Consent for Direct Marketing Under POPI

The Protection of Personal Information Act has particular interest for direct marketers because of the likely substantial impact the legislation will have on consumer-facing initiatives when it goes into effect. POPI has a section that deals specifically with and introduces a consent model designed for direct marketing. It is an interesting model and I’ll explain why in a moment. In the meantime, it is worth reading the following posts if you haven’t already:

Protection of Personal Information Act’s section 69 is titled “Direct marketing by means of unsolicited electronic communications”. It begins with the following general prohibition on –

The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail …

unless the data subject [1] either consents[2] or, importantly, is the “responsible party’s[3]” customer.

If, on the other hand, the consumer (or data subject) is not the provider’s (responsible party) customer and if the consumer has not “previously withheld” consent, the provider has a once-off opportunity to send the consumer a request for the consumer’s consent to allow his or her personal information to be used for direct marketing purposes. In practice this is usually a message simply informing the consumer about the products or services the provider would like to market to the consumer and requesting consent. This once-off message should not be a marketing message because that would violate the general prohibition. It should be an information message and its specific format may be prescribed in regulations supporting the Protection of Personal Information Act in due course.

If the consumer consents then the provider will be entitled to use the consumer’s personal information for direct marketing purposes within the consent’s parameters. This may sound obvious but this can be a little tricky. The best way to obtain the quality consent the Protection of Personal Information Act contemplates (take another look at the consent definition[2]) is through a sufficiently detailed privacy policy document. This is a privacy policy’s role. It is the foundation of a compliant direct marketing campaign so do it properly!

If the consumer doesn’t give express consent through a privacy policy but is a provider’s customer[4] already, the consumer’s consent is essentially implied by virtue of the consumer being a customer who is already interested in learning more about the provider’s products or services. In this scenario, the provider can use the consumer’s personal information for marketing purposes where –

  1. the provider obtained the consumer’s personal information in the context of a sale of a product or service;
  2. “for the purpose of direct marketing of the [provider’s] own similar products or services”; and
  3. the consumer has been given “a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details” both at the time the consumer’s personal information was first collected and each time the provider communicates with the consumer for marketing purposes (and assuming the consumer didn’t refuse to consent the first time he or she was asked).

Then, lastly, the each communication for the purpose of direct marketing must contain both the provider’s identity as well as contact details which the consumer can use to opt-out of further marketing communications.

This basic model isn’t totally new. It has existed for some time in other regulatory frameworks like the WASPA Code of Conduct (mobile service providers will be familiar with this mechanism). It does represent a broader shift in South African law because the Protection of Personal Information Act will establish minimum requirements for practically all direct marketing communications, particularly from a consent perspective.

If you are engaged in direct marketing, this is a pretty important aspect of the Protection of Personal Information Act for you. This isn’t the only legislation dealing with direct marketing, though, just arguably the most important from a privacy perspective. The Consumer Protection Act, for example, deals with other issues relating specifically to direct marketing such as cooling off periods for sales made through direct marketing (there is some overlap with the Electronic Communications and Transactions Act which also deals with cooling off periods and which Act applies will depend on what was sold and how?).

In the meantime, it is worth taking some time to explore how your direct marketing activities may need to change to accommodate the Protection of Personal Information Act’s compliance requirements. You may not need to make substantial changes, only make sure you have an adequate privacy policy framework and the back-end systems to properly process opt-ins and opt-outs. Whatever your particular requirements may be, time is running out. The Protection of Personal Information Act has been passed by Parliament and is likely before the President waiting for his signature and then it will be implemented.


  1. ‘‘data subject’’ means the person to whom personal information relates.  ↩
  2. consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.  ↩
  3. ‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.  ↩
  4. Express consent would be required where a consumer is approached for the first time by a provider’s representative and asked to consent to direct marketing. An example could be a consumer who completes a feedback form at a bookstore which includes a section requesting permission to send the consumer marketing information about book sales and specials. On the other hand, a consumer who has already bought books from the bookstore is, obviously, already a customer and the rules change somewhat.  ↩

Comments are closed.

Powered by WordPress.com.

Up ↑

%d bloggers like this: