The Information Regulator (IR) is putting the phone down on digital marketers who have been violating the Protection of Personal Information Act (POPIA).
The IR is empowered to monitor and enforce compliance by public and private bodies with the provisions of the Act, as well as the Promotion of Access to Information Act. The independent body has announced that it will be issuing, within the week, the first enforcement notice because of a direct marketing complaint.
In 2022, Moonstone reported that the IR expressed concern about consumers receiving excessive unsolicited direct marketing messages that fail to comply with POPIA.
Read: Information Regulator unhappy with the flood of unsolicited direct marketing
With the IR’s Enforcement Committee established that same year, the public watchdog was legally enabled to enforce its powers and provide an effective remedy to complainants whose right to privacy and right of access to information have been infringed.
Read: Information Regulator publishes prescribed form for reporting data breaches
According to Nomzamo Zondi, senior manager: communication and media at the IR, the public watchdog received 925 complaints in the past fiscal year, of which 150 were related to direct marketing.
Zondi said the IR was in the process of issuing 14 notices in total to companies operating in the finance and telecommunications industries.
“Not all enforcement notices are as a result of direct marketing. They vary in terms of the violation of POPIA. We cannot give an indication of when the next 13 will be out. The notices are being processed,” she said.
Zondi said some notices stemmed from public complaints, while others came from the IR’s assessments for compliance. She added that the names of the companies could not be released until they have been formally issued with the notices, nor could she share details of which provisions of POPIA have been violated.
“This will be contained in the enforcement notices that will be issued and made public. We cannot pre-empt this. We also publish the enforcement notices on our website,” she said.
The IR has the authority to issue infringement notices to companies that do not comply with the directives contained in the enforcement notices.
“For non-compliance with the enforcement notice, we are empowered to issue an infringement notice, which can carry a fine of up to R10 million,” Zondi said.
Legal loophole
Section 69 of POPIA prohibits direct marketing by means of unsolicited electronic communications, including automatic calling machines, facsimile machines, SMSs, or email, unless a data subject has given his or her consent to the processing or is a customer of the responsible party.
Until now, opportunistic direct marketers have been taking advantage of what has been called a “loophole” – the debate on whether a phone call falls under electronic communication according to POPIA.
The Act defines “electronic communication” as any text, voice, sound, or image message sent over an electronic communications network that is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
The IR has been engaging stakeholders for the past two years to draft a guidance note on the interpretation of section 69. Zondi said the guidance note was being finalised.
“It will be ready for consultation with stakeholders at the end of March,” she said.
In 2022, the IR also announced that – following information provided by the National Credit Regulator – it had started a “systemic” investigation into the unlawful trading of consumers’ personal information.
When asked for an update on the probe, Zondi said the investigation was ongoing.