The Information Regulator’s Guidance Note on Direct Marketing under POPIA has put an end to the debate: telephone calls are now officially considered electronic communication. Why? Because telephone technology has evolved into the digital age, making it part of the electronic communication landscape.
Section 69 of the Protection of Personal Information Act (POPIA) prohibits direct marketing by means of unsolicited electronic communications. The Act defines “electronic communication” as any text, voice, sound, or image message sent over an electronic communications network that is stored in the network or the recipient’s terminal equipment until the recipient collects it.
The debate over whether a telephone call constitutes an electronic communication in terms of POPIA has been used by many a direct marketer as a loophole to the great irritation of consumers.
Advocate Pansy Tlakula, the chairperson of the Regulator, has repeatedly in the media addressed concerns about direct marketing through unsolicited electronic communication, acknowledging the public’s frustration with the increase in spam calls.
Earlier this year, the Regulator announced it had drafted a guidance note on direct marketing to help public and private entities comply with POPIA when processing personal information for marketing purposes.
In June, the Regulator shared this draft with stakeholders in the direct marketing sector and on 25 September engaged with them on the final version of the guidance note.
The final version of the guidance note released this week “assists in the interpretation of POPIA in relation to direct marketing as defined in POPIA”.
Section 69 of POPIA
Section 69 lays out strict rules on how personal information can be used for electronic communication such as calls, SMS, emails, and faxes, balancing marketing interests with consumer privacy rights.
At the heart of this section is a fundamental principle: no unsolicited communication without consent. Whether it is an SMS promoting a special offer or an automated call about a new service, marketers must secure the data subject’s explicit permission – unless they’re dealing with an existing customer.
However, even that exception has strings attached. If the customer’s contact details were collected during a previous transaction, marketing is only allowed for similar products or services, and the customer must have a simple, free option to opt-out at any time.
Businesses are given one chance to seek consent from non-customers. But after that, if the individual says no, it’s game over. And for those wondering about those annoying automated calls, POPIA makes it clear: machines that dial without human intervention are included in these restrictions.
Section 69 further notes that in every direct marketing message, the sender must be clearly identified, and a contact method must be provided for recipients to opt-out.
Telephone calls redefined as electronic communication
Traditional telephone calls now fall squarely within the category of electronic communication.
This shift is rooted in the evolution of telephone technology. The Regulator explains that with the move from analogue systems to Voice over Internet Protocol (VoIP), phone calls are no longer simple voice transmissions. Instead, they involve a complex process where analogue signals are converted into digital data packets, transmitted over the internet, reassembled, and corrected for errors before reaching the recipient. According to the Regulator, this transformation from public-switched telephony to packet-switched telephony places telephone calls on the same technological footing as other digital communication methods.
The Regulator also expands the definition of unsolicited electronic communication for direct marketing beyond traditional phone calls, emails, and SMS to include:
- automatic calling machines;
- facsimiles (fax);
- push notifications;
- direct messaging on platforms such as Instagram and LinkedIn;
- the use of cookies for targeted marketing.
Crucially, the Regulator notes that these methods are not exhaustive, leaving room for new forms of electronic messaging that may emerge in the future.
When the data subject is not a customer
As already mentioned, under POPIA, a responsible party must obtain explicit consent from a data subject before sending unsolicited electronic communications for direct marketing purposes, particularly if the data subject is not a customer. This means that the first communication sent must be solely to request consent for marketing, sales, or donation purposes.
The guidance note introduces the use of Form 4 (or a similar version that is accessible and free of charge), prescribed by the Regulator, to obtain consent.
The form must include:
- Consent to receive marketing messages via unsolicited electronic communication.
- A clear description of the goods or services being marketed, ensuring voluntary and informed consent.
- The preferred communication method of the data subject, which the responsible party must honour.
The guidance note states that for electronic methods such as fax, SMS, or email, Form 4 can be submitted digitally. The form should include the options “I give my consent” or “I do not give my consent,” with the data subject’s choice recorded.
If consent is obtained via telephone or automatic calling machines, the responsible party must read out the form’s contents or ensure the recorded message includes all the required information. The data subject’s response must also be recorded.
Importantly, the onus of proving consent rests with the responsible party. Data subjects can withdraw consent at any time, but this will not affect any direct marketing messages already received before the withdrawal.
Form 4 can be obtained from the Information Regulator’s website here.
When the data subject is a customer
The guidance note clarifies that when the data subject is a customer, the responsible party may send unsolicited direct marketing messages if they have obtained the data subject’s contact details in the context of a product or service sale. For example, when a customer opens an account at a retail store, their contact details can be recorded for this purpose.
Direct marketing can only be for similar products or services. In a clothing store, this might include items such as shoes, belts, or accessories. However, products such as funeral insurance would not be considered similar.
The note also underscores that the data subject must be given a reasonable opportunity to object to the use of their contact details for direct marketing.
This can occur at two points:
- At the time of data collection: For instance, when opening an account at a clothing store, the responsible party should ask the data subject if they object to receiving direct marketing messages for similar products. If the data subject objects, marketing messages cannot be sent.
- After the initial consent: If a data subject initially consented to receiving direct marketing messages, they must be given the chance to object with each subsequent communication. Importantly, if the data subject was not asked for consent at the time of opening the account, silence cannot be interpreted as consent. Consent must be voluntary, specific, and informed.
Any communication sent by the responsible party for direct marketing must include the following information:
- The identity of the sender, or the entity on whose behalf the communication is being sent.
- An address or other contact details through which the recipient can request that such communications cease.
Additionally, the responsible party is required to maintain a database of data subjects who have either withheld their consent or objected to receiving such communications.
Lead generation and profiling – where the Regulator stands
The guidance note also delves into complex issues in the direct marketing field, such as lead generation and profiling.
Leads are typically identified through methods including, but not limited to, “sign-up forms, pop-ups, landing pages, and social media posts”.
The Regulator explains that these techniques allow for the collection of personal information and the generation of contact lists for data subjects.
“Where the responsible parties share the contact details of data subjects with other responsible parties and where third parties sell or rent lists in the context of direct marketing, this is deemed as further processing.”
Therefore, it must adhere to the processing requirements outlined in POPIA, the Regulator notes.
Profiling, although not defined in POPIA, is also addressed in the guidance note. The Regulator highlights that data subjects have the right “not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person” as provided for in POPIA.
The process of generating leads often involves collecting vast amounts of personal information, requiring automated methods of processing. Section 71(1) of POPIA limits automated decision-making under the following conditions:
- A data subject is subject to a decision that results in legal consequences or significantly affects them.
- The decision is based solely on automated processing of personal information.
- The processing is aimed at creating a profile that relates to, but is not limited to, the data subject’s performance at work, creditworthiness, reliability, location, health, personal preferences, or conduct.
For section 71(1) to apply, all these conditions must be met, the Regulator notes.
“Compliance with the conditions for lawful processing of personal information while processing personal information for the purposes of lead generation, profiling, information matching programme and automated decision-making, is expected of the responsible party. Non-compliance will be deemed to be in breach of POPIA,” the Regulator states.
Regarding the legal effect of the guidance note, the Regulator clarifies that it is advisory in nature and does not constitute legal advice. In cases of any inconsistency, the provisions of POPIA and its regulations will take precedence over the guidance note.
Read the full guidance note here.
Who/how can I report email address please?