POPIA and the role of consent for direct marketing

“I have purchased some electronic products from a local store. They asked me for my contact details supposedly for warranty purposes on the product. Now they keep sending me SMS’s and emails to market their products. Surely they must first ask to me before they can do this?”

The Protection of Personal Information Act 4 of 2013 (“POPIA”) aims to protect your constitutional right to privacy by ensuring that your personal information is processed in a manner that ensures its confidentiality and that your privacy is respected. Although the Act has not yet come fully into operation, it is just a matter of time before it fully applies. 

Under POPIA consent plays an important role. On the one hand, consent is required to ensure that your personal information is protected and that individuals and/or entities (“responsible parties”) do not process your personal information without your consent. It also aims to ensure that a responsible party cannot market their products or services directly to you if you have not consented to such marketing.

Section 69 of POPIA deals with consent for direct marketing purposes by way of unsolicited electronic communications such as automatic calling machines, facsimile machines, SMSs or electronic mails. It determines that if you are not the responsible party’s customer and you have not previously withheld consent, the responsible party has a once-off opportunity to send you a request for your express consent to allow the responsible party to use your personal information for direct marketing purposes. In practice, this is usually a message informing you about the products and/or services the responsible party would like to market to you and which requests you to consent thereto. This once-off message should not be of a marketing nature as such a message would violate the general prohibition, and should merely be of an informative nature. 

Once you consent/opt-in, the responsible party will be entitled to use your personal information for direct marketing purposes within the consent’s parameters. You should however be able to opt-out from continuing to receive such direct marketing at any time. For a responsible party to obtain the informed consent required by POPIA, the responsible party must obtain such consent through a sufficiently detailed privacy policy.

Section 69(2)(b) requires that a responsible party obtain your consent in the manner and form prescribed by the POPIA Regulations. An example of such a consent document can be found in the Regulations. Such a consent document should, among other things, draw your attention to the provisions of section 69 of POPIA, indicate what the terms ‘processing’ and ‘personal information’ mean in terms of POPIA, stipulate that your consent is obtained in relation to the goods and/or services specified in the document, as well as stipulate that your consent is obtained in respect of each means of electronic communication the responsible party intends to use for direct marketing.

In the event that you do not give express consent through a policy or consent document, but you are a customer of the responsible party, your consent could be implied by virtue of you being a customer and therefore interested in learning more about the responsible party’s products and/or services. However, the responsible party may only use your personal information for marketing purposes (1) where the responsible party obtained your personal information in the context of a sale of a product and/or rendering of a service, (2) for the purpose of direct marketing of the responsible party’s own similar products and/or services and (3) where you have been given a reasonable opportunity to object (free of charge and without unnecessary formalities) to receiving such marketing.

Accordingly, in your situation it could be argued that the store would be allowed to use direct marketing if you are a customer but that they must afford you the opportunity to reject any type of direct marketing, typically through an “opt-out” opportunity if you no longer wish to receive direct marketing messages from them.

November 9, 2018
International: Privacy by Design – prioritizing security in business

International: Privacy by Design – prioritizing security in business

In today’s current digital space, safeguarding privacy and ensuring that your business is compliant with the various cyber laws and data privacy regulations is crucial to ensure that business operations are well protected. In this article, PR de Wet and Mishka Cassim, from VDT Attorneys Inc., seek to address some of the most important issues companies face and need to consider on a global scale when addressing privacy concerns.

South Africa: POPIA and prior authorisation to process personal information

South Africa: POPIA and prior authorisation to process personal information

The Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’) requires a responsible party to apply for and obtain authorisation prior to processing certain identified categories of personal information. With POPIA compliance deadlines fast approaching PR de Wet and Hayley Levey, from VDT Attorneys Inc, analyse the POPIA prior authorisation regime.

Sign up to our newsletter

Pin It on Pinterest