POPIA and Email Marketing: What SA Businesses Need to Know

POPIA has real teeth for email marketers. This guide covers what the Act requires, how to handle your existing database, and the practical steps to stay compliant.

South Africa's Protection of Personal Information Act (POPIA) regulates how businesses collect, store, and process personal information. The compliance deadline was 1 July 2021, meaning the Act is fully in force. If you send marketing emails to South African subscribers, POPIA applies to you. You can read the full Act here.

How does POPIA affect email marketing?

At TouchBasePro, we applied POPIA and GDPR principles before either came into effect. The reason is straightforward: deliverability. Our sender reputation depends on keeping spam complaints low. Bulk unsolicited email generates complaints, and those complaints affect how mail servers and spam filters around the world rank our sending infrastructure. To keep deliverability high for our clients, we have to send only to people who want to hear from you.

POPIA formalises what good list hygiene already demands: get permission before you add someone to your database and send them marketing email.

To stay POPIA compliant, you need to:

  • Collect personal information directly from the subscriber
  • Collect it for specific, explicit, and lawful purposes only
  • Process personal information only with the subscriber's consent
  • Delete personal information once it is no longer needed
  • Keep personal information accurate and up to date
  • Protect all personal information you hold
  • Ensure third-party operators are contractually bound to the same standards
  • Be able to report on the data you hold, on request
  • Obtain consent before sending direct marketing
  • Get opt-in consent per channel: email, SMS, WhatsApp, and so on each require separate consent
  • Act immediately when a subscriber requests a change or opts out of any channel

What happens to customers already on my database?

If you cannot prove that a contact actively requested to receive marketing from you, you need to ask for their permission before sending anything further. If they do not give permission, remove them from your database.

When re-engaging or communicating with existing customers, keep the following in mind:

  • Confirm that you collected their details during the sale of a product or service.
  • Always identify yourself clearly. Include your logo or company name in the email body, and make sure your sender name is recognisable.
  • Send only content that is relevant to the product or service the customer originally enquired about or purchased.
  • Make opting out easy. Every email must include an unsubscribe link.
  • Provide a contact address where subscribers can send a written opt-out request.

The thread running through all of this is permission. A subscriber should never be caught off guard by an email from you. If you want guidance on making your database and sending practices POPIA compliant, book a free POPIA guidance session here.

Frequently asked questions

Does POPIA apply to my email marketing if my business is based in South Africa?
Yes. If you collect or process the personal information of South African data subjects, including email addresses, POPIA applies to you, regardless of your company size or industry.

Can I keep contacts on my email list if I am not sure how they got there?
No. If you cannot prove that a contact consented to receive marketing from you, you need to request permission before sending further emails. If they do not respond or decline, remove them from your database.

Do I need separate consent for email, SMS, and WhatsApp marketing?
Yes. POPIA requires opt-in consent per channel. A subscriber who agreed to receive emails has not automatically agreed to receive SMS or WhatsApp messages.

What must every marketing email include to be POPIA compliant?
At minimum: a clear identification of the sender (logo or company name), content relevant to what the subscriber signed up for, a working unsubscribe link, and a contact address for opt-out requests.