In 2020, Everlytic and Elizabeth from Novation Consulting hosted a POPIA Webinar Series to unpack the legalities of the POPIA legislation that will be enforceable in South Africa from 1 July 2021. In this POPIA Q&A blog series, we share some of the questions we received during the three webinars and the answers Elizabeth provided. This blog covers the questions we received about data privacy laws and using personal information.
Data Privacy Laws & Using Personal Information Q&A:
Can I collect and store personal information on the basis that it’s in the legitimate interest of the business?
This is technical and controversial. What we know from overseas Regulators is that they generally don’t accept legitimate-interest arguments for the buying and selling of personal information or for scraping public sources / the internet. We believe our Regulator will probably follow a similar approach.
If you use a system to randomly generate cell numbers, not collecting / buying it somewhere, will that still be deemed personal information, and would we need consent to market to those numbers?
The cell phone on its own doesn’t reveal a person’s identity, but there are ways to reverse-lookup the data using the number. So, even though you don’t have the person’s name, this does still count as personal information. POPIA, therefore, does apply in this case.
At any event, you’ll probably contact the person using this number, which is marketing. So, if you’re sending SMSs, you’ll need to ask for consent to contact them, and for telemarketing you’ll need to respect their request to opt out of your calls if they ask.
Is there any way to continue to market via SMS and email to a prospect base of about 1.5 million consumers if we can prove that we’ve marketed to them many times before POPIA with the brand shown and a clear unsubscribe process?
You’re good to go if:
- You got the leads in the context of them purchasing your goods or services
- You told them you’d use their information for direct marketing
- You’ve always given them the opportunity to reliably opt out
- It’s the same or similar goods or services that you’re marketing to them
If you can’t meet all these, decide if you’re prepared to take a risk-based approach. If your opt-out process is water-tight, your list may not be 100% POPIA complaint, but your chances of people complaining is significantly lower. And you’ll have a base from which you can discuss with the Regulator if they do.
For more guidance, watch our POPIA webinars, listen to our POPIA podcasts, read our POPIA guide, or chat to a POPIA expert, like Elizabeth de Stadler from Novation Consulting.
Related POPIA Q&As
- What is Direct Marketing?
- Who’s Responsible for POPIA & What will Happen if They Don’t Comply?
- What You Can Do Before POPIA Becomes Enforceable
- Data Collection, Privacy & Storage
- Harvesting Data from the Internet & Social Media
- Getting Consent for Direct Marketing
- Marketing to Certain People Without Extra Consent
- Third-Party Consent for Direct Marketing
- Dealing with Unsubscribes from Your Direct Marketing
- Data Privacy Laws in Other Countries
- Other POPIA Rules
