Member Article

The Information Regulator has published a newGuidance Note on Direct Marketing(“Guidance Note”) under the Protection of Personal Information Act, 2013 (“POPIA”) outlining its views on the legal requirements for processing personal information for direct marketing.

In this article, we touch on key points outlined in the Guidance Note:

• Does the Regulator give clarity about what communications section 69 applies to?

Yes. Section 69 of POPIA applies to direct marketing sent by the responsible party to a data subject using an electronic communication. This is the section that requires responsible parties to obtain opt-in consent from prospective customers (who are not existing customers). The Regulator emphasises in the Guidance Note that section 69 applies to any form of unsolicited electronic direct marketing.

• What is covered by electronic direct marketing?

The Regulator provides a non-exhaustive list of what constitutes electronic direct marketing:

• telephone (see below)
• automated calling machines
• facsimiles
• SMSs
• email
• push notifications
• direct messaging on social media

*Authors’ note: This is a departure from POPIA, with the additional examples given by the Regulator relating to telephone, push notifications, social media direct messaging, and cookies.

• What about non-electronic direct marketing?

Classic examples of non-electronic direct marketing are door-knocking, or communications delivered by post or hand-delivered mail.

The restrictions in section 69 of POPIA do not apply to non-electronic direct marketing. The Regulator’s guidance is that the responsible party can still send communications to a data subject without their consent if it complies with section 11(d) or (f) of POPIA, namely legitimate interests of the responsible party, a third party, or the data subject. Where a responsible party does this, it is expected to conduct alegitimate interest assessment.

The Regulator acknowledges that legitimate interests are not defined in POPIA, and offers guidance on what this would be, relying on the dictionary and the European advisory body called the Article 29 Working Party.

Our view is that the Regulator’s guidance on legitimate interests is not relevant just to direct marketing, but to any processing that relies on sections 11(d) and (f). So, organisations relying on legitimate interests arguably are expected to conduct the type of assessment described by the Regulator in this guidance note, i.e.: purpose, necessity, and balancing.

• Is telephonic marketing regulated as direct marketing by means of electronic communication in terms of POPIA?

In the Regulator’s view, YES. The Regulator’s view is that telephonic communications now have a digital nature as they use Voice over Internet Protocol (VoIP), which is a form of packet-switched telephony rather than the older public-switched telephony used for analogue communications.

*Authors’ note: This is a material departure from how POPIA has been interpreted by many legal experts (the authors included) as marketing via telephone was understood to be non-electronic. The nuance added by the Regulator on VoIP and the digital nature of telephonic communications is an interesting point. However, our view remains that it was never the intent of the legislature to include telephone calls as part of electronic communications (as defined in POPIA). The Regulator’s view begs the question, why are analogue calls excluded from the ambit of s69, but not VOIP calls? The matter may likely only be settled officially in a court of law if this is enforced.

What on earth is VoIP?

VoIP calls travel over the internet instead of traditional phone lines. This is the technology behind apps likeSkype,WhatsApp, orZoom, and it’s also used by many phone companies to provide regular calling services more efficiently. In lay terms (as explained by our friend ChatGPT): “It's kind of like sending a puzzle in lots of pieces, and then putting it all back together when it arrives! VoIP lets you talk over the internet instead of using an old-fashioned phone line, and that's what makes calls cheaper and sometimes clearer too.”

Note: not all telephone calls will use VoIP, but most do nowadays. Traditional phone lines (also called landlines), which are still used by some homes and even some older businesses, do not use VoIP.

*Authors’ note: we question whether VoIP calls are “stored in the network or in the recipient’s terminal equipment until it is collected by the recipient” as required for a communication to be regarded as an “electronic communication” as defined in POPIA.

Is there any guidance on how to practically implement Form 4?

Partly, yes. Responsible parties must still use Form 4 (or something similar) to obtain consent from a data subject to send them direct marketing by means of electronic communication.

The Regulator provides the following guidance on using Form 4:

• Always use Form 4 (or something similar) when seeking consent for direct marketing by electronic communication from data subjects who are not existing customers;
• The key aspects of Form 4 which must be addressed are:
  • opt-in consent by the data subject;
  • description of the goods or services intended to be marketed;
  • opt-in for the type of method of communication to be used to send the communication ;
• The responsible party bears the onus of proving that a data subject has given consent (our advice: keep detailed records of the completed Form 4 for each data subject who has provided consent.)

Regrettably, there is no guidance around sample wording that organisations can use for opt-in requests enabled on websites, SMS (with limited space) or email communications. However, it is acknowledged that a responsible party who uses methods of communication such as a fax machine, an SMS or an email can use an electronic version of Form 4 to obtain consent of a data subject if it contains all the information prescribed in that form.

Additionally, according to the guidance, organisations can implement Form 4 if direct marketing is done over the telephone or an automated calling machine by reading out the contents of Form 4 to the data subject.

Does the Regulator give guidance on lead generation?

Yes. The Regulator recognises that leads are identified through various ways, including “sign-up forms, pop-ups, landing pages, and social media posts”. Parties must comply with sections 12(1) and (2) of POPIA, which deals with the collection of personal information from the data subject and exceptions to this requirement. Importantly, the Regulator guides that where responsible parties share the contact details of data subjects with other responsible parties and where third parties sell or rent lists in the context of direct marketing, it amounts to further processing and in terms of section 15, such processing must be compatible with the reason for collection. Further, this processing must also comply with the notification requirements set out in section 18 of POPIA.

Does the Regulator address a national opt-out database?

No.However, see below the mechanism of pre-emptive blocking under the Consumer Protection Act, 2008 (“CPA”).

Does the Regulator give guidance on how to manage objections by data subjects?

Yes. This will depend on whether the communication was sent through electronic means or non-electronic means.

• Non-electronic: The data subject must use Form 1 to object to the processing. Responsible parties are required to compile and maintain a database of all data subjects who have objected to direct marketing using non-electronic means.
• Electronic: The data subject must be given an opportunity to opt-out, and if they make this decision, the communications must stop.

The Regulator also refers to the “pre-emptive block” in terms of the CPA which allows a person to register a pre-emptive block against unwanted electronic direct marketing communications. The Regulator cautions companies that even if a person has not enabled this mechanism, it cannot be taken as an implicit consent to receive marketing communications. Companies must still follow the prescribed procedure in section 69 of POPIA.

What now?

As acknowledged by the Regulator, the guidance note is not legally binding and does not constitute legal advice. The provisions of POPIA and the Regulations will prevail over the guidance note in the event of any inconsistency. However, it does indicate how the Regulator interprets the law. If a responsible party chooses not to comply with the guidance note, it could be challenged by the Regulator or a data subject and would need to justify its processing activities.

Companies should carefully evaluate whether their existing policies, processes, and opt-in wording need revisions considering this guidance note. Furthermore, companies may seek a declarator from a court to clarify the interpretation of POPIA, particularly regarding the requirements for telephonic marketing, which ENS are able to provide assistance with.

A direct marketer or industry association could challenge the Regulator’s interpretation of POPIA as set out in the guidance note in court, by means of a declaratory order. Alternatively, the contents could be challenged on appeal by an organisation that has received an enforcement notice or fine for breach thereof.

 

Era Gunning

Executive Banking and Finance

[email protected]

 

Wilmari Strachan

Executive Corporate Commercial: Technology, Media and Telecommunications

[email protected]

 

Priyanka Raath

Senior Associate Corporate Commercial: Technology, Media, and Telecommunications

[email protected]