The days are numbered for companies engaging in direct marketing through unsolicited electronic communications.
This week, the Information Regulator (IR) issued an Enforcement Notice against FT Rams Consulting, a Roodepoort-based online training institution. This is the first such notice issued by the regulator because of a direct-marketing complaint.
IR chairperson Advocate Pansy Tlakula said unsolicited electronic communications will no longer be tolerated.
“Our leniency regarding direct marketing through unsolicited electronic communications is going to be a thing of the past because responsible parties (public or private bodies) ignore the provisions of section 69 of POPIA and infringe on the rights of data subjects,” said Tlakula.
Moonstone reached out to FT Rams, but the training institution declined to comment.
Non-compliance with personal information protection laws
In a media statement released on 27 February, the IR cited violations of several sections of the Protection of Personal Information Act (POPIA) as the reason for the notice.
According to the regulator, it received a complaint from a “data subject” (a person to whom the personal information relates) who was bombarded with direct marketing messages from FT Rams Consulting about its courses and webinars.
It is alleged that despite multiple attempts to “opt out” and requests to stop, FT Rams kept flooding the person’s inbox with marketing emails.
Section 69(1) of POPIA states that the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication is prohibited unless the data subject has given consent to the processing.
POPIA defines consent as voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
Section 69(2) states that a responsible party may approach a data subject who has not previously withheld such consent only once to request the data subject’s consent.
“This means that the first message which FT Rams Consulting was supposed to send to the data subject was one in which it requested the data subject’s consent,” the regulator explained. “If the data subject consented to receiving direct marketing messages, they also had to indicate the preferred means of communication.”
The IR stated that by sending repeated marketing emails to the person without first obtaining the person’s permission, FT Rams had failed to adhere to POPIA.
Additionally, even though the person was given the choice to “opt out”, this did not remedy the situation. FT Rams was also required to use a recommended form to obtain the person’s written consent but failed to do so.
90 days to comply
FT Rams has been ordered, among other things, to:
- immediately stop sending unsolicited direct marketing messages by means of any electronic communication, including telephone, fax, SMS, email, or automated calling machine, to any data subject who has not consented, including the complainant;
- ensure that the first communication sent to data subjects is one in which FT Rams requests their consent (a data subject may only be approached once to obtain such consent);
- use the form prescribed by the IR for this purpose (the use of this form is compulsory); and
- ensure it only sends such a message to a data subject who has not previously withheld his or her consent.
In addition, the regulator ordered FT Rams to compile and maintain a database of all data subjects who have previously withheld their consent or did not consent to receiving unsolicited direct marketing messages and submit a design of such a database to the IR.
“This will ensure that the data subjects on the database are not contacted again,” the regulator said.
FT Rams has been given 90 days from receiving the notice to adhere to these instructions.
The regulator said that non-compliance with an Enforcement Notice was regarded as a contravention of the law and could, upon conviction, result in a fine of up to R10 million or imprisonment for a period not exceeding 10 years or to both such a fine and imprisonment.
Commentary from legal experts
Era Gunning, an executive in ENSafrica’s banking and finance practice, and senior associate Priyanka Naidoo said although the Enforcement Notice shows that the IR is taking its mandate seriously, they have some reservations about the regulator’s “rigid approach” in requiring responsible parties to use Form 4 when requesting consent from a data subject to send direct marketing communications.
“The POPIA regulations make it clear that a form substantially similar to Form 4 would suffice. In addition, the Information Regulator seems to disregard the fact that direct marketing by electronic means can be sent to customers without their consent. This may present a practical hurdle to many companies,” they said.
Gunning and Naidoo said they were also concerned that the Enforcement Notice prohibited FR Rams Consulting from sending unsolicited direct marketing messages by means of telephone to any data subject who had not consented.
“Section 69 of POPIA regulates direct marketing sent over electronic communication only. POPIA defines electronic communications as ‘any text, voice, sound, or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient’. By definition, this excludes communications over the telephone, as marketing messages cannot be stored in the network or in the recipient’s terminal equipment,” they said.
The IR has been engaging stakeholders for the past two years to draft a guidance note on the interpretation of section 69. According to Nomzamo Zondi, senior manager: communication and media at the IR, the guidance note was being finalised and will be ready for consultation with stakeholders at the end of March.