Direct Marketing Under South Africa's Protection of Personal Information Act - Part 1
This three-part mini-series will consider the regulation of Direct Marketing under data protection law. Part 1 will consider the position in South Africa under the Protection of Personal Information Act 4 of 2013 (“the POPIA”). Part 2 shall consider consider the position under the European Union’s General Data Protection Regulation (“GDPR”), as well as Recommendations and Guidelines from European Data Protection Authorities. Finally, in Part 3 the regulation of Direct Marketing under South Africa’s POPIA will be contrasted against that under the GDPR.
How Does POPIA Define Direct Marketing?
Under Section 1 of the POPIA Direct Marketing is defined as the:
“[approaching] of a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of — (a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or (b) requesting the data subject to make a donation of any kind for any reason”.
What does POPIA say about Direct Marketing?
Firstly, it is important to remember that Direct Marketing is a form of information processing and therefore:
POPIA’s 8 Conditions relating to the processing of personal information apply to all Direct Marketing activities; and The rights afforded to data subjects contained in the POPIA are secured for all data subjects who are subjected to Direct Marketing - including a specific right to object to Direct Marketing under Section 11(3)(b).
Having said that, POPIA does contain additional provisions specifically relating to Direct Marketing which are found under Chapter 8 of the POPIA (specifically under Section 69 thereof).
By default, direct marketing is prohibited under Section 69(1) - this includes direct marketing undertaken by means of any form of electronic communication, including automatic calling machines, fax machines, SMS or e-mail. Importantly, the wording of this provision is wide enough to include marketing through the internet and social media.
Section 69(1) provides for two possible scenarios where direct marketing would be considered lawful under the POPIA.
Scenario 1: where a data subject has consented to the processing; and
Scenario 2: where a data subject is already a customer of the responsible party.
Both of these scenarios require further discussion in order to properly set out the position under POPIA.
Regarding Scenario 1, a data subject will have consented to the processing where /a voluntary, specific and informed expression of will has been provided for the purpose of the processing of personal information/ (in this case, for direct marketing purposes) - in other words, a data subject must ‘opt-in’ to receive direct marketing from an organisation. Section 69(2) requires that a responsible party may approach a data subject for consent (unless a data subject has already been approached and withheld consent), only once in order to request the consent of a data subject. Furthermore, any collection of a data subject’s consent should, at the least, be accompanied by relevant policies/agreements setting out specifics of the purpose and scope of the intended processing.
Regarding Scenario 2, an organisation with pre-existing customers may engage in Direct Marketing practices to those customers (except where a data subject opts-out/withdraws consent). Interestingly, POPIA does not define the term ‘customer', however, Section 69(3) may provide direction as to what a ‘customer’ may mean. Section 69(3) reads verbatim as follows:
A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—
(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
(b) for the purpose of direct marketing of the responsible party’s own similar products or services; and
(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details —
(i) at the time when the information was when the information was collected; and
(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
Accordingly, it may be inferred that a ‘customer’, so far as Section 69 is concerned, refers to a data subject who has been sold a product or a service.
In the event that an organisation is entitled to conduct Direct Marketing, any communication for the purpose of Direct Marketing must contain the details of the identity of the sender, or the person on whose behalf the communication has been sent; and an address or other contact details to which a data subject may send a request that such Direct Marketing communications cease - Section 69(4)(a) and (b).
What Are The Implications For Organisations Engaging In Direct Marketing?
Considering the above, organisations should consider:
Providing appropriate terms and policies to regulate the collection and use of personal information when collecting personal information during Direct Marketing operations;
Ensuring that they have appropriate measures in place to process personal information lawfully when conducting Direct Marketing;
Keeping accurate and up to date records of their customer base; and
Keeping accurate and up to date records indicating where consent has been obtained and withheld.
When POPIA comes into effect (which is looking to be in the new financial year of 2020), the unlawful processing of personal information during Direct Marketing may result in organisations being the subject of complaints to the Information Regulator, fines up to R10 million and jail sentences of up to 10 years - depending on the severity of the offence, and even civil proceedings.
In Part 2, I will assess how the GDPR regulates Direct Marketing, and consider Recommendations and Guidelines from Data Protection Authorities.
Disclaimer: the information contained in this Article is for awareness and discussion purposes only and does not constitute legal advice. For any enquiries, please get in touch with me at firstname.lastname@example.org