In February, the Information Regulator issued a noteworthy enforcement notice against a local training institution following a complaint regarding the company’s direct marketing practices.
The complaint was filed by an individual – or “data subject” – who, after multiple attempts to opt out and requests to be removed from the company’s emailing list, continued to receive countless direct marketing messages from them.
After investigating the complaint, the Information Regulator found that the training institution interfered with the protection of personal information of the data subject, thus breaching the conditions for the lawful processing of personal information.
Moreover, it was also found to be in contravention of Sections 69(1) and (2) for sending unsolicited electronic communications through emails pertaining to the courses and webinars which it offered, without first obtaining consent.
The training institution was ordered to implement the remedial actions mentioned in the enforcement notice within 90 days. Failure to adhere to an enforcement notice is a contravention of the law, and upon conviction, it can result in a fine of up to R10 million or imprisonment for a period not exceeding ten years (or both).
What constitutes electronic communication in POPIA?
Section 69 of POPIA regulates direct marketing by means of unsolicited electronic communications but what exactly falls under the definition of “electronic communications”?
Section 1 of POPIA defines electronic communication as any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
Section 69(1) further specifically mentions automatic calling machines, facsimile (fax) machines, SMSs or email. Section 69(5) defines an automatic calling machine as a machine that can make automated calls without human intervention.
There is a grey area in the law when it comes to telephone calls where there is human intervention – for example, a call centre agent who persistently calls, trying to sell you something. There are conflicting views about whether telemarketing is allowed or prohibited under POPIA because telephone calls are received instantly and is not stored in the network (as is required by the definition of electronic communication). Thus, it would appear that telephone calls don’t meet the definition of electronic communications for the purposes of POPIA.
However, you can argue that other provisions of POPIA, such as consent, justification and objection for the lawful processing of personal information, still apply to telemarketing.
Interestingly, the Information Regulator covered telephone use in the enforcement notice against the training institution. It ordered the company to, amongst other things, immediately stop sending unsolicited direct marketing messages by any means to any data subject whose consent is required and who has not consented to receiving such messages. In this case, any form of electronic communication included email, SMS, fax machine, automatic calling machine or telephone.
The Information Regulator has taken notice of the public’s frustration with the surge in direct marketing calls and messages. Addressing this concern, Information Regulator Chairperson Advocate Pansy Tlakula stated: “Our leniency regarding direct marketing through unsolicited electronic communications is going to be a thing of the past because responsible parties [public or private bodies] ignore the provisions of Section 69 of POPIA and infringe on the rights of data subjects. In response to this, we are also putting together a guidance note which will clearly spell out the dos and don’ts of processing personal information for the purposes of direct marketing by means of unsolicited electronic communication.”
A draft guidance note on direct marketing is expected to be issued soon and will be open for public consultation before the final version is published.
What can direct marketers do to remain compliant with POPIA?
If you conduct direct marketing practices, here is what you need to do:
- Obtain consent: Ensure you obtain the necessary consent from individuals before engaging in direct marketing activities. This consent should be requested in a clear and transparent manner during the initial contact and should only be sought once. Additionally, you need to ask the data subject what their preferred method of communication is and respect their choice. Don’t contact someone who had previously withheld consent. (Note that direct marketing by electronic communications can be sent to individuals that are your customers without their consent, provided that certain conditions are met.)
- Use the correct forms: When getting consent, use the prescribed paperwork. The POPIA Regulations specifies Form 4 for obtaining written consent for the purpose of direct marketing by electronic communication. Alternatively, the Regulations permit any form that is substantially similar to Form 4.
- Keep a database: It is advisable to maintain a record of all data subjects who have given their consent to receive direct marketing messages, as well as of those that withheld consent. Keeping and using a database is necessary and can help prevent the business from contacting individuals who have withheld consent or who, having initially provided consent, later opted out or withdrew their consent.
- Implement a compliance framework: Get a compliance framework in place in terms of Regulation 4(1)(a) of POPIA. The framework can include policies, procedures and controls for ensuring POPIA compliance specific to direct marketing in your business. For example, what information must be contained in your direct marketing communication as prescribed by Section 69(4) of POPIA.
- Train your team: Make sure your staff understands POPIA and keep a record of all training activities. The training should cover direct marketing as set out in Sections 69 and 11(3) and (4) of POPIA.
Navigating regulatory complexity?
The recent enforcement notice by the Information Regulator serves as a stark reminder for direct marketers and businesses to follow best practices to prioritise POPIA compliance.
Despite grey areas in the law regarding direct calls by human telemarketers, the enforcement notice indicates that the Regulator expects businesses to respect individuals’ privacy rights and ensure the lawful processing of personal information.
For any business, having an effective POPIA compliance framework in place, along with sufficient staff training, is crucial. By prioritising transparency, consent and adherence to regulatory frameworks, direct marketers can navigate complexities while effectively safeguarding individuals’ privacy rights.
(A Section 89 PoPIA Assessment: What to expect).