Reasonably practicable compliance with POPI is not enough

When considering how much you should do to comply with legislation like the Protection of Personal Information Act, you have three choices:

  1. Do as little as possible and see what you can get away with;
  2. Calculate the degree of “reasonably practicable” compliance required and stick with that;
  3. Adopt a more holistic approach to compliance.

Of the three options, the first is clearly a recipe for disaster. The only questions are when disaster will strike and how devastating will it be?

The second option is a popular one. To begin with, it is a practical solution because it takes into account what the law requires of you in order to meet the law’s standard so you limit your potentially significant investment in a compliance program without a corresponding quantitative benefit. Makes sense, right? In a way, yes, but what it doesn’t take into account is that your primary compliance risk is increasingly not regulators (at least not in South Africa where regulators often lack the capacity to respond very quickly), but rather the people who are directly affected by your decisions.

In other words, complying with laws like the Consumer Protection Act and Protection of Personal Information Act is not a quantitative exercise where you empirically (or as close to empirically as a legal compliance assessment can be) calculate your desired degree of compliance and work to that standard. Instead compliance is qualitative.

John Giles published a terrific post on the Michalsons blog titled “Only do what is reasonably practicable to comply with POPI” in which he explains POPI’s baseline compliance standard which is based on reasonableness and how this translates into what is likely an effective quantitative approach to compliance. It is worth saving the article because it is a handy reference for when you need to understand what the law means by “reasonably practicable”.

I don’t believe that this is enough, though. If anything, the question of what is reasonably practicable should only be part of your assessment of what you should do. The next, and arguably more important, question should be “What should we do to ensure not only compliance with the law but also to earn our customers’ trust?”. No, I’m not suggesting you drink the “rainbows and unicorns” energy drink and incur real money complying with some nebulous standard because your customers will like you more. Well, not entirely. What I am suggesting is that there is another dimension to compliance with legislation that affects people in very personal ways.

When you look at recent privacy controversies involving services like Facebook, Google and SnapChat, one theme that emerges from each of these controversies is not that these companies handled users’ personal information in ways they necessarily concealed from users. Their privacy policies describe what they do with users’ personal information in varying degrees. What really upsets users is that they weren’t expecting these companies to do the things they did because users tend to develop a set of expectations of what to expect from their providers which is typically not informed by privacy policies (because few people read them). These expectations are informed by what these companies tell them in marketing campaigns, what other users and the media tell them, what their friends share with them and their experiences with the services themselves.

When a provider steps outside its users’ collective expectations, mobs form and there is chaos in the metaphorical streets. The fact that these companies stuck to their published privacy policies and terms and conditions is largely irrelevant because users are not wholly rational and analytical. They don’t go back to the legal documents, read them quietly and go back to their daily lives when they realise that they mis-read or misunderstood the legal terms and conditions. No, they are outraged because the companies violated the trust users placed in these companies based on users’ expectations.

You may not have the same number of customers as Facebook, Google or SnapChat and your business may be different but if you are considering Protection of Personal Information Act or Consumer Protection Act compliance, you are dealing with the same people: consumers who have expectations and perceptions which you influence but certainly don’t control. If you violate the trust they place in you, the response will be swift and the consequences from a reputational perspective could be severe.

Fountain Square in Downtown Cincinnati Is a Public Square That Works for the City and Its People in a Myriad of Ways: Tyler Davidson Fountain 05/1973

When you develop your compliance program, assess what is reasonably practicable and set that as your commercial baseline. Then, consider how transparent you can be with your customers about what you intend doing with their personal information?

I remember reading a discussion about partners cheating on each other and at one point in the article the writer said that cheating isn’t just about the act but also the thoughts that precede it. If you have thoughts about another person which you don’t want to share with your partner, that is probably a good indication you are contemplating something you shouldn’t be doing. Apply that to your compliance program and ask yourself if you are comfortable disclosing what you intend doing with your customers’ personal information to them? If you are, be transparent about it in your privacy statement/policy and in your communications with your customers.

If you don’t feel comfortable being transparent about how you intend using your customers’ personal information and, instead, intend hiding behind technical legal compliance with the law to justify your data use, you may be setting yourself up for a bitter divorce and a costly battle with your customers. By the time the regulators arrive to assess your compliance, the damage will already have been done and the reasonably practicable thing to do will be to pick up the pieces of your reputation (and possibly your business) and start earning your customers’ trust again.

Don’t place too much emphasis on the Protection of Personal Information Act

With the Protection of Personal Information Act signed and likely to be implemented to some degree sometime this year, it is fashionable to focus on POPI when thinking about data protection and privacy. While POPI is a very important Act, a complete data protection review has to take into account much more. I prepared a diagram to give you a quick overview of what you should be considering when you assess your compliance readiness.

2014-01-14 Privacy is more than just POPI

POPI compliance is a steep, uphill climb for direct marketers

The Protection of Personal Information Act is going to have a radical impact on the direct marketing industry and a number of direct marketing businesses are going to shut down because they won’t be able to adapt and remain viable, especially if they don’t take action right away. If you don’t have a direct marketing business that is already based on a truly consensual business model (bearing in mind the consent model in the Protection of Personal Information Bill), you simply can’t afford to waste any more time.

Nokia Lumia launch-59

Direct marketers who are working towards bringing their businesses into line with the Protection of Personal Information Bill, which is expected to be finalised and put to a vote by 6 March 2013, may have a lot of work ahead of them. What is worrying is that many direct marketers don’t really appreciate just how much work they have to do. Ignorance isn’t bliss, it is a recipe for disaster.

We’ve been working with clients on bringing their direct marketing businesses into line with the Protection of Personal Information Act. The first step is understanding what the business’ current degree of compliance is and, more often than not, there are usually compliance gaps big enough to float a cruise liner through. The first thing that direct marketers need to understand is that the starting point is not the direct marketer’s current systems and processes but rather its database’s origins and the consents which were given to compile the database the direct marketing business is based on.

As a general rule[1], personal information must be collected directly from the data subject[2] (where I refer to a consumer in this post, I am referring to a consumer as a data subject) who must also consent to how the personal information will be “processed”[3]. We’ve seen letters from data suppliers simply stating that consumers have “consented” or “opted in” to their personal information being collected, added to the databases they have supplied and for the purposes those databases are to be used. That just isn’t enough of an indication of what the consumers have given their consents for.

Consent is not just some generic approval for some personal information to be collected and used for marketing purposes. The consent has to be very specific. It has to be –

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

If you break that down, consent, under the Protection of Personal Information Bill –

  • can’t be taken from the data subject involuntarily (this sounds obvious but how many campaigns purport to take a consent without the data subject being aware that he or she is giving consent for anything?);
  • has to be specific and must relate to specific uses and conditions instead of a general purpose consent for vague uses under the umbrella term “marketing purposes”;
  • has to be informed (this ties in with the specificity requirement) so the data subject is well aware of what personal information is being collected; what that personal information is going to be used for; how the personal information will be handled and under which circumstances the personal information will be disclosed to whom?

A consumer must also give consent explicitly. This is borne out by the phrase “expression of will” which implies some sort of express act and not an implicit understanding that consent is required for some or other purpose.

Once you have that understanding of consent as a fundamental requirement for personal information to be processed and that obtaining that consent from the data subject directly is required for any subsequent personal information processing. In essence, that consent applies to subsequent use of the data subject’s personal information and if those subsequent uses are not adequately covered by the original consent, those subsequent uses will probably infringe the data subject’s privacy rights and fall foul of the Protection of Personal Information Act.

As a direct marketer, your entire business rests on the quality and scope of the consents that relate to each and every record in your database. Those consents must cover aspects such as –

  • what personal information is being processed (can you use the data subject’s name, phone number and email or did the data subject only consent to you using a phone number, for example?);
  • which personal information can be processed for which campaign or use (did the data subject consent to receive marketing information about cars and you are marketing furniture?);
  • have you received consent to process the data subjects’ personal information or was consent only given to your source (if consent was not given to you, specifically, you may still be permitted to process the personal information depending on your relationship with the party that received the consent).

Another problematic practice is enriching databases using 3rd party data sources. Firstly, this can only be done under the Protection of Personal Information Act with the Regulator’s consent[4] and you also have to take into account that the requisite consents must have been given to the parties you obtain the additional personal information from to add it to your databases and then process that additonal personal information in the manner in which you intend to process it.

Of course there are also specific provisions in the Protection of Personal Information Bill that deal with direct marketing[5] which impose additional requirements on direct marketers when it comes to the forms of consents required in different contexts. The Electronic Communications and Transactions Act is also about to be amended to support the opt-in requirements for so-called “electronic communications” and I expect the Consumer Protection Act will be amended to close the opt-out loophole too.

This only really just scratches the surface of the analysis that has to take place just to determine how much work a direct marketing business has ahead of it to bring it into line with the Protection of Personal Information Act when it goes into effect (if everything stays on track, this could be around March 2014). The process of identifying the gaps can take months, the process of changing a business model to adapt to the necessary changes could take longer. We and other lawyers in this space have been talking about the need to perform the necessary analysis and introduce the necessary changes for some time now. It is a long and complex process.

The Protection of Personal Information Act is going to have a radical impact on the direct marketing industry and a number of direct marketing businesses are going to shut down because they won’t be able to adapt and remain viable, especially if they don’t take action right away. If you don’t have a direct marketing business that is already based on a truly consensual business model (bearing in mind the consent model in the Protection of Personal Information Bill), you simply can’t afford to waste any more time.

As we mentioned at the beginning of our post, we are working with clients to help them adapt to the coming changes. We have developed a detailed and comprehensive compliance gap analysis and review model which we use to gain a detailed understanding of our clients’ businesses and give specific advice on how to close the gaps.

Contact us

if you would like us to assist you.

  1. Section 12 of the Protection of Personal Information Bill  ↩
  2. Defined as “the person to whom personal information relates”  ↩
  3. ‘‘processing’’ means any operation or activity or any set of operations, whether or
    not by automatic means, concerning personal information, including—
  4. (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  5. (b) dissemination by means of transmission, distribution or making available in any other form; or
  6. (c) merging, linking, as well as restriction, degradation, erasure or destruction of information  ↩
  7. Section 57(1)(ii)  ↩
  8. Section 69  ↩

Website terms and conditions are surprisingly complex

Website terms and conditions are pretty tough to do properly. They are on just about every website you come across on the Web and are so prevalent that it is easy to take them for granted and also assume that they are all pretty much the same. Often how a website terms and conditions (I’ll refer to them as “website terms” for the rest of this post) is drafted is a matter of personal style but a lot of thought and planning goes into a well drafted website terms.


Lawyers have different approaches to website terms. Some will look for seemingly complete website terms on the Web or in precedent libraries, change the names and details and push it out to their clients. Other lawyers will spend more time on a website terms and prepare a set of website terms that are at least prepared with the client’s business in mind. Yet another group of lawyers will take a more involved approach which may include:

  • taking more detailed instructions from the client about the client’s business and what the website is intended to do;
  • carefully consider the risks that could arise;
  • carefully consider the various pieces of legislation and third party terms and conditions the website terms will have to comply with or take into account; and
  • prepare website terms which establish a sound legal framework for the website and its proposed activities.

Leaving aside website terms’ content, the way website terms are presented is also fairly important. Paper-based legal documents are frequently formatted using multi-level paragraph numbering because those paragraph numbers are the most convenient referencing system on paper. Clauses often refer to each other and lawyers need a convenient way to refer to parts of the document. Its just easier to refer to “clause 3.4.2” than it is to refer to “the clause that sets out the exception to the duration clause”.

When it comes to website terms and conditions, the multi-level numbering convention still works (although it is probably a pain for developers to convert these documents into a website friendly format) but the result is often a fairly intimidating block of text. Three good examples of this sort of website terms are the Zappon, Times Live and Facebook website terms:

Zappon terms

Times Live:
Times Live terms

Facebook terms

Another approach to website terms is to dispense with multi-level paragraph numbering. An example of this approach is the Foursquare website terms:
Foursquare terms

Both of these approaches have merit. A couple formatting issues affect readability (usability experts can probably cite a dozen more): the effect of multi-level numbering on the document’s apparent density, line spacing and the font used. In the Zappon website terms the multi-level numbering and line spacing make the text look pretty dense and not terribly enticing. On the other hand, the Times Live website terms (very possibly prepared by the same legal team) also uses multi-level numbering and is better spaced. The Times Live website terms are far easier to read than the Zappon website terms. The Facebook terms sit in between the Times Live and Zappon website terms.

On the other hand, the Foursquare terms dispense with multi-level numbering in favour of a simpler document structure (I tend to prefer this approach myself). The challenge with this approach is the loss of an easy paragraph referencing system with multi-level numbering presents. The solution is to use hyperlinks instead, the Web’s referencing system. Although the basic layout makes the Foursquare website terms easier to read, the font detracts from that. The Zappon terms have a similar issue. This may be a personal preference but I find non-serif fonts to be much more readable that serif fonts when it comes to website terms. The Facebook and Times Live website terms use non-serif fonts. I have spent a little time reading about fonts in legal documents and while I just barely scratched the surface, it is a pretty interesting topic.

So why all the talk about readability? Website terms are contracts between website visitors and the website proprietor. Just as the Consumer Protection Act requires that contracts be drafted in plain language to make them more accessible and intelligible, formatting website terms to make them more readable achieves a similar objective. Website terms, when they deal with all the legal issues they need to deal with, are lengthy documents but they are important documents. If a visitor is immediately put off by the website terms’ formatting, the visitor will be that much less inclined to read the document which will contain terms he or should really should read. The end result is that the website terms will not do what they are supposed to do.

This discussion may seem pretty abstract but it becomes pretty important in the context of consumer protection imperatives like the plain language requirement. It is also important from a contractual perspective. A contract should be clear and readable if it is to adequately support the agreement between the parties to it. Everyone should understand their rights and obligations and a dense body of text with numbered paragraphs renders the document virtually inaccessible.

Image credit: Manuscript by Muffet, licensed CC BY 2.0

Legal compliance through Online Reputation Management

Online Reputation Management (commonly referred to as “ORM”) solutions are popular with companies that have social media initiatives. These solutions enable companies to monitor the social media landscape for keyword and brand mentions that they often select based on their areas of interest. Two local solutions are BrandsEye and saidWot (Disclosure: saidWot’s sister company, Virtuosa, has been a client).

I came across an American solution that has an interesting approach. Hearsay Social appears to combine ORM with US financial services industry compliance solutions to provide a more holistic approach to the social Web. I have no experience with the product but their introductory video explains their approach nicely:

ORM solutions tend to do a good job monitoring the social Web for specified mentions. The emphasis has tended to be the marketing benefits this sort of monitoring brings to the table but there is another, perhaps more important, function these services could (and, to an extent, perhaps already do) perform: legal compliance. Legal compliance requirements vary from industry to industry and are fairly well addressed in conventional contexts. Financial institutions, for example, carefully monitor what their employees say in mainstream press and restrict communications about their financials over certain times of their financial year.

While some of these businesses are taking a greater interest in relevant mentions on the social Web, its not clear how many businesses regard ORM as a compliance tool in addition to a marketing tool. Well, the nature of ORM services does speak to a compliance aspect in that they often conduct some form of reputation scoring but, as I understand these solutions, the purpose of that scoring is more for marketing purposes to facilitate improved engagement and help shape marketing strategy than it is to ensure better compliance with the myriad legislative and regulatory compliance requirements.

The challenge with the social Web is that communications on the social Web exist outside corporate networks and are subject to third party control, variable user privacy settings and are distributed across a range of services (although probably concentrated on a few large ones like Facebook, Twitter, LinkedIn and, to a degree, Quora). Many businesses have implemented systems that help them monitor employee communications using email, instant messaging and perhaps even internal social media implementations but few seem to be tackling the social Web and what employees and customers say on the social Web from a legal compliance perspective.

A compliance-oriented approach to ORM could extend social media policies meaningfully and help companies track and store detailed reports setting out the extent and scope of resulting interactions. Such a solution will need to cater not just for specific legislative and regulatory requirements but also for businesses’ own compliance programs (for example, programs to ensure Consumer Protection Act compliance through best practices). Records compiled by these solutions would also need to be detailed enough to fulfill an evidentiary role should interactions prove to be contentious down the line and be stored in an appropriate form and mechanism to meet evidentiary requirements.

ORM is fascinating work and just as social marketing should integrate a legal component, so should ORM. In fact, ORM solutions are potentially ideal compliance solutions too, with appropriate features

Compliance can be tricky, especially when it comes to social media. Get in touch with us to discuss your business’ requirements in more detail and how we can help your business be more legally compliant.