Amended POPIA Regulations tighten the screws on direct marketing

Amendments to the Regulations issued under the Protection of Personal Information Act (POPIA) have introduced stricter consent requirements for sending direct marketing communications to consumers.

The Information Regulator published the amendments in Government Gazette No. 52523 on 17 April. The amendments, which change the Regulations published in December 2018, came into effect immediately upon publication.

The amendments significantly enhance the rights of “data subjects” and clarify the compliance requirements for “responsible parties”.

POPIA defines a responsible party as “a public or private body, or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

In simple terms, a responsible party is a person or organisation that decides what personal information to collect, why the information is being collected, and how that information will be used, stored, and protected.

A “data subject” is a person whose personal information is being collected, stored, or used.

Now that the amended Regulations are in force, organisations that want to send unsolicited communications for direct marketing purposes must first obtain the data subject’s consent.

Responsible parties are no longer required to use Form 4 to obtain a data subject’s consent. The amended Regulations allow for consent to be obtained in a form “substantially similar to” Form 4, as long as it is “expedient, free of charge, and reasonably accessible” to a data subject. The channels through which consent may be obtained include email, phone calls, SMS, WhatsApp, fax, or automated calling machines.

If a request for consent is made telephonically or by an automated calling machine, an organisation must keep an electronic recording of the consent, and make the recording, or a transcription thereof, available to the data subject – free of charge – upon request, Nadine Mather and Pascale Towers of Bowmans say in their commentary on the amendments.

They said this requirement aligns with the Guidance Note on Direct Marketing released by the Information Regulator late last year.

Mather and Towers highlight that the amended Regulations explicitly state that an “opt-out” option does not constitute valid consent; consent must be a positive action.

In addition to the consent requirements for direct marketing, here is an overview of the other key changes introduced by the amendments.

Enhanced rights for data subjects

The amendments significantly strengthen the rights of data subjects, making it easier for them to exercise control over their personal information.

Data subjects no longer have to use Form 1 to object to the processing of their personal information. However, they must do so on a form that is “substantially similar to Form 1” and is free of charge and “reasonably accessible”. The channels through which an objection may be lodged include hand delivery, fax, post, email, SMS, WhatsApp, or any other expedient manner.

Moreover, organisations are required to inform data subjects of their right to object when collecting their personal information. This proactive obligation ensures that data subjects are aware of their rights from the outset.

Similarly, data subjects can request the correction, destruction, or deletion of their personal information at any time and free of charge if the personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.

Requests for the correction, destruction, or deletion of personal information must be made on a form that is “substantially similar” to Form 2 and is free of charge and “reasonably accessible” – through the same multi-channel options as when lodging objections.

If an objection or a request for a correction or deletion is made telephonically, a responsible party must keep an electronic recording of the objection, and make the recording, including the transcription thereof, available to the data subject upon request.

Organisations must respond to requests for the correction or deletion of personal information within 30 days, notifying the data subject in writing of the action taken.

Improved complaints process

The complaints process has been enhanced to make it more accessible and inclusive.

Complaints can now be lodged by:

  • A data subject whose personal information has been interfered with, or someone acting on their behalf.
  • Any person with a sufficient personal interest in the subject matter of the complaint.
  • A responsible party or data subject who is aggrieved by the determination of an adjudicator in terms of section 63(3) of POPIA.
  • Any person acting in the public interest.

Complaints must be submitted in writing using the prescribed form (Form 5, available on the Regulator’s website) and can be delivered via email, fax, post, courier, or by hand.

The Information Regulator is required to assist complainants in reducing their complaints to writing and to accommodate complaints in languages other than English.

Additionally, the Regulator must acknowledge receipt of complaints within 14 days, and the identity of complainants will be protected if the complaint involves information covered by the Protected Disclosures Act.

Responsibilities of Information Officers

The amended Regulations remove the duty of Information Officers to develop a manual under the Promotion of Access to Information Act (PAIA).

However, Information Officers must now ensure that their organisation’s POPIA compliance framework is “continuously improved”.

Administrative fines and payment options

A notable addition is the provision for administrative fines to be paid in instalments. Organisations unable to pay a fine in a lump sum can arrange instalment payments with the Information Regulator. The Regulator will consider the organisation’s financial circumstances and other relevant factors when determining the payment period.

New and clarified definitions

The amended Regulations introduce several definitions to provide greater clarity and certainty in their application. These are:

“Complainant” and “complaint”, which now explicitly recognise that any person may lodge a complaint with the Information Regulator, aligning with specific provisions of POPIA (sections 74, 76, and 92).

“Day” is clarified to mean any calendar day, excluding Sundays and public holidays when calculating time periods, in line with the Interpretation Act.

“Office hours” specifies the operational times for both the Regulator and designated bodies, which further aids in procedural certainty.

“Relevant bodies” is introduced to support industry-specific codes of conduct, acknowledging that any specified industry or profession, or class of industries or professions, that has sufficient representation may apply for the issuing of a code of conduct.

“Writing” is defined to include electronic documents or information that is accessible – creating consistency with the Electronic Communications and Transactions Act.

Transitional provisions

The amended Regulations include transitional provisions, so that any actions taken under the 2018 Regulations remain valid under the new framework where applicable. This ensures legal continuity and minimises disruption for organisations already compliant with the previous Regulations.
