POPIA Guest Post: Don’t Throw the Database Out with the Bath Water

The long-awaited Protection of Personal Information Act (POPIA) finally came into effect on 1 July 2020. The announcement by the President triggered the start of a one-year period for South African organisations to make sure that they comply. So D-day is 30 June 2021.

Marketers will perhaps feel the effect of POPIA more than most. This is because POPIA changes the rules about consent for direct marketing. Even though a lot of the focus has been on consent, how the marketer got the lead in the first place may be even more important.

Before we get started, a word of caution: POPIA is old, but also brand new. What this means is that different legal advisers will have different views. Check with your legal adviser before you make any decisions.

Now, let’s take it from the top…

According to the POPIA, direct marketing is ‘electronic’ communication that is directed at a person and that promotes or offers to supply any goods or services, or requests donations from that person.

• emails
• SMS messages
• direct messages sent via social media platforms
• advertising sent to a custom audience via social media platforms (where you know exactly who you are targeting by name)

Once you have established that it is direct marketing you want to send out, your next step is to establish whether you need to get an opt-in consent from the person before you start marketing to them.

What about telemarketing? Section 69 (direct marketing by means of unsolicited electronic communications) does not apply, but the rest of POPIA still does. More about that in section 6 below.

If you are contacting a person for the first time, you will need to obtain consent for any unsolicited electronic marketing. In other words, where you want to contact a person for the first time with marketing communication that they didn’t ask for, you must obtain consent before sending your marketing.

The consent must:

• be a voluntary, specific, and informed expression of will.
  • Voluntary means that the consent must be a genuine choice.
  • Specific and informed means that it must be clear what direct marketing the person is consenting to.
  • Expression of will means that the person must give consent through a clear, unambiguous affirmative act. The use of pre-ticked opt-in boxes, or double negatives are not allowed.
• be an opt-in, which means that if the person does nothing (i.e. does not tick the box), that person will not receive marketing.
• contain the identity and contact information of the marketer as well as a person designated to act on behalf of the marketer (usually the information officer or the deputy information officer).
• contain the full name of the person who gives consent.
• be signed in person or electronically.
• Include:
  • the date and location where consent is given
  • the goods or services that will be marketed (in general terms or classes of goods)
  • the method of communication (e.g., email, SMS).

Some important good news: You don’t need to use the Regulator’s form 4 word for word. Just make sure that the form you use is clear, understandable, and substantially similar.

There will be many instances when you don’t need an opt-in consent for electronic direct marketing. In general, if the person you want to market to has an existing relationship with you, it won’t be necessary to get consent. For instance, if the person applied for your products or services already, they subscribed to your newsletter before, or they asked you for more information.

Direct marketing consent is not required from a person if:

• you collected the person’s personal information while they were enquiring about or purchasing your goods or services,
• the person was told that their personal information would be used to send marketing communications,
• you only send marketing communication for your own goods or services, and those goods or services are similar to the ones the person contacted you about or purchased,
• the person is given an opportunity to unsubscribe at the time their information was collected (i.e. they were given an opportunity to opt out), and
• the person can unsubscribe every time they receive marketing communications from you.

You need to comply with all of the above requirements. If any of the requirements are not met, an opt-in consent must be obtained before marketing communications can be sent.

To avoid having to get an opt-in consent, you need to comply with all the requirements we’ve listed, and you must be able to prove that you comply. This means that you need to know where you got the information in your database, the circumstances under which you got it, and what privacy notices or terms and conditions were in place at the time and that you have an ironclad unsubscribe process in place.

On that note, where you got the lead from in the first place is very important.

Here is a typical list of where direct marketers get information from and what the implications are from a POPIA perspective:

Here are two interesting cases about data broking or lead generation from the European Union:

• A company called Bisnode was fined €220 000 for failing to inform 6 million individuals that it was using their personal information.
  • The company collected the information from government public registers and then sold the information, but because it was too expensive to inform everybody on its database of the processing activity, Bisnode merely published a notice on its website and only contacted those individuals for whom it had email addresses.
  • The Polish regulator held that these steps were insufficient and, in addition to fining the company, ordered it to notify all individuals on the database despite the company’s objection that it would cost €8 million to do so.
• A company called Bounty was fined £400 000 for repeatedly sharing the information of more than 14 million people with third parties for purposes of electronic marketing.
  • The information was shared more than 17 times per year which the UK Information Commissioner’s Office (the ICO) considered ‘an unprecedented number’. Bounty was fined because it did not disclose who the information would be shared with to the affected individuals. Stating that it will be shared with ‘selected third parties’ who were not specifically named was not sufficient.

This illustrates what TechCrunch said, namely that ‘the strength of data protection under GDPR is a lot more than the deterrent of top-line fines. It’s accompanying orders that can really rearrange business practices.’

POPIA is very similar to the EU’s General Data Protection Regulation – so we pay attention to what happens over there.

Yes, it is true that you don’t need consent to do direct marketing via the telephone (unless you are a robot or you leave a message). However, the reason why you obtained the information will still matter. You may still need consent, unless the telephone number:

• was given to you by the person, so you could call them for purposes of direct marketing, or
• you got the telephone number from a public record administrated by a public body (so, not the internet), or
• you can prove that the person deliberately made their telephone number public.

If none of these three things apply, you will still need to obtain consent to use that telephone number for direct marketing, because it will be seen as further processing. For the lawyers, go read section 15. So, telemarketing is not that different to electronic marketing after all.

Please do not throw the database out with the bath water. Some of you may know exactly where your data came from and have a database that already complies with POPIA. See paragraph 4 above.

For those of you who are not that privileged, you still need to think long and hard before you decimate your database with a re-consent campaign. We recommend that you take a risk-based approach. If your database is driving enough sales, maybe taking a risk is okay? We recommend this when:

• Your ROI on marketing to this base is high
• They gave you their personal information themselves for another reason (i.e. they know what you have their information)
• You have marketed to them before, so they know to expect marketing from you
• You are going to send them the same type of marketing as before, about products they expect to receive marketing about
• You have always given them the opportunity to unsubscribe easily, and you listen to them when they do
• You have sent them a message to say ‘POPIA is coming, here is our new privacy notice. We will miss you, but please let us know if you don’t want to hear from us again.’
• No one has ever complained to you about having their personal information and using it for direct marketing

Teeeeechnically, there is an argument to be made that you don’t comply with section 69(3) and should have re-consented your base. What is the worst that can happen? Most people will just unsubscribe if you irritate them. Worse case scenario, someone complains to the Information Regulator and they tell you to stop and might fine you, but if the ROI justifies the risk? At least have the conversation.

Data privacy and POPIA compliance is a big trend in 2021. Other trends include internal communication strategies, data science, marketing after the sale, and more.