the “rainbows and unicorns” energy drink and incur real money complying with some nebulous standard because your customers will like you more. Well, not entirely. What I am suggesting is that there is another dimension to compliance with legislation that affects people in very personal ways.

When you look at recent privacy controversies involving services like Facebook, Google and SnapChat, one theme that emerges from each of these controversies is not that these companies handled users’ personal information in ways they necessarily concealed from users. Their privacy policies describe what they do with users’ personal information in varying degrees. What really upsets users is that they weren’t expecting these companies to do the things they did because users tend to develop a set of expectations of what to expect from their providers which is typically not informed by privacy policies (because few people read them). These expectations are informed by what these companies tell them in marketing campaigns, what other users and the media tell them, what their friends share with them and their experiences with the services themselves.

When a provider steps outside its users’ collective expectations, mobs form and there is chaos in the metaphorical streets. The fact that these companies stuck to their published privacy policies and terms and conditions is largely irrelevant because users are not wholly rational and analytical. They don’t go back to the legal documents, read them quietly and go back to their daily lives when they realise that they mis-read or misunderstood the legal terms and conditions. No, they are outraged because the companies violated the trust users placed in these companies based on users’ expectations.

You may not have the same number of customers as Facebook, Google or SnapChat and your business may be different but if you are considering Protection of Personal Information Act or Consumer Protection Act compliance, you are dealing with the same people: consumers who have expectations and perceptions which you influence but certainly don’t control. If you violate the trust they place in you, the response will be swift and the consequences from a reputational perspective could be severe.


When you develop your compliance program, assess what is reasonably practicable and set that as your commercial baseline. Then, consider how transparent you can be with your customers about what you intend doing with their personal information.

I remember reading a discussion about partners cheating on each other and at one point in the article the writer said that cheating isn’t just about the act but also the thoughts that precede it. If you have thoughts about another person which you don’t want to share with your partner, that is probably a good indication you are contemplating something you shouldn’t be doing. Apply that to your compliance program and ask yourself if you are comfortable disclosing what you intend doing with your customers’ personal information to them? If you are, be transparent about it in your privacy statement/policy and in your communications with your customers.

If you don’t feel comfortable being transparent about how you intend using your customers’ personal information and, instead, intend hiding behind technical legal compliance with the law to justify your data use, you may be setting yourself up for a bitter divorce and a costly battle with your customers. By the time the regulators arrive to assess your compliance, the damage will already have been done and the reasonably practicable thing to do will be to pick up the pieces of your reputation (and possibly your business) and start earning your customers’ trust again.

POPI compliance and your plan to fail

Unfortunately many companies may have left their preparation too late, especially the larger companies, and have not yet established a complete set of practices and processes to ensure their compliance with POPI’s many requirements. Although companies will likely have a year before many of POPI’s compliance requirements go into effect, a year is simply not enough time to prepare adequately. Compliance isn’t just a matter of writing a privacy policy and publishing that. In order to comply with POPI, organisations have to ensure that all their underlying processes are aligned with POPI’s requirements. In this sense a privacy policy is really more of a description of a series of data protection practices which have been implemented throughout the organisation. If there is a disconnect between your organisation’s practices and processes and what the privacy policy describes, the consents you are hoping to obtain through the privacy policy will amount to little more than lip service to the legislative framework it serves.


The Protection of Personal Information Act has been in the pipeline for so long I keep expecting someone to develop a drinking game around “POPI” mentions in conferences (every time a speaker says “POPI”, everyone takes a drink). The Bill was passed by Parliament and the President has signed it into law as the Protection of Personal Information Act (No. 4 of 2013). The next step is POPI’s commencement date in a government gazette and the final countdown to its implementation and a compliance deadline. A copy of the Act is at the bottom of this post for your reading pleasure.


Something else to bear in mind is that a data gold rush before POPI comes into effect may amount to a waste of time, money and effort. Some of my colleagues have advised their clients that POPI will not have retrospective effect so anything done before POPI goes into effect will not be affected by POPI’s more stringent restrictions. They are likely correct about POPI not having retrospective application but POPI’s compliance requirements will almost certainly not be waived just because you collected personal information before POPI’s implementation date. If, for example, you don’t obtain adequate consent for your intended personal information uses before POPI is implemented, I doubt very much that this will be excused once POPI goes into effect and you could find your shiny data treasure trove is tainted, must be discarded and you will have to start again and do the work you should be doing now (if you haven’t done it already).

The bottom line, so to speak, is that if you haven’t prepared for POPI you may not have much time left. As the saying goes, your failure to plan for POPI is, effectively, your planned failure to comply.

That said, here are a couple next steps in your road to compliance:

  1. Review your processes which touch on personal information collection and processing. The best data protection policies are useless if your underlying processes are not going to comply with POPI’s requirements. Your marketing teams, in particular, need to understand how POPI affects them and must assess their databases, marketing initiatives and other personal information-related activities. Don’t forget to include internal data processing in your review. You will have to apply similar principles to the personal information you process internally so your human resources people need to be involved too.
  2. Align your marketing initiatives with your organisation’s compliance requirements and your underlying processes. Marketing campaigns rely on personal information and they have to be supported by the day to day data processing workflows and, in turn, support essential policy frameworks. Don’t just leave this up to your marketing teams, you need people who understand POPI’s impact and can mediate between Marketing/Communications and Legal/Compliance imperatives.
  3. Take into account industry regulatory frameworks like the WASPA Code of Conduct. It is now backed by a law and could have a fundamental impact on any mobile initiatives you are running. Failure to comply with WASPA’s Code and its Advertising Rules can behead a mobile campaign that relies on mobile short codes, for example.
  4. Develop and implement clear and practical privacy or data protection policy frameworks. These policy frameworks must be supported by the practical realities of how your teams handle personal information every day. A policy framework in a process vacuum is pretty ineffective and a pretty short road to reputational harm and regulatory attention.

Preparing for POPI is not a quick and easy process and I’m not saying this because this is one of my focus areas, the more you delve into the law the more you realise what a mammoth undertaking it is. Call me if you could use some help. Alternatively, read the Direct Marketing Legalities Survival Guide I published earlier this week. I explain many of the compliance requirements in POPI and other legislation like the Electronic Communications and Transactions Act and Consumer Protection Act as well as WASPA and ISPA Hall of Shame considerations.

PPC Lead Generation’s Privacy Risks

PPC lead generation is a search-based lead generation technique which leverages search terms to surface (preferably) relevant ads in search results. When you click on those ads you are often taken to landing pages where you have the option of submitting your details to a company so it can get in touch with you about its products and services. It’s a pretty smart marketing option because it begins with the premise that you are searching for what the company offers. It is also a potentially risky proposition for brands that fail to implement adequate privacy protections.


How PPC Lead Generation Works

Let’s assume you are in the market for home insurance so you search for “home insurance”:

You’ll notice a couple ads which relate to “home insurance” and which are identified as ads. These are sponsored or paid ads which are displayed in your search results based on your search terms. The companies that purchase the ads (often an agency specialising in this sort of advertising) select key words that they believe will correspond with your search terms so when you run your search, their ads are displayed as relevant search results (Google regards these ads as something which may be valuable to you so it built an ad sales model based on this process). You click on a link in one of the ads and you are taken to a landing page which can look something like this:

Notice the form on the right? That form is an opportunity for you to submit your details to the brand behind the campaign, in this case MiWay, so its sales representatives can contact you about its products and services. Once you submit your details, you become a sales lead (hence the term “lead generation”). The “PPC” bit stands for “Pay Per Click” which is a reference to the payment model the advertiser agrees to. The advertiser pays for each click on the ad. Some advertisers will pay their agencies for leads generated. It depends on the advertiser’s preferences and the agency’s business model.

The Privacy Considerations

This form of advertising is an interesting one because it begins with a person searching for something she is interested in. In this example, “home insurance”. When she is presented with search results relevant to her search terms and she clicks on one of them (in this case the MiWay ad), she is implicitly indicating an interest in what the relevant brand has to offer. So far she is consenting to some of her personal information being collected although it is likely data such as her IP address, general location, browser and computer information and so on.

Assuming the ad takes her to a page that is relevant to her search term and the ad text which informed her decision which ad to click on, there aren’t any privacy concerns so far. If the ad is misleading then any personal information the advertiser collects so far is without her permission because she was expecting a different result and that would have informed her consent in whatever form she gave it.

Once she loads the landing page, the situation changes somewhat. Presented with the form, the advertiser has two options:

  1. rely on the consumer’s continued implicit consent to process the personal information she submits through the form in the way the advertiser intends to process it, or
  2. explain what personal information the advertiser will collect through its interaction with the consumer, what it will do with that personal information and under what circumstances it will share that personal information with others.

The first option is inherently risky because the consumer assumes that the brand itself, namely MiWay, will collect the consumer’s personal information and will only use it to contact the consumer. That, at least, is the impression the landing page gives. The consumer may also assume that her personal information will not be used for cross-selling, disclosure to associated companies and will be limited to what she submits through the form. This may not be the case.

Often what happens is that the agency collects leads generated through the landing page and passes them along to its client, the company behind the brand. That company may want to use that personal information to market other products and services within its group, share it with partners and so on. There is also little, if any, indication of how long the personal information will be stored, how it will be stored and at what point it will be destroyed.

All of these answers should be communicated to consumers going forward if they are to make informed decisions about who can process their personal information and under what circumstances under the expanded privacy compliance framework Protection of Personal Information Act is going to introduce shortly. One of the best ways to do this at the moment is through a clear privacy policy framework which solicits that consent from consumers arriving at the landing page. These policies should clearly identify the parties handling the personal information consumers submit and what happens to it from the time it is submitted.

Agencies have a couple options when it comes to implementing privacy policy frameworks which range from incorporating their clients’ privacy policy frameworks (assuming they are appropriate) to publishing custom policies. Whichever option, it is not a very complex process, it just needs to be done with sufficient thought about the compliance requirements marketers face.

Risk management doesn’t stop at a privacy policy. It extends to data management and ensuring that personal information is processed securely and consistently with privacy policies’ requirements. Agencies should also consider whether they have sufficiently structured their contractual relationships with their clients (and vice versa) in order to manage potential liability flowing from privacy violations which could occur and which could be remarkably costly, both in terms of reputational harm and monetary cost.

The potential harm is not always foreseeable and neither is its extent. A good example of this is the recent Adobe privacy breach which has had far-reaching implications not just for Adobe itself but for users who use a range of other services. This is just not something companies or their agencies can afford to ignore. They could be the next trending news item with a plummeting share price.

Consent for Direct Marketing Under POPI

The Protection of Personal Information Act has particular interest for direct marketers because of the likely substantial impact the legislation will have on consumer-facing initiatives when it goes into effect. POPI has a section that deals specifically with and introduces a consent model designed for direct marketing. It is an interesting model and I’ll explain why in this post.


Protection of Personal Information Act’s section 69 is titled “Direct marketing by means of unsolicited electronic communications”. It begins with the following general prohibition on –

The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail …

unless the data subject [1] either consents[2] or, importantly, is the “responsible party’s[3]” customer.

If, on the other hand, the consumer (or data subject) is not the provider’s (responsible party) customer and if the consumer has not “previously withheld” consent, the provider has a once-off opportunity to send the consumer a request for the consumer’s consent to allow his or her personal information to be used for direct marketing purposes. In practice this is usually a message simply informing the consumer about the products or services the provider would like to market to the consumer and requesting consent. This once-off message should not be a marketing message because that would violate the general prohibition. It should be an information message and its specific format may be prescribed in regulations supporting the Protection of Personal Information Act in due course.

If the consumer consents then the provider will be entitled to use the consumer’s personal information for direct marketing purposes within the consent’s parameters. This may sound obvious but this can be a little tricky. The best way to obtain the quality consent the Protection of Personal Information Act contemplates (take another look at the consent definition[2]) is through a sufficiently detailed privacy policy document. This is a privacy policy’s role. It is the foundation of a compliant direct marketing campaign so do it properly!

If the consumer doesn’t give express consent through a privacy policy but is a provider’s customer[4] already, the consumer’s consent is essentially implied by virtue of the consumer being a customer who is already interested in learning more about the provider’s products or services. In this scenario, the provider can use the consumer’s personal information for marketing purposes where –

  1. the provider obtained the consumer’s personal information in the context of a sale of a product or service;
  2. “for the purpose of direct marketing of the [provider’s] own similar products or services”; and
  3. the consumer has been given “a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details” both at the time the consumer’s personal information was first collected and each time the provider communicates with the consumer for marketing purposes (and assuming the consumer didn’t refuse to consent the first time he or she was asked).

Then, lastly, each communication for the purpose of direct marketing must contain both the provider’s identity as well as contact details which the consumer can use to opt out of further marketing communications.
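The decision rules above (express consent, the existing-customer route, the once-off consent request, and the identity and opt-out requirement for every message) are the sort of logic an opt-in/opt-out back-end has to encode. The following is an added illustration, not code from the post or from any regulator; the record fields, the `Decision` names and the sample data subject are assumptions made for the example.

```python
"""Section 69 direct-marketing decision logic, as summarised in the post above.
Added example: field names, the Decision enum and all sample values are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Decision(Enum):
    MARKET = "send the direct-marketing message"
    REQUEST_CONSENT = "send the once-off consent request (information only, no marketing)"
    PROHIBITED = "do not send"


@dataclass
class DataSubject:
    """What the back-end must know about a person before messaging them (assumed schema)."""
    subject_id: str
    consented_purposes: set = field(default_factory=set)   # express consents on record
    consent_evidence: list = field(default_factory=list)   # proof of how each consent was obtained
    withheld_consent: bool = False         # previously refused a consent request
    consent_requested: bool = False        # the once-off request has already been used
    objected: bool = False                 # opted out of further marketing
    is_customer: bool = False
    obtained_in_sale: bool = False         # details collected in the context of a sale
    purchased_categories: set = field(default_factory=set)  # used for "similar products"
    given_chance_to_object: bool = False   # offered at collection time, free of charge


@dataclass
class Message:
    purpose: str            # e.g. "book specials"
    product_category: str   # what the message markets
    sender_identity: str    # provider's identity, must appear in every message
    opt_out_contact: str    # contact details the recipient can use to opt out


def record_consent(subject, purpose, wording_shown, channel):
    """Store the express consent together with evidence of how it was obtained,
    since the responsible party has to be able to prove the consent later."""
    subject.consented_purposes.add(purpose)
    subject.consent_evidence.append({
        "purpose": purpose,
        "wording": wording_shown,
        "channel": channel,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })


def message_is_well_formed(msg):
    """Every marketing communication must carry the sender's identity and opt-out details."""
    return bool(msg.sender_identity.strip()) and bool(msg.opt_out_contact.strip())


def decide(subject, msg):
    """Return the Decision for sending msg to subject. Marks the once-off
    consent request as used when that route is chosen."""
    if not message_is_well_formed(msg):
        return Decision.PROHIBITED
    if subject.objected:                       # an opt-out overrides every route
        return Decision.PROHIBITED
    # Route 1: express consent covering this purpose.
    if msg.purpose in subject.consented_purposes:
        return Decision.MARKET
    # Route 2: existing customer, details obtained in a sale, similar products,
    # and a reasonable opportunity to object was given at collection.
    if (subject.is_customer and subject.obtained_in_sale
            and msg.product_category in subject.purchased_categories
            and subject.given_chance_to_object):
        return Decision.MARKET
    # Route 3: neither applies, so one consent request is allowed unless consent
    # was previously withheld or the once-off request has already been sent.
    if not subject.withheld_consent and not subject.consent_requested:
        subject.consent_requested = True
        return Decision.REQUEST_CONSENT
    return Decision.PROHIBITED


if __name__ == "__main__":
    # Constructed sample: a bookstore customer who bought books but never consented to insurance offers.
    reader = DataSubject("reader-1", is_customer=True, obtained_in_sale=True,
                         purchased_categories={"books"}, given_chance_to_object=True)
    specials = Message("book specials", "books", "Example Bookstore", "optout@example.invalid")
    insurance = Message("insurance offers", "insurance", "Example Bookstore", "optout@example.invalid")
    print(decide(reader, specials).value)    # customer route
    print(decide(reader, insurance).value)   # once-off consent request
    print(decide(reader, insurance).value)   # prohibited: request already used
```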

This basic model isn’t totally new. It has existed for some time in other regulatory frameworks like the WASPA Code of Conduct (mobile service providers will be familiar with this mechanism). It does represent a broader shift in South African law because the Protection of Personal Information Act will establish minimum requirements for practically all direct marketing communications, particularly from a consent perspective.

If you are engaged in direct marketing, this is a pretty important aspect of the Protection of Personal Information Act for you. This isn’t the only legislation dealing with direct marketing, though, just arguably the most important from a privacy perspective. The Consumer Protection Act, for example, deals with other issues relating specifically to direct marketing such as cooling off periods for sales made through direct marketing (there is some overlap with the Electronic Communications and Transactions Act which also deals with cooling off periods, and which Act applies will depend on what was sold and how).

In the meantime, it is worth taking some time to explore how your direct marketing activities may need to change to accommodate the Protection of Personal Information Act’s compliance requirements. You may not need to make substantial changes, only make sure you have an adequate privacy policy framework and the back-end systems to properly process opt-ins and opt-outs. Whatever your particular requirements may be, time is running out. The Protection of Personal Information Act has been passed by Parliament and is likely before the President waiting for his signature and then it will be implemented.


  1. “data subject” means the person to whom personal information relates. ↩
  2. “consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. ↩
  3. “responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. ↩
  4. Express consent would be required where a consumer is approached for the first time by a provider’s representative and asked to consent to direct marketing. An example could be a consumer who completes a feedback form at a bookstore which includes a section requesting permission to send the consumer marketing information about book sales and specials. On the other hand, a consumer who has already bought books from the bookstore is, obviously, already a customer and the rules change somewhat. ↩

Introducing POPI’s processing conditions

There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to introduce you to what are known as “Conditions for lawful processing of personal information”. These conditions effectively operate as processing parameters and will have a relatively subtle but substantial impact on direct marketing because they limit the scope of what personal information can be processed and for how long.

I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers”. As I pointed out in that post, the consent issue, while critical, just scratches the surface. I took this further in a subsequent post titled “Processing, personal information and direct marketing under POPI” where I explored two further fundamental terms, namely “personal information” and “processing” which have interesting implications for marketers in particular. The recording below is an overview of that post and the implications of those two terms.


An Overview of the Processing Conditions

The Protection of Personal Information Act will have 8 processing conditions:

  1. Accountability
  2. Processing limitation
  3. Purpose specification
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security Safeguards
  8. Data subject participation

In this post I’ll introduce you to the first two processing conditions, namely Accountability and Processing limitation.

Accountability

This condition essentially requires that the “responsible party” ensure that the various processing conditions are met and –

are complied with at the time of the determination of the purpose and means of the processing and during the processing itself

In other words, the responsible party is required to ensure the conditions are met at all times. So who or what is the responsible party? The “responsible party” means –

a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information

A “responsible party” is not to be confused with an “operator”, though. They are different parties in the context of this legislation.

Processing Limitation

This condition is divided into 4 distinct requirements:

  1. Lawfulness of processing
  2. Minimality
  3. Consent, justification and objection
  4. Collection directly from the data subject

Lawfulness of Processing

This requirement is fairly self-explanatory and entails ensuring that personal information is not just processed “lawfully” but also reasonably, in a way that doesn’t infringe the data subject’s “privacy”. This second part is both a little circular, because the Protection of Personal Information Act goes a long way to unpacking privacy as a legal concept, and also establishes a broad reasonableness requirement for personal information processing.

Minimality

This requirement is linked to the Purpose specification condition and states that, in addition to processing personal information for its specific purpose, it may only be processed if that is “adequate, relevant and not excessive”. It is an overarching limitation on top of the Purpose specification condition and serves as an additional layer of protection for data subjects against overreaching, even within the confines of the Purpose specification condition.

Consent, justification and objection

As this section’s name suggests, this is all about consent or, where there isn’t adequate consent, when processing personal information is justified and what the data subject can object to.

The starting point is that consent from a data subject is always the best option from the perspective that it incorporates informed and specific permission to process the personal information. Where the data subject is a child, you will need the child’s “competent person” to consent to processing the child’s personal information (there are a couple additional restrictions later in the Bill regarding children’s personal information). Who is a “competent person”? According to the Bill, “competent person” means –

any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;

Consent isn’t the sole requirement to allow a party to process personal information. Other justifications include –

  • processing necessary to conclude or perform in terms of a contract the data subject is a party to;
  • where the processing is compliant with a legal obligation imposed on the responsible party (the party collecting the personal information);
  • where processing the personal information would protect the data subject’s legitimate interest (this is pretty vague and bound to be the subject of much debate);
  • where “processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied” (this is potentially even broader than the previous justification and isn’t constrained by the data subject’s interests).

Where a responsible party contends it/he/she received consent to process a data subject’s personal information, that responsible party will have to prove that. This means that documenting that consent is essential and preserving that documentation correctly is similarly essential. The requirements for data retention and preservation as evidence are spelt out in the Electronic Communications and Transactions Act and are worth reading very carefully when designing your data retention systems. Not being able to present admissible evidence of consents obtained could leave you in breach of the Act and subject to its penalties.

Consent isn’t irrevocable under the Protection of Personal Information Bill. A data subject can withdraw consent at any time but doing that doesn’t invalidate processing prior to withdrawing consent. Going further, a data subject can also object to his or her personal information being processed under the various justifications on “reasonable grounds”, although not where legislation requires that personal information processing. An example here is a law requiring a mobile network provider to collect consumers’ personal information under the Regulation of Interception of Communications and Provision of Communication-related Information Act. A consumer can’t object to personal information being collected in that context because the statute requires it.

Section 69 of the Protection of Personal Information Bill deals with direct marketing using electronic communications and includes provisions enabling consumers to object or withdraw consent to direct marketing. We’ll go into that section in more detail in a subsequent post.

Interestingly, this section of the Bill also provides that where a data subject has objected to personal information processing, the responsible party “may no longer process the personal information”. This section doesn’t seem to require that the objection be confirmed as valid, just that an objection halts the processing activity. The responsible party would presumably then have to establish that the objection wasn’t reasonable or was required by law to continue.

Collection directly from the data subject

This processing limitation, as its name suggests, requires that responsible parties collect personal information directly from the data subject. There are some exceptions to this requirement where, for example, the information is “contained in or derived from a public record or has deliberately been made public by the data subject”; where the data subject is a child and a competent person has consented to the child’s personal information being collected from “another source”; as well as where collecting the personal information from another source “would not prejudice a legitimate interest of the data subject”.

There are also a number of exceptions to this requirement based on necessity. These include law-enforcement requirements, steps taken to ensure compliance with legal obligations or to enforce legislation, the conduct of legal proceedings, the interests of national security, or maintaining the legitimate interests of the responsible party or of a third party to whom the information is supplied. Even further exceptions include situations where compliance would “prejudice a lawful purpose of the collection” or where compliance is “not reasonably practicable in the circumstances of the particular case”.

This limitation applies more to scenarios that do not involve some sort of law enforcement requirement, or where either the data subject’s or the responsible party’s “legitimate interests” are involved. The “legitimate interests” concept is pretty broad and is not defined in the Bill. Where this limitation does have a real impact is on marketers who have, historically, been in the habit of aggregating marketing databases using multiple sources, many of which have been traded, enriched and expanded without much reference to the individuals concerned.

It is also worth bearing in mind that collection is distinct from other processing conditions such as the requirement for consent and purpose specification (which we will deal with in a subsequent post). In other words, simply being able to collect the personal information does not automatically grant the responsible party the right to make use of the personal information for any particular purpose. A number of other processing conditions deal with what can be done with that personal information once it is collected.

Processing, personal information and direct marketing under POPI

I touched on consent as a key consideration in the Protection of Personal Information Act (expected to be passed shortly) in our recent post titled “POPI is a steep, uphill climb for direct marketers”. As I pointed out in that post, the consent issue (the video above summarises consent as a key concept and why it is so important in direct marketing), while critical, just scratches the surface. There is a lot more to the anticipated Protection of Personal Information Act and, in this post, I’d like to give you an overview of two further important terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”.

Personal Information and Processing

Before you can understand the processing conditions, you need to understand two further terms used in the Protection of Personal Information Bill, namely “personal information” and “processing”. The “personal information” definition is pretty broad. It includes all the usual categories of personal information and a great deal more:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

I highlighted some of the interesting aspects of “personal information” because these categories of personal information are not always recognised as such. For example, “any identifying number, symbol” or “online identifier” could include a Twitter handle or pseudonym (assuming it could be associated with an identity). “Personal opinions, views or preferences” covers a wide range of questions marketers often ask people in surveys and competitions. Add to this other people’s “views or opinions” about your data subject, and you’re now dealing with personal information about person A which you obtain from person B and which is also person B’s personal information, so you potentially need to obtain consent from both people.

The next important term is “processing”. This is the term used for a variety of activities pertaining to how personal information is handled. It is also fairly broad:

‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;

This definition basically categorises virtually any action relating to personal information as “processing” and subject to consent by the data subject. As the definition’s lead-in indicates, this covers both single actions and groups of actions or, as the definition puts it: “any operation or activity or any set of operations”. Like I said, it is broad, very broad.

Both of these terms form part of the foundation of an adequate privacy model that direct marketing businesses should have in place already or, at the very least, should be actively developing. We will explore more POPI themes in an upcoming series of posts about the processing conditions in this anticipated legislation in more detail. The processing conditions establish a series of parameters that will shape direct marketing campaigns and other activities that make use of personal information for quite some time to come.

POPI compliance is a steep, uphill climb for direct marketers

The Protection of Personal Information Act is going to have a radical impact on the direct marketing industry and a number of direct marketing businesses are going to shut down because they won’t be able to adapt and remain viable, especially if they don’t take action right away. If you don’t have a direct marketing business that is already based on a truly consensual business model (bearing in mind the consent model in the Protection of Personal Information Bill), you simply can’t afford to waste any more time.

Direct marketers who are working towards bringing their businesses into line with the Protection of Personal Information Bill, which is expected to be finalised and put to a vote by 6 March 2013, may have a lot of work ahead of them. What is worrying is that many direct marketers don’t really appreciate just how much work they have to do. Ignorance isn’t bliss, it is a recipe for disaster.

We’ve been working with clients on bringing their direct marketing businesses into line with the Protection of Personal Information Act. The first step is understanding what the business’ current degree of compliance is and, more often than not, there are usually compliance gaps big enough to float a cruise liner through. The first thing that direct marketers need to understand is that the starting point is not the direct marketer’s current systems and processes but rather its database’s origins and the consents which were given to compile the database the direct marketing business is based on.

As a general rule[1], personal information must be collected directly from the data subject[2] (where I refer to a consumer in this post, I am referring to a consumer as a data subject) who must also consent to how the personal information will be “processed”[3]. We’ve seen letters from data suppliers simply stating that consumers have “consented” or “opted in” to their personal information being collected, added to the databases they have supplied and for the purposes those databases are to be used. That just isn’t enough of an indication of what the consumers have given their consents for.

Consent is not just some generic approval for some personal information to be collected and used for marketing purposes. The consent has to be very specific. It has to be –

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

If you break that down, consent, under the Protection of Personal Information Bill –

  • can’t be taken from the data subject involuntarily (this sounds obvious but how many campaigns purport to take a consent without the data subject being aware that he or she is giving consent for anything?);
  • has to be specific and must relate to specific uses and conditions instead of a general purpose consent for vague uses under the umbrella term “marketing purposes”;
  • has to be informed (this ties in with the specificity requirement) so the data subject is well aware of what personal information is being collected; what that personal information is going to be used for; how the personal information will be handled; and under which circumstances the personal information will be disclosed, and to whom.

A consumer must also give consent explicitly. This is borne out by the phrase “expression of will” which implies some sort of express act and not an implicit understanding that consent is required for some or other purpose.

Consent is a fundamental requirement for personal information to be processed, and obtaining that consent from the data subject directly is required for any subsequent personal information processing. In essence, that consent applies to subsequent use of the data subject’s personal information and, if those subsequent uses are not adequately covered by the original consent, those subsequent uses will probably infringe the data subject’s privacy rights and fall foul of the Protection of Personal Information Act.

As a direct marketer, your entire business rests on the quality and scope of the consents that relate to each and every record in your database. Those consents must cover aspects such as –

  • what personal information is being processed (can you use the data subject’s name, phone number and email or did the data subject only consent to you using a phone number, for example?);
  • which personal information can be processed for which campaign or use (did the data subject consent to receive marketing information about cars and you are marketing furniture?);
  • have you received consent to process the data subject’s personal information or was consent only given to your source (if consent was not given to you, specifically, you may still be permitted to process the personal information depending on your relationship with the party that received the consent).

Another problematic practice is enriching databases using third-party data sources. Firstly, this can only be done under the Protection of Personal Information Act with the Regulator’s consent[4]. You also have to take into account that the requisite consents must have been given to the parties you obtain the additional personal information from, both to add it to your databases and then to process that additional personal information in the manner in which you intend to process it.

Of course there are also specific provisions in the Protection of Personal Information Bill that deal with direct marketing[5] which impose additional requirements on direct marketers when it comes to the forms of consents required in different contexts. The Electronic Communications and Transactions Act is also about to be amended to support the opt-in requirements for so-called “electronic communications” and I expect the Consumer Protection Act will be amended to close the opt-out loophole too.

This only really just scratches the surface of the analysis that has to take place just to determine how much work a direct marketing business has ahead of it to bring it into line with the Protection of Personal Information Act when it goes into effect (if everything stays on track, this could be around March 2014). The process of identifying the gaps can take months, the process of changing a business model to adapt to the necessary changes could take longer. We and other lawyers in this space have been talking about the need to perform the necessary analysis and introduce the necessary changes for some time now. It is a long and complex process.

As we mentioned at the beginning of our post, we are working with clients to help them adapt to the coming changes. We have developed a detailed and comprehensive compliance gap analysis and review model which we use to gain a detailed understanding of our clients’ businesses and give specific advice on how to close the gaps.

Contact us if you would like us to assist you.

  1. Section 12 of the Protection of Personal Information Bill  ↩
  2. Defined as “the person to whom personal information relates”  ↩
  3. ‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information  ↩
  4. Section 57(1)(ii)  ↩
  5. Section 69  ↩

Extracts from a discussion about privacy and the Protection of Personal Information Bill

This is a partial recording from Marketing Mix’s Permission Based Marketing Conference in Cape Town on 2012-06-01 where I was a panelist speaking about privacy and the Protection of Personal Information Bill. I recorded part of my contribution to the discussion, and this recording covers the nature of privacy from the perspective of the Bill and the definition of consent in the 7th draft of the Bill, which has the potential to radically change the Bill’s impact on privacy practices and the direct marketing industry in SA.