POPIA Q&A: Data Privacy Laws & Using Personal Information

In 2020, Everlytic and Elizabeth from Novation Consulting hosted a POPIA Webinar Series to unpack the legalities of the POPIA legislation that will be enforceable in South Africa from 1 July 2021. In this POPIA Q&A blog series, we share some of the questions we received during the three webinars and the answers Elizabeth provided. This blog covers the questions we received about data privacy laws and using personal information.

Data Privacy Laws & Using Personal Information Q&A:

Can I collect and store personal information on the basis that it’s in the legitimate interest of the business?

This is technical and controversial. What we know from overseas Regulators is that they generally don’t accept legitimate-interest arguments for the buying and selling of personal information or for scraping public sources / the internet. We believe our Regulator will probably follow a similar approach.

If you use a system to randomly generate cell numbers, not collecting / buying it somewhere, will that still be deemed personal information, and would we need consent to market to those numbers?

The cell phone on its own doesn’t reveal a person’s identity, but there are ways to reverse-lookup the data using the number. So, even though you don’t have the person’s name, this does still count as personal information. POPIA, therefore, does apply in this case.

At any event, you’ll probably contact the person using this number, which is marketing. So, if you’re sending SMSs, you’ll need to ask for consent to contact them, and for telemarketing you’ll need to respect their request to opt out of your calls if they ask.

Is there any way to continue to market via SMS and email to a prospect base of about 1.5 million consumers if we can prove that we’ve marketed to them many times before POPIA with the brand shown and a clear unsubscribe process?

You’re good to go if:

  • You got the leads in the context of them purchasing your goods or services
  • You told them you’d use their information for direct marketing
  • You’ve always given them the opportunity to reliably opt out
  • It’s the same or similar goods or services that you’re marketing to them

If you can’t meet all these, decide if you’re prepared to take a risk-based approach. If your opt-out process is water-tight, your list may not be 100% POPIA complaint, but your chances of people complaining is significantly lower. And you’ll have a base from which you can discuss with the Regulator if they do.

For more guidance, watch our POPIA webinars, listen to our POPIA podcasts, read our POPIA guide, or chat to a POPIA expert, like Elizabeth de Stadler from Novation Consulting.

Related POPIA Q&As

Found this interesting? Share it!

Ready to transform your communication?

Everlytic isn’t just a platform, it’s your competitive edge! Sign up today to start creating more impactful, engaging communication with ease!
image of a laptop with email marketing analytics on the screen

Book A Demo

See Everlytic in action with a personalised walkthrough from one of our messaging experts.
person looking at their phone while very happy

Get Started

We’ve got a package for you, no matter where you are in your bulk communication journey.