How POPIA Affects Your Email Marketing in South Africa

POPIA is South African law, and email marketers need to understand what it means for consent, sign-up forms, and unsubscribe processes. This article breaks down the practical steps.

email-databaseemail-marketingimportant-announcements

On 1 July 2021, the Protection of Personal Information Act (POPIA) came into full effect in South Africa. The Act regulates how companies collect, store, and process personal data, and it applies to businesses of all sizes operating in the country.

Email marketing sits squarely in POPIA's scope. An email address is personal information. So is a name, phone number, ID number, and location data. If you are collecting and using any of that to send marketing communication, the Act applies to you.

How POPIA impacts email marketing

POPIA builds on earlier legislation, PAIA (the Promotion of Access to Information Act) and ECTA (the Electronic Communications and Transactions Act), and extends their reach into the digital space. It also applies to companies outside South Africa that store or process the personal data of South African citizens.

The personal information most commonly used in direct email marketing, and therefore governed by POPIA, includes:

  • Full name
  • Email address
  • Phone number
  • ID number
  • Physical or postal address
  • Location data

If your marketing relies on any of these data points, you need to handle them in line with the Act.

Make sure of client opt-in

Many companies have been emailing people whose details were added to a list without a clear opt-in. This includes existing customers added to newsletters, or contacts collected by a sales team that started receiving marketing emails without explicitly asking to.

The good news: you do not automatically need to re-permission your entire existing list. You can continue sending to people who were already subscribed before 1 July 2021. However, from that date forward, the Act requires that all data subjects have given consent after the first communication. If someone does not consent after that first contact, you must stop sending to them.

The practical upshot is this: start asking for consent now, for every new contact you add, and build that process into every channel where you collect data.

How to gain consent

Before POPIA, a web enquiry form or a pop-up was often enough justification to add someone to a mailing list. That is no longer sufficient.

New contacts must explicitly opt in. A pre-ticked checkbox does not count. Burying your communication policy in a privacy policy page does not count either. The subscriber must take a deliberate action, ticking a box, clicking a button, that clearly signals they agree to receive marketing from you.

You also need to be specific about the channels you will use. If you plan to send emails, SMS messages, and browser notifications, say so. Blanket consent for unspecified communication is not compliant.

Updating your sign-up forms

If any of your existing sign-up forms assume permission, pre-ticked opt-in boxes are the most common example, you need to fix them.

Each form should:

  • Require an active opt-in action (an unticked box the user must tick)
  • State clearly what the subscriber will receive
  • Include a link to your privacy policy

TouchBasePro gdpr-compliant-web-froms-online (1)

Image credit: https://www.sendmode.com/gdpr-definitive-guide-consent

Once your forms are updated, you need to record that consent in a way that is auditable. Most reputable email service providers have tools that handle this automatically, logging when and how a subscriber opted in.

Dealing with opt-outs

Every marketing email must include a visible, functional unsubscribe link. This is not optional under POPIA, and the process must be straightforward. A subscriber who clicks unsubscribe should be removed quickly, without being made to jump through additional steps.

TouchBasePro Email-laws-unsubscribe-link

Image credit: https://www.campaignmonitor.com/resources/guides/understanding-emails-laws-regulations/

Once someone unsubscribes, the safest approach is to delete their personal data. Holding on to data you no longer have a lawful reason to retain increases your exposure in the event of a breach. Keep only what you need, for as long as you need it.

Is your business ready?

POPIA is not just a compliance hurdle. Marketers who build their lists properly, through genuine opt-ins from people who want to hear from them, typically see better engagement rates and stronger brand trust than those who rely on purchased lists or assumed consent.

The shift is straightforward: stop marketing to everyone you can reach, and start marketing to people who have asked you to.

If you want help getting your email marketing processes aligned with POPIA, reach out to our team at des@touchbasepro.com. We have been running POPIA workshops focused specifically on direct marketing compliance.

Frequently asked questions

Does POPIA require me to get fresh consent from my existing email subscribers?
Not automatically. You can continue emailing people who were already subscribed before 1 July 2021. However, the Act requires that all data subjects provide consent after the first communication sent under POPIA. If a contact does not consent following that first post-POPIA email, you must stop sending to them.
What counts as valid consent under POPIA for email marketing?
Consent must be explicit and active. A pre-ticked checkbox or a privacy policy that mentions marketing is not sufficient. The subscriber must take a deliberate action, such as ticking an unticked box, that clearly shows they agree to receive marketing from you. You also need to specify which channels you will use.
What do I need to include on my email sign-up forms to comply with POPIA?
Your forms must require an active opt-in (no pre-ticked boxes), clearly state what the subscriber will receive, and include a link to your privacy policy. You also need to record and store proof of that consent in an auditable format.
What are my obligations when someone unsubscribes from my mailing list?
You must include a visible unsubscribe link in every marketing email. When someone clicks it, they should be removed quickly and without unnecessary steps. POPIA also recommends deleting the personal data of anyone who has opted out, to limit your exposure in the event of a data breach.