For most organisations, the direct marketing of products and services to customers and potential customers is a vital source of business.
Until recently, organisations in South Africa that conduct direct marketing have, by and large, only needed to concern themselves with complying with the marketing standards set out in the Consumer Protection Act, 2008 (“CPA”), in terms of which a direct marketing registry (for consumers who have opted out of direct marketing) is yet to be established. With the commencement of the Protection of Personal Information Act, 2013 (“POPIA”) on 1 July 2020 (subject to a one-year “grace period”), the processing of personal information for direct marketing purposes has become even more stringently regulated. The most fundamental implication for direct marketing, broadly speaking, is that while the CPA provides rights and remedies for consumers which allow them to “opt-out” of direct marketing, POPIA mandates an “opt-in” regime for direct marketing to data subjects who are not existing customers within the ambit of POPIA, unless the soft “opt-in” rules apply, and results in liabilities and penalties for organisations that do not comply with the provisions of POPIA.
Below, we set out some of the key considerations for direct marketing under POPIA that organisations should be aware of. We also deal with some useful and relevant international regulations and directives, which can assist with interpreting the “opt-in” and “soft opt-in” provisions of POPIA, as well as provide guidance for possible penalties and breaches.
- Do the direct-marketing provisions of the CPA and POPIA overlap?
While this article does not consider the provisions of the CPA relating to direct marketing, it is important for direct-marketers, at the outset, to be aware that the direct-marketing provisions of the CPA and POPIA should be read together. It is also important to note that, while the CPA only applies to direct marketing to consumers (ie, natural persons and juristic persons below the ZAR2-million threshold), POPIA applies to the processing of personal information of both natural and juristic persons for direct marketing purposes.
- What does “direct marketing” mean in terms of POPIA?
- “direct marketing” under POPIA means to approach a data subject, either in person or by mail or electronic communication (electronic communication widely defined as “[a]ny text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient's terminal equipment until it is collected by the recipient”) for the direct or indirect purpose of:
  - promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
  - requesting the data subject to make a donation of any kind for any reason.
- Importantly, section 69(1) of POPIA provides that the processing of personal information of a data subject, for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines (ie, machines that are able to do automated calls without human intervention), facsimile machines, SMSs or e-mail, is prohibited unless the data subject:
  - has given his, her or its consent to the processing; or
  - is a customer of the responsible party (provided the conditions discussed below are adhered to).
- POPIA and opting-in
- Section 69(2) of POPIA provides that a responsible party may approach a data subject whose consent is required for direct marketing by electronic means, and who has not previously withheld such consent, only once in the prescribed manner and form, that was promulgated as form 4 in terms of regulation 6 of the POPIA Regulations, in order to request the consent of that data subject for direct marketing purposes.
- Section 69(4) provides that any communication for the purpose of direct marketing must contain details of the identity of the sender (or the person on whose behalf the communication has been sent) and an address or other contact details to which the recipient may send a request that such communications cease.
- We suggest that consideration be given to the Guidance on Direct Marketing under the Privacy and Electronic Communications (EU Directive) Regulations 2003/2426 (“PECR”) issued by the UK Information Commissioner's Office (“ICO”), which:
  - explains the circumstances under which organisations are able to carry out direct marketing and, in particular, states that organisations can generally only send marketing messages to individuals if that person has specifically consented to receiving them from the sender; and
  - provides that, for consent to be valid, it must be freely given, specific and informed; an individual must know what they are consenting to and be given clear instruction on what that consent means.
- What are POPIA's “soft opt-in” provisions?
- Section 69(3) provides that a responsible party may only process the personal information of a data subject who is a customer of the responsible party:
  - if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
  - for the purpose of direct marketing of the responsible party's own similar products or services; and
  - if the data subject has been given a reasonable opportunity to object, free of charge, and in a manner free of unnecessary formality, to such use of his, her or its electronic details at the time when the information was collected and on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
- What can we learn from the PECR about soft “opt-in”? The ICO said (in August 2020) that:
“The term ‘soft opt-in’ is used to describe the rule set out in Regulation 22(3) of PECR. In essence, an organisation may be able to e-mail its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details.”
- What happens if it all goes wrong?
Fines and penalties for contraventions of direct marketing provisions are big-ticket items for regulators around the world and many fines have been issued across the UK and EU over the last few years. A good example is the recent (12 August 2020) penalty of GBP100 000 issued by the ICO against Koypo Laboratories Limited (Koypo) under section 55A of the Data Protection Act 1998 (DPA) (in relation to a serious contravention of Regulation 22 of the PECR):
Facts and findings:
- Between 1 March 2017 and 31 March 2018 an estimated 21,166,574 marketing e-mails were received by individuals from Koypo affiliates on behalf of Koypo. It was clear that Koypo was engaging in “hosted marketing” (when an organisation sends direct marketing emails to its own database, but the marketing material relates to a third party).
- The ICO found that the unsolicited, direct marketing emails were sent to subscribers without their consent and that the contravention was serious. Koypo's actions were found to be a deliberate contravention of PECR (although Koypo did not actually intend to contravene PECR). The ICO also found Koypo to be negligent (given that Koypo is involved in a business reliant on direct marketing, and that the issue of unsolicited messages has been widely publicised in the media as being a problem, it ought reasonably to have known that there was a risk that these contraventions would occur).
- Factors considered by the ICO (and why this matters to your organisation):
  - Detailed consent policies are of paramount importance to avoid penalties: The Commissioner reviewed the policies and information in place at the time of the contravention and identified that the websites where consent was obtained did not name Koypo or make it clear that users may receive marketing from Koypo. The sites “relied on providing consent to ‘third parties' and ‘partners' however these were not tightly defined and were too general to demonstrate valid consent”.
  - Penalties will be imposed by the Regulator as a general deterrent against non-compliance: The ICO found that the “issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive marketing.” (our emphasis)
  - The impact of imposing any penalty on the business is a relevant consideration: The ICO considered “the likely impact of a monetary penalty on Koypo”. Based on the information available, the ICO found that Koypo had access to “sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship”.
  - Obtaining comprehensive legal advice and implementing changes to procedures will serve as mitigating factors: Koypo informed the ICO that it had now instructed a law firm to “develop procedures with regards to the compliant handling of data” and that it had suspended its email marketing campaigns at present (presumably with a view to implementing changes to procedures) – these factors were favourably considered by the ICO. Obtaining comprehensive advice (even at a late stage) can serve to mitigate any amount of damages imposed by the Regulator.
Direct marketing regulation in terms of data protection laws worldwide presents one of the most complex issues that businesses need to get to grips with. This is not unique to South Africa. Compliance with POPIA and being able to demonstrate appropriate data subject consent for direct marketing is paramount to avoid hefty fines and liabilities.
ENSafrica provides comprehensive and full-service data privacy, regulatory enforcement and data breach advice and assistance, and regularly hosts tailor-made direct-marketing workshops to help organisations find practical solutions to comply with their legal obligations. We also provide comprehensive advice and assistance in mitigation of liability and regulatory investigations.
Originally published by ENSafrica, August 2020