POPIA Frequently Asked Questions

While some personal information is excluded from POPIA’s remit - for example - any information which “has been de-identified to the extent that it cannot be re-identified”, any natural or juristic person who processes personal information must take certain steps to comply with this law.

Small, Medium and Micro Enterprises (SMMEs) are NOT currently exempt from POPIA compliance, but the newly-constituted Information Regulator may make changes here.

For all intents and purposes, if you’re a DMASA member, you’d be well-advised to comply with POPIA sooner rather than later.

Yes. Full implementation of POPIA was delayed due to the Coronavirus, the Information Regulator not being fully constituted and other factors, however, the implementation of the remaining sections of the Act in July 2020 means the full spectrum of compliance and enforcement provisions are operational.

The Information Regulator was created by the promulgation of POPIA and it is this Act that gives the Regulator sharp teeth. The Regulator reports directly to Parliament and its chair is Adv Pansy Tlakula.

Data subjects can complain to the Regulator about data breaches and other alleged contraventions of the Act. This means responsible parties could ultimately be fined or even jailed.

The road to compliance is fairly clear-cut:

• Appoint an Information Officer.
• Draft a Privacy Policy.
• Raise awareness amongst employees.
• Amend contracts with operators.
• Report data breaches to the regulator and affected data subjects.
• Only share personal information in terms of the law.

Of course, you’ll need to investigate the above in more detail.

First and foremost, your business needs to commit to a POPIA compliance journey. You can start by inculcating compliance in the day-to-day management of your business, so that it becomes as second nature as any sales process.

Specifically; you’ll need to train your staff in POPIA compliance, find out how personal information flows through your business and secure your data by - at the very least - encrypting all the desktop and laptop computers in your business.

Then, consider speaking to an expert and also see the DMASA link immediately below.

The DMASA’s flagship POPIA compliance resource and intervention, the Data Protection Compliance Programme (DPCP), offers members tools to stay on the right side of the Act.

These include online risk assessments and training opportunities to boost knowledge transfer within the direct and integrated marketing (IDM) sector.

Please visit: https://dmasacomplianceportal.org/DMASA

Structuring your data will result in a leaner, more organised business. In addition, reassuring prospective customers that you take the protection of their personal information seriously could well turn out to be your source of competitive advantage.

As the DMASA has said before, data breaches are the industrial incidents of the Information Age and we need to find ways of eradicating them completely. POPIA goes a long way towards preventing bad actors from obtaining personal data for all the wrong reasons.

There are significant legal consequences for not complying with POPIA. Specifically, a fine of up to R10 million can be levied. Alternatively, a responsible party can be sentenced to up to 10 years in jail. In addition, the Courts can order compensation paid to data subjects for any damage suffered.

New

In short, no telemarketing does not fall within section 69 of POPIA because it is not ‘electronic communication’ as defined in section 1 of POPIA.

One of the most important definitions in POPA is ‘electronic communication’. If direct marketing is done ‘by means of electronic communication’, the consent requirements in section 69 will apply. In POPIA, it is defined as any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient’. Section 69(1) provides that electronic communication includes automatic calling machines, facsimile machines, SMSs or email.

The South African definition has three elements:

• any text, voice, sound or image message,
• sent over an electronic communications network,  
• which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient. 

For section 69 to apply, all three elements of the definition of electronic communications network must apply. For example, it is not enough that a message is sent over an electronic communications network; the message must also be stored in the network until it is collected by the data subject.

This is how the definition of ‘electronic communication’ applies to different marketing channels:

To summarise, telemarketing, snail mail, some forms of social media marketing and behavioural advertising (e.g., facilitated by tracking cookies) are not considered ‘electronic’ and is not subject to section 69 of POPIA. This means that these forms of marketing must be justified in terms of section 11. Responsible parties could argue that marketing their products and services are in the ‘legitimate interest of the responsible party’.  If a responsible party wants to rely on this legal basis, it must perform a legitimate interest assessment to ensure that the limitation of the right to privacy is justified. When a responsible party relies on its legitimate interest to market, the data subject will have a right to object (i.e., unsubscribe). In addition, when the data subject is also a ‘consumer’, the right to unsubscribe to direct marketing in terms of the CPA will apply.

Yes, you can still do SMS marketing for financial products, but section 69 of POPIA will apply.

The General Code of Conduct for Authorised Financial Services Providers and Representatives (Code) sets out the rules for direct marketing and advertising for financial service providers and their representatives. The Code was amended recently. These amendments to the Code amended the definitions of advertising and direct marketing and creates an opt-out system for ‘unwanted direct advertising’.

The Code defines ‘direct marketing’ as ‘the rendering of financial services by way of telephone, Internet, digital application platform, media Insert, direct or electronic mail but excludes the publication of an advertisement’.  This means that the definition of ‘advertisement’ is very important. The Code defines an ‘advertisement’ in relation to a provider as ‘any written, printed, electronic or oral communication … which is directed to … any client on request, by any such person, which is intended merely to call attention to the marketing or promotion of financial services offered by such person, and which does not purport to provide detailed information regarding any such financial services …’.

Never mind, TL;DR.  The definition is meant to distinguish direct marketing from advertisements aimed at the public but which do not provide detailed information to a specific client regarding a specific financial service.

Food for thought: Is this definition of direct marketing consistent with POPIA’s definition of direct marketing? According to the Code, you have to be rendering a financial service (e.g. furnishing advice). The definition in POPIA is a great deal wider. It includes communications with the indirect purpose of promoting a financial product.

Hold this thought.  The Code creates an opt-out system from ‘unwanted direct advertising’. It provides the following:

• Where a provider or any person acting on its behalf uses a telephone or mobile phone call, voice or text message or other electronic communication for an advertisement, it must allow the client during that call or within a reasonable time after receiving the message, the opportunity to demand that the provider or other person does not publish any further advertisements to the client through any of these mediums.
• A provider or any person acting on its behalf may not charge a client a fee or allow a service supplier to charge a client a fee for unsubscribing. 

What you need to know: Remember that in any given scenario, the legislation that is ‘more extensive’ will prevail.

This means that POPIA will apply in respect of electronic direct marketing. The Code’s provisions will apply to telemarketing, but only to the extent that the financial service provider is ‘furnishing advice’. If the marketing in question does not meet the more restricted definition of the Code, section 11(3)(b) will give the data subject the right to object to direct marketing (POPIA’s version) via telephone in any event.

This means that yes, you can still do SMS marketing for financial products, but section 69 of POPIA will apply. Therefore, you will need to comply with section 69 requirements to send direct marketing via SMS for financial products. Please see question 1.4 for the discussion of how to comply with section 69 of POPIA.

This then brings us to consent, or ‘the c-word’ as we call it. One of the most enduring myths about POPIA is that you can do whatever you like with personal information as long as you have consent. The number of blanket consents we see hidden in terms and conditions is nothing short of staggering. Most of these consents will be invalid. That is because POPIA defines consent as a ‘voluntary, specific and informed expression of will’. These are the elements of consent and what they mean in practice:

• Voluntary: It must be a genuine choice. The data subject has to be able to say no, but still continue with the activity (e.g., to purchase a product or service or apply for employment).  The consent should also not be bundled with terms and conditions – the data subject has to have the freedom to withhold consent, but still accept the terms and conditions.  In other words, no ‘fit in or f-off’ consents.
  Data subjects must be free to withdraw consent without undue effort and without any detrimental effects such as an increase in cost, a cessation of services or a decrease in service levels.
• Specific: The consent must always relate to a specific, well-articulated purpose. A blanket consent covering all purposes for which personal information is processed will be too vague to be valid. Instead, consents must be granular.
• Informed: The consent must be worded in such a way that the data subject is put in a position to make an informed decision. This means that they must have an understanding of the facts of the situation and the implications of granting or withholding consent. The European Data Protection Board is of the view that the following information must be provided for a consent to be valid
   
  • the identity of all of the responsible parties who will be relying on the consent
  • the purpose of each processing operation for which consent is asked
  • the type of personal information that will be collected and used
  • that the data subject can withdraw consent; and
  • whether the information will be used for automated decision-making.
     

  POPIA does not provide that responsible parties must use plain language. However, we would argue that a consent that is not in plain language will not meet the requirement that consent must be informed. In addition, the relationship between the responsible party and the data subject may be governed by the Consumer Protection Act 68 of 2008, which provides that ‘[t]he producer of a notice, document or visual representation that is required, in terms of [the Consumer Protection Act] or any other law [like POPIA]’ must provide the notice in plain language.

• Expression of will: The consent must be explicit, which means that it has to be given by means of a clear, unambiguous, affirmative act. It cannot be given by default and silence or inactivity cannot be taken as consent. To avoid ambiguity, the action of giving consent must also be distinct from other actions such as agreeing to terms and conditions.

Section 69(1) distinguishes between unsolicited direct marketing and direct marketing that is sent to a data subject that is a customer of the responsible party. Section 69(1)(a) provides that responsible parties can only send unsolicited direct marketing to data subjects if they have consented.

While the consent still has to be a voluntary, specific and informed expression of will, section 69(1) has its own additional requirements.

Enter Form 4. In the POPIA Regulations, the Information Regulator has issued a form (‘Form 4’) which must be followed when consent is obtained from the data subject in these circumstances.  
Food for thought: Do responsible parties have to use the form verbatim? No. The rationale for this answer is hidden. The definition of ‘form’ in the POPIA Regulations provides that the forms that are attached to the POPIA Regulations must be used ‘or any form which is substantially similar to that form’.  To be considered substantially similar to Form 4, it does not have to use the exact wording or layout of Form 4, but your direct marketing consent form must comply with the essential elements of Form 4. 

We have broken down Form 4 into its essential elements below, which responsible parties must fulfil to have a valid consent under POPIA to send direct marketing by means of unsolicited electronic communications to data subjects:

• Full name of the data subject who gives consent. Form 4 requires the ‘name of data subject’ in Part A and the ‘full name of data subject’ in Part B. We know that many responsible parties in the past have only collected the email address or the cell phone number of the data subject. Additionally, we think this is breaching POPIA’s own principle of minimality regarding personal information.  In our opinion, as long as the consent recorded is linked to the data subject via an email address, cell phone number or account name that distinctly identifies the data subject, this will comply with Form 4’s requirements.
• The signature of the data subject. It can be signed in person or electronically.  Even though the form looks like it has to be completed as a hard copy, the definition of ‘submit’ in the POPIA Regulations includes electronic submissions. The signature does not have to be an advanced electronic signature.
• The date and location where consent is given. As long as this data is captured by the responsibility in the back end, this is sufficient.
• The identity and contact information of the responsible party (the relevant organisation’s details). This is important. To meet the POPIA requirement that consent must be a ‘voluntary, specific and informed expression of will’,  the data subject needs to know the exact identity of the responsible party.
• The identity, contact information and signature of the person designated to act on behalf of the responsible party (usually the information officer or the deputy information officer). This is a controversial requirement, but some privacy lawyers argue that this is a ‘standard form’, so as long as the responsible party has a record of an authorised person signing this consent form off, it will be sufficient. We suggest that the responsible party should keep a record of who approved the consent form used.  We will keep you updated if there with further developments providing more clarity on this part of the form.
• The responsible party must specify what goods or services they will be marketing to the data subject. Consent must always be ‘specific’ and ‘informed’.  When creating Form 4, the Information Regulator indicated that in this context, this means that the responsible party must describe the goods or services in sufficient enough detail, so the specific purpose of the consent is clear.  But, how long is a piece of string? Must the responsible party list every product or service? Clearly, this would not be practical. Instead, it should be clear to the data subject what category of goods or services will be marketed to them.  In addition, if it is clear from the context what type of goods or services will be marketed, we do not think that the consent needs to expressly reference the type of goods. The rule of thumb is that the data subject must not be surprised to receive direct marketing about a particular good or service. For example, if a data subject consented to receive direct marketing about ‘groceries’, they may be surprised to receive direct marketing about life insurance from the responsible party. 
• The responsible party must specify the electronic communication channels they will use. For the consent to fulfil these requirements of being ‘specific’ and informed’, the channel(s) which the responsible party will use must be specified.

In addition, instructions on how to unsubscribe must be provided to the data subject.

Food for thought: If the responsible party wants to use this direct marketing consent for cross-selling with other entities within their group or other third parties, the responsible party must get additional consents from the data subject for each of these other entities or third parties. The consent must specifically list all the parties who can send direct marketing to the data subject.  Organisations cannot rely on vague third-party consents such as ‘you consent to your personal information being shared with carefully selected third parties for direct marketing purposes’.

If the data subject is a customer of the responsible party, the responsible party has to comply with the requirements of section 69(3) as it is then necessary to for consent using Form 4. In this section, we discuss the following requirements: 

• the responsible party obtained the contact details of the data subject ‘in the context of the sale of a product or service’,
•  the responsible party is marketing their ‘own similar products or services’, AND
• the data subject was given a reasonable opportunity(s) to object. 

Please remember: If a responsible party does not comply with all three of these requirements or cannot prove that they comply, section 69(3) does not apply. This means that the responsible party would have to obtain a consent that complies with Form 4. This is often referred to as ‘re-permissioning’ or ‘re-consenting’ an existing database. It is not something that marketers like doing, because low response rates will shrink the database substantially. Do not do it unless you absolutely have to! If you do have to, get advice on how to do it and speak to the creatives (not just the lawyers) about how to do it. We are not the first country to go through this change, and there is a lot we can learn from how other marketers dealt with it. 

As discussed above, the data subject must be a customer of the responsible party. This requirement confirms that the contact details must have been collected during the sales process and not after the transaction was concluded. If a responsible party only collects the contact details at a later stage, for the purpose of direct marketing, the responsible party will need to obtain consent using Form 4. 

Could ‘in the context of the sale of a product or service’ mean that section 69(3) will apply if the contact details are obtained well before the sale of a product or service or must it have been obtained as part of the negotiations? We believe that as long as there was a transaction, it does not really matter when the contact details were first collected. 

Food for thought: Must the responsible party obtain the information directly from the data subject for the requirement to be fulfilled? In the EU the requirement has been interpreted to mean that the contact details must be obtained directly from the data subject and not (for instance) from a list broker.  Be careful though! Article 13(2) of the EU Directive on Privacy and Electronic Communications  states that ‘where a natural or legal person obtains from its customers their electronic contact details for direct marketing’ while section 69(3)(a) is formulated ‘if the responsible party obtained the contact details of the data subject in the context of the sale of a product or service’; POPIA does not state where the contact details must have been obtained from. Section 12 of POPIA contains a list of instances when it will be acceptable for responsible parties to collect information from sources other than the data subject. The point here is that it is permissible, even for direct marketing purposes

Section 69(3) only applies to direct marketing that is sent by the same responsible party who collected the contact details and entered into the transaction with the data subject. In other words, section 69(3) cannot be used to justify direct marketing sent by (or for) another responsible party. 

In addition, the products or services that the responsible party is marketing must be ‘similar’ to the products or services the data subject purchased. In other words, section 69(3) cannot be used as a justification to cross-sell products or services, even if the other (different) products or services are sold by the same responsible party. A consent that complies with Form 4 will have to be obtained for other products or services. 
Food for thought: How similar is similar enough? The ordinary meaning of ‘similar’ is ‘having a resemblance in appearance, character, or quantity, without being identical’.  For instance, if a data subject has purchased apples from the responsible party before (and this is how the responsible party obtained the data subject’s contact details), under section 69(3) of POPIA it would be perfectly appropriate for the responsible party to send the data subject direct marketing about oranges. This is because these goods are in the same category (food).  Life insurance or credit, on the other hand, is an entirely different type of product. If the responsible party wants to send this data subject direct marketing about life insurance or credit, the responsible party will need to get an additional consent from the data subject to do so. The line can get a whole lot blurrier when goods are ‘kind of’ related to each other. E.g., a travel company that markets flights can ask for consent again if they start renting out vehicles. If a data subject booked a flight from that company, does it mean that the company can rely on section 69(3) to market vehicle rentals to that customer without first asking for consent? Both fall in the category of ‘transport’ and are often bought together, so we believe the answer is yes. 

The ICO considered this question and stated: ‘We consider that the key question here is whether the customer would reasonably expect messages about the product or service in question. This is likely to depend on the context – including the type of business and the category of product. For example, someone who has shopped at a supermarket might reasonably expect messages about a much wider range of goods than someone who has shopped at a specialist store for a specialist product.

Example: A customer buys groceries online from a large supermarket chain. Although they only bought bread and bananas on that occasion, they might reasonably expect emails about a wide range of products – including bread, fruit, and other groceries, but also books, DVDs, kitchen equipment and other everyday goods commonly sold in supermarkets. However, they are unlikely to expect emails about banking or insurance products sold under the supermarket brand. These products are not bought and sold in a similar context.’
Responsible parties should focus on managing the expectations of data subjects about what type of marketing they can expect to receive at the point of sale; data subjects who are not surprised about what they are going to receive will (probably) not complain. 

Section 69(3) will only apply if the data subject was given a reasonable opportunity to object to the use of his or her ‘electronic details’
at the time the information was collected; and on the occasion of each communication with the data subject for the purpose of marketing. 

There are two aspects that are important here:

• the form of the unsubscribe; and
• when it must be communicated to the data subject. 

We discuss the form of the unsubscribe below. As for the timing, in order to rely on section 69(3), the responsible party will have to show that the data subject was informed and given an opportunity to object at collection and again every time they were contacted. 

Tricky area: What if the personal information was not collected from the data subject directly? It is not a requirement that the contact details are obtained from the data subject directly for section 69(3) to apply. In cases where the information was collected from another source, we apply section 18(2)(b) which provides that where information was not collected from the data subject, notification can take place ‘as soon as reasonably practicable after it has been collected’. However, if notification of the right to unsubscribe did not take place at all (for whatever reason),  the responsible party cannot rely on section 69(3) and would have to ask for consent and comply with Form 4.
What this means is that the responsible party has to prove that this information was given to data subjects, even where collection took place decades ago! 

Data subjects have the right to ‘unsubscribe’ from direct marketing. It is referred to as the right to object, but most of us know this as unsubscribing.

Please note: This not only applies to electronic direct marketing,  but also in respect of non-electronic forms of marketing.

Once a data subject has unsubscribed, the responsible party must stop sending direct marketing to that data subject. Internationally under the EU GDPR, many companies have been fined large sums by regulators for failing to process their unsubscribes properly. For example, in March 2020 a Romanian company was fined approximately EUR3000 for sending a commercial message to just one customer who had already unsubscribed.  Additionally, in October 2019, a Greek telecommunications company was fined EUR200,000 for contacting a large number of customers via telemarketing when all these customers had specifically opted out of receiving telemarketing from them. The unsubscribes had not been processed properly due to technical issues.  These examples demonstrate how important it is to manage direct marketing unsubscribes properly for all forms of direct marketing, and the negative repercussions organisations can face if they do not.

Please note: In addition to a potential fine by the Information Regulator, a complaint for failing to honour an unsubscribe has other consequences. The cost and inconvenience of being investigated by the Information Regulator will be significant and once the Information Regulator starts investigating an organisation, there is no telling where the investigation could lead.

There are no general requirements in POPIA for the form the unsubscribe must take. However, when unsubscribes are being considered for purposes of section 69(3)(c), the following requirements are listed: 

• It must be free of charge.
• The opportunity to unsubscribe must be ‘free of unnecessary formality’. 

Please note: We believe that these requirements should be viewed as ‘best practice’ for all unsubscribes, not just when compliance with section 69(3) is being considered. In other words, we believe that these requirements should be applied when considering compliance with section 11(3)(b) too, even though the requirements are not mentioned there. In any event, if the direct marketing is being sent to a consumer as defined in the CPA, section 11 provides that a responsible party must ‘implement appropriate procedures to facilitate the receipt of [unsubscribes] and must not charge the consumer a fee for unsubscribing’. 

The requirement that the unsubscribe must be free of charge is quite clear, albeit not always simple to execute. However, defining what would constitute ‘unnecessary formality’ is harder to quantify. 

Here are the guidelines provided by the ICO:  

• It must be simple to opt out. 
• When first collecting the data subject’s details it must be part of the same process (e.g. the form should contain a prominent opt-out box or staff should offer it when information is being collected ‘in person’). 
• In subsequent communication, the data subject should be able to unsubscribe by replying to the message or by clicking on an unsubscribe link.
• If the marketing is taking place via SMS, the data subject should be able to unsubscribe by sending a stop message to a short code. 

For our view on the buying and selling of third party databases – and how to do this in a POPIA-compliant way – please view the ’10 Guiding Principles of Ethical Lead Generation’ in the Downloads sidebar.

Concerning whether you can keep a database purchased for direct marketing purposes prior to 1 July 2021, this is not a clear-cut ‘yes/no’ answer. It is usually very dependent on the individual context of each responsible party. Or usual motto is ‘don’t throw the database out with the bathwater’ unless you have done a thorough investigation first. 

Suppose the data subject is a customer of the responsible party. In that case, the responsible party has to comply with section 69(3) requirements to avoid asking for consent to send direct marketing using Form 4. The responsible party must meet the following requirements: 

• the responsible party obtained the contact details of the data subject ‘in the context of the sale of a product or service’,
• the responsible party is marketing their ‘own similar products or services’, AND
• the data subject was given a reasonable opportunity(s) to object. 

If a responsible party does not comply with all three of these requirements or cannot prove that they comply, section 69(3) does not apply. This means that the responsible party would have to obtain a consent that complies with Form 4. This is often referred to as ‘re-permissioning’ or ‘re-consenting’ an existing database. It is not something that marketers like doing because low response rates will shrink the database substantially. Do not do it unless you absolutely have to! If you do have to, get advice on how to do it and speak to the creatives (not just the lawyers)  about doing it. We are not the first country to go through this change, and there is a lot we can learn from how other marketers dealt with it. 

To streamline an organisation's direct marketing efforts to be POPIA compliant, we advise that organisations should go about a spring cleaning and rebuilding exercise of their direct marketing database. 
As best practice for achieving POPIA compliance, an organisation should be able to answer the following questions about all the data subjects in their direct marketing database:

• Where the organisation got each data subject's personal information, i.e., did the organisation get it straight from the data subject, did the organisation get it from a public record or social media, did the organisation get it from a different entity in their same corporate group, did the organisation get it from a credit bureau or did the organisation buy it from a lead generation company or data broker? 
• Whether each data subject has consented to receive direct marketing from the organisation, if the answer is yes, then the organisation needs to determine which specific brand/product the data subject has consented to receive direct marketing about and what channel of communication the data subject chose to receive direct marketing by. If the answer is no, the organisation needs to check if that data subject has requested to unsubscribe from direct marketing and if that unsubscribe has been processed properly. 
• If each data subject is allowed to unsubscribe on each different direct marketing occasion.
• If the organisation has shared each data subject's personal information with any third party and for what reason.  

Once the organisation has established the answers to these questions concerning their direct marketing database, we have made this handy table to assist with making the right spring-cleaning decision based on the above exercise results. 

Section 12 of POPIA deals with the collection of personal information. The default rule in section 12(1) of POPIA is that responsible parties must always collect personal information directly from the data subject. There are exceptions to this rule, however. These are outlined in section 12(2) of POPIA. These include:

• Personal information in or derived from a public record;
• Personal information which the data subject deliberately made public;
• The data subject consent to the collection of their personal information from third parties;
• The responsible party can demonstrate that collecting the personal information from another source does not prejudice a legitimate interest of the data subject;
• Collection from third-party sources is required for law and order;
• Collection from a third party is necessary to maintain the legitimate interests of the responsible party or a third party;
• Collection directly from the data subject prejudices a lawful purpose of the collection; and
• The responsible party does not have to collect the personal information from the data subject if this is not ‘reasonably practicable in the circumstances of the particular case’.

It is also important to note that in most circumstances, if you are collecting a data subject’s personal information from a third party source (whatever the legal justification) – you are required to notify the data subject about this collection in terms of section 18. 

In cases where the personal information is collected from another source the data subject must preferably be notified before collection occurs  or, if that is not possible, ‘as soon as reasonably practicable after it has been collected’.  It is a pity that POPIA did not provide more specific guidelines in this regard. The EU GDPR provides that the notifications must be made: 

• within a reasonable time after collection, ‘but at the latest within one month, having regard to the specific circumstances in which the personal data are processed’;
• ‘at the latest at the time of the first communication’ with the data subject (if the personal data will be used to communicate with the data subject); or
• before the personal information is shared with any ‘recipient’.  

Food for thought: Even though POPIA is silent on what would qualify as ‘as soon as reasonably practicable’, the standard set by the EU GDPR is a useful indication of ‘best practice’. Responsible parties should carefully document their decision-making process when they determine when data subjects will be notified and be ready to defend their decision about when to notify.