POPIA and Email Marketing: What South African Marketers Must Know

POPIA has real teeth for email marketers, here is what the law actually requires, from consent and soft opt-in rules to what Chapter 8 means for your database.

email-databaseemail-marketinghow-toimportant-announcements

As of July 2020, the majority of the Protection of Personal Information Act of 2013 (POPIA), South Africa's equivalent of the EU GDPR, came into effect. Businesses had one year to comply, meaning the deadline was 1 July 2021. POPIA sets conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects, which includes both natural and juristic persons.

According to POPIA, personal information is data that can be used to identify a person: "information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person."

In plain terms, companies need your permission to send you, or your company, marketing material. Once you have given that permission, they can contact you until you ask them to stop.

The buying and selling of personal information is also prohibited. Many companies built large databases of contact details, including phone numbers and email addresses, and traded them openly. That is no longer legal, and it was never particularly ethical. For guidance on building a quality database the right way, see our posts here and here.

What counts as personal information?

The following personal information is relevant to direct marketing, though the list is not exhaustive:

  • Gender
  • Age
  • Religion / beliefs / culture
  • Language
  • Email address
  • Physical address
  • Telephone number
  • Location
  • Personal opinions, views or preferences

Much of the data most commonly used in direct marketing falls under POPIA. As a marketer, you need to pay close attention to how you collect, store, and use it.

Do I have permission to contact people already on my mailing list?

In short, yes. If you already have permission, you can keep sending. There is no need to ask your entire database to re-subscribe.

If you collected information, told subscribers you would use it to send promotional content, and gave them the chance to unsubscribe, you are fine under POPIA.

If you have been emailing a client for a reasonable period and they have not objected, the principle of "soft opt-in" applies. If a client later raises a POPIA complaint, it is this principle that governs the situation.

Soft opt-in is not codified law. It places the responsibility squarely on the marketer to manage their database ethically and not abuse the concept.

Two points worth knowing: a person can only be approached once to obtain consent. If they refuse, that refusal stands permanently. Also, you must always be able to tell a subscriber where you got their information.

The important part: Chapter 8 of POPIA

For direct marketers, Chapter 8 is the section that governs unsolicited electronic communications. Here are the main provisions, translated into plain English:

Processing personal information for direct marketing via electronic communication is prohibited unless the data subject: (a) has given consent to the processing; or (b) is an existing customer.

Key takeout: always get permission before using personal information for marketing.

You may only process a customer's personal information if: (a) you obtained their contact details in the context of a sale; (b) you are marketing your own similar products or services; and (c) you gave the customer a clear, free opportunity to opt out at the point of collection and in every subsequent communication.

Key takeout: you can only market to existing customers, only for similar products or services, and you must always offer an opt-out.

Every direct marketing communication must include: (a) the identity of the sender or the person on whose behalf it was sent; and (b) an address or contact details the recipient can use to stop communications.

Key takeout: identify yourself clearly in every send and make the opt-out easy to find.

What does this mean for your business?

Every business in South Africa needs to comply, not just large corporates.

You will need a written Information Policy, staff who understand POPIA, and an appointed information officer. This does not have to be a new hire. You can appoint yourself, but you take on responsibility for ensuring your business processes data correctly, has a retention and disposal plan, and has a response plan ready in the event of a data breach.

If your business has a website, you also need a privacy notice that explains what you do with customer information, how you process it, and how long you keep it.

General good-practice checklist

Run through these before your next send:

  • Did you receive the subscriber's details in the process of a sale?
  • Does your email display your company name or logo, and is your sender name clearly identified?
  • Is the communication related to your own products or services?
  • Can the customer opt out at the point of data collection and in every communication?
  • Does your content relate only to your own or similar products or services?
  • Have you included an address or link the customer can use to opt out?

Non-compliance carries real consequences: reputational damage, fines, imprisonment, and potential damages claims from data subjects, plus the cost of any court proceedings.

Using a reputable bulk email platform is a good start, but the compliance responsibility sits with you. Here is how TouchBasePro can help:

  • Your business address, contact details, and unsubscribe options are built into the footer of every email. Opt-ins and opt-outs are handled automatically.
  • Data is stored securely. You control who in your organisation has access, and we do the same on our side. Most data breaches happen at the access level, so having an internal process matters.
  • Sign-up forms track how you collected each contact automatically. If you import a list, naming your mailing lists clearly helps prevent data being moved between the wrong groups.
  • The platform flags and excludes broken email addresses before a send. Our dedicated email verification service goes further, scoring and validating each address for deliverability before you hit send.

If you want help getting your business ready, email us at support@touchbasepro.com and our team will follow up.

Frequently asked questions

Do I need to ask my existing email subscribers to re-consent after POPIA came into effect?
No. If you already had permission before POPIA's July 2021 deadline, you can continue sending without asking subscribers to re-subscribe. The soft opt-in principle also covers situations where a client has received emails for a reasonable period without objecting.
Can I buy or rent an email database to use for marketing under POPIA?
No. POPIA prohibits the buying and selling of personal information, including email addresses and phone numbers. You must collect contact details directly, in the context of a transaction or with explicit consent.
What must every marketing email include to be POPIA-compliant?
Every direct marketing email must clearly identify the sender and include a way for the recipient to request that communications stop, typically an unsubscribe link or a reply-to address. TouchBasePro handles both automatically through footer and unsubscribe management.
What are the penalties for not complying with POPIA?
Non-compliance can result in reputational damage, fines, imprisonment, and civil damages claims from affected data subjects. Court proceedings add further cost and risk.