The Protection of Personal Information Act 4 of 2013 (“POPIA”) aims to protect your constitutional right to privacy by ensuring that your personal information is processed in a manner that ensures its confidentiality and that your privacy is respected. Although the Act has not yet come fully into operation, it is just a matter of time before it fully applies.
Under POPIA consent plays an important role. On the one hand, consent is required to ensure that your personal information is protected and that individuals and/or entities (“responsible parties”) do not process your personal information without your consent. It also aims to ensure that a responsible party cannot market their products or services directly to you if you have not consented to such marketing.
Section 69 of POPIA deals with consent for direct marketing purposes by way of unsolicited electronic communications such as automatic calling machines, facsimile machines, SMSs or electronic mails. It determines that if you are not the responsible party’s customer and you have not previously withheld consent, the responsible party has a once-off opportunity to send you a request for your express consent to allow the responsible party to use your personal information for direct marketing purposes. In practice, this is usually a message informing you about the products and/or services the responsible party would like to market to you and which requests you to consent thereto. This once-off message should not be of a marketing nature as such a message would violate the general prohibition, and should merely be of an informative nature.
Once you consent/opt-in, the responsible party will be entitled to use your personal information for direct marketing purposes within the consent’s parameters. You should however be able to opt-out from continuing to receive such direct marketing at any time. For a responsible party to obtain the informed consent required by POPIA, the responsible party must obtain such consent through a sufficiently detailed privacy policy.
Section 69(2)(b) requires that a responsible party obtain your consent in the manner and form prescribed by the POPIA Regulations. An example of such a consent document can be found in the Regulations. Such a consent document should, among other things, draw your attention to the provisions of section 69 of POPIA, indicate what the terms ‘processing’ and ‘personal information’ mean in terms of POPIA, stipulate that your consent is obtained in relation to the goods and/or services specified in the document, as well as stipulate that your consent is obtained in respect of each means of electronic communication the responsible party intends to use for direct marketing.
In the event that you do not give express consent through a policy or consent document, but you are a customer of the responsible party, your consent could be implied by virtue of you being a customer and therefore interested in learning more about the responsible party’s products and/or services. However, the responsible party may only use your personal information for marketing purposes (1) where the responsible party obtained your personal information in the context of a sale of a product and/or rendering of a service, (2) for the purpose of direct marketing of the responsible party’s own similar products and/or services and (3) where you have been given a reasonable opportunity to object (free of charge and without unnecessary formalities) to receiving such marketing.
Accordingly, in your situation it could be argued that the store would be allowed to use direct marketing if you are a customer but that they must afford you the opportunity to reject any type of direct marketing, typically through an “opt-out” opportunity if you no longer wish to receive direct marketing messages from them.
