So, what’s the story with POPI?

As of July 2020, the majority of the Protection of Personal Information Act of 2013 (“POPI”), South Africa’s equivalent of the EU GDPR, came into effect. Businesses have one year to comply with the regulations, meaning the deadline for compliance is the 1st of July 2021. POPI sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (including both natural and juristic persons). In other words, it sets the conditions to lawfully process the personal information of both people and companies.

According to the  POPI Act, personal information is defined as data that can be used to identify a person, explained as “information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person.”

This essentially means companies need to ask your permission to send you, or your company, marketing material. If you’ve given that permission, they can contact you until you ask them to stop or ‘opt out’.

The buying and selling of such information is also prohibited. Certain companies have built up massive databases of contact details, including phone numbers and email addresses, and these get bought and sold on the open market. This is also no longer allowed (and is pretty unethical anyway). Rather refer to our previous blogs over here and here for tips on how to build a quality database.

What counts as personal information?

Below is a list of personal information which is important to direct marketing, which includes, but is not limited to:

  • Gender
  • Age
  • Religion / beliefs / culture
  • Language
  • Email address
  • Physical address
  • Telephone number
  • Location
  • Personal opinions, views or preferences

This means that some of the most commonly utilised data in direct marketing is going to fall under the provisions of POPI which means that you, as a marketer, need to pay careful attention to the processing of this data.

Do I have permission to contact consumers already on my mailing lists, post-POPI?

In short, yes. If a marketer already has permission, it is fine to keep sending. No need to panic and ask all your current database subscribers to re-subscribe.

If marketers collect information and inform consumers that they are going to use such information to send promotional content, and then give clients the opportunity to unsubscribe in that communication, that will also be fine in terms of POPI.

If a marketer has been emailing a client for a reasonable period of time and the client hasn’t objected thereto, then a concept called “soft opt-in” governs this scenario.

If that same client lodges a POPI complaint after POPI comes into effect, this “soft opt-in” concept governs people attempting to take a chance with marketers post-POPI.

Though the “soft opt-in” principle isn’t codified law, it’s the responsibility of the data collector/marketer to ensure management of their database in a sound, ethical manner to prevent abuse of this concept.

An important point here is that a person can only be approached once to get consent. If consent is refused, it is refused ad infinitum. Another important point to take note of is that marketers must always be able to tell you where they got your information from.

Image of code on a computer

The Important Part: Chapter 8 of POPI

As a direct marketer, the chapter of POPI that governs direct marketing by means of unsolicited electronic communications is chapter 8. The highlighted bits below point us to the main provisions (and we’ve broken this down into simpler English for easier reading):

  • The processing of personal information of a data subject (a human or a company)  for the purpose of direct marketing, by means of any form of electronic communication is prohibited unless a data subject (a human or a company):
    (a) has given their consent to the processing; or
    (b) is a customer of the responsible party.

Key take out: always ask for permission to use personal information

  • A person or company may only process the personal information of a data subject (a human or a company) who is a customer of the person or company:
    (a) if the person or company has obtained the contact details of the data subject (a human or a company) in the context of the sale of a product or service;
    (b) for the purpose of direct marketing of the person or company’s own similar products or services; and
    (c) if the data subject (a human or company) has been given a reasonable opportunity to object, free of charge or hassle, to the use of their electronic details –
    (i) at the time when the information was collected; and
    (ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.

Key take out: You are only allowed to process personal information if you have obtained it via the sale of a product or a service, to market your own other similar products or services and you ALWAYS need to give the customer/subscriber the opportunity to opt-out of communication from your company

  • Any communication for the purpose of direct marketing must contain:
    (a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
    (b) an address or other contact details to which the recipient may send a request that such communications stop.

Key take out: Always identify yourself, and give the receiver a clear opportunity to opt out of communication. 

Image of a mailbox

What does this mean for your company?

It’s not just big corporates who will be affected – every business will need to comply by July 2021.

Businesses will need to have an Information Policy, will need to ensure employees know about POPI, and will need to appoint an information officer.

This information officer does not need to be a new employee. You can appoint yourself as an information officer, but it means you’ll be responsible for ensuring the business processes data correctly, in compliance with POPI and has a plan for when to dispose of data. You also need to have a plan in place in case you’re hacked, and someone steals that data.

You will also need to update your company website if you have one. Every business that has a website will now also need to include a privacy notice indicating, inter alia, what you do with customer information, how you process it, and how long you keep it for.

General Good-Practice Checklist

Here are some checks and balances to make sure you as a marketer comply with the provisions of POPI

  • Did you receive a subscriber’s details in the process of selling a product or service?
  • Did you display your logo or company name in the body of the email? Did you also display your sender name to identify yourself?
  • Is your communication to customers related to your products or services?
  • Can your customer opt-out at the time the information is collected, and each time communication is sent?
  • Does your content only relate to your own or similar products or services?
  • Have you provided an address or a link to which the customer can send a request to opt-out?

The risks of non-compliance with POPI can include reputational damage, hefty fines and/or imprisonment, as well as paying out damages claims to data subjects, not to mention lengthy court battles and attorney fees if the claim ends up in court. 

Though you may have chosen a reputable bulk email sending platform to use for your email marketing needs, the onus is still on you to ensure you use the data in a compliant way. 

Here are some ways we can help:

  • We can assist in ensuring your business address and contact details are always included, usually, in the footer of the emails you send from the platform as well as opt-ins and opt-outs (unsubscribes) being handled automatically and hassle-free
  • Data is stored securely, and you can control who in your organisation has access (we do the same on our side). This is one of the parts where the onus is on you to ensure compliance and is where most data breaches occur, so having some form of internal guideline or process is key.
  • Depending on how you use our systems, it may assist in informing you and keeping track of how you got the person’s information. Sign-up forms handle this automatically or, if you are importing a list, naming your mailing lists appropriately helps mitigate accidental transfers of data across lists.
  • We can also help with basic email validation. For instance, broken email addresses are identified and excluded by the system from email sends. We can take this further with our dedicated email verification services which scores, checks and validates the likelihood of an email being delivered or having a high sending quality, prior to sending.

We know this is a lot of information, and for most people, it feels overwhelming. But if you would like assistance to get your company ready for POPI and the compliance deadline, you can drop us a mail at and our team will get in touch with you!