As of July 2020, the majority of the Protection of Personal Information Act of 2013 (“POPI”), South Africa’s equivalent of the EU GDPR, came into effect. Businesses have one year to comply with the regulations, meaning the deadline for compliance is the 1st of July 2021. POPI sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (including both natural and juristic persons). In other words, it sets the conditions to lawfully process the personal information of both people and companies.
According to the POPI Act, personal information is defined as data that can be used to identify a person, explained as “information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person.”
This essentially means companies need to ask your permission to send you, or your company, marketing material. If you’ve given that permission, they can contact you until you ask them to stop or ‘opt out’.
The buying and selling of such information is also prohibited. Certain companies have built up massive databases of contact details, including phone numbers and email addresses, and these get bought and sold on the open market. This is also no longer allowed (and is pretty unethical anyway). Rather refer to our previous blogs over here and here for tips on how to build a quality database.
Below is a list of personal information which is important to direct marketing, which includes, but is not limited to:
This means that some of the most commonly utilised data in direct marketing is going to fall under the provisions of POPI which means that you, as a marketer, need to pay careful attention to the processing of this data.
In short, yes. If a marketer already has permission, it is fine to keep sending. No need to panic and ask all your current database subscribers to re-subscribe.
If marketers collect information and inform consumers that they are going to use such information to send promotional content, and then give clients the opportunity to unsubscribe in that communication, that will also be fine in terms of POPI.
If a marketer has been emailing a client for a reasonable period of time and the client hasn’t objected thereto, then a concept called “soft opt-in” governs this scenario.
If that same client lodges a POPI complaint after POPI comes into effect, this “soft opt-in” concept governs people attempting to take a chance with marketers post-POPI.
Though the “soft opt-in” principle isn’t codified law, it’s the responsibility of the data collector/marketer to ensure management of their database in a sound, ethical manner to prevent abuse of this concept.
An important point here is that a person can only be approached once to get consent. If consent is refused, it is refused ad infinitum. Another important point to take note of is that marketers must always be able to tell you where they got your information from.
As a direct marketer, the chapter of POPI that governs direct marketing by means of unsolicited electronic communications is chapter 8. The highlighted bits below point us to the main provisions (and we’ve broken this down into simpler English for easier reading):
Key take out: always ask for permission to use personal information
Key take out: You are only allowed to process personal information if you have obtained it via the sale of a product or a service, to market your own other similar products or services and you ALWAYS need to give the customer/subscriber the opportunity to opt-out of communication from your company
Key take out: Always identify yourself, and give the receiver a clear opportunity to opt out of communication.
It’s not just big corporates who will be affected – every business will need to comply by July 2021.
Businesses will need to have an Information Policy, will need to ensure employees know about POPI, and will need to appoint an information officer.
This information officer does not need to be a new employee. You can appoint yourself as an information officer, but it means you’ll be responsible for ensuring the business processes data correctly, in compliance with POPI and has a plan for when to dispose of data. You also need to have a plan in place in case you’re hacked, and someone steals that data.
You will also need to update your company website if you have one. Every business that has a website will now also need to include a privacy notice indicating, inter alia, what you do with customer information, how you process it, and how long you keep it for.
Here are some checks and balances to make sure you as a marketer comply with the provisions of POPI
The risks of non-compliance with POPI can include reputational damage, hefty fines and/or imprisonment, as well as paying out damages claims to data subjects, not to mention lengthy court battles and attorney fees if the claim ends up in court.
Though you may have chosen a reputable bulk email sending platform to use for your email marketing needs, the onus is still on you to ensure you use the data in a compliant way.
Here are some ways we can help:
We know this is a lot of information, and for most people, it feels overwhelming. But if you would like assistance to get your company ready for POPI and the compliance deadline, you can drop us a mail at firstname.lastname@example.org and our team will get in touch with you!