The Protection of Personal Information Act (PoPIA) has shifted various crucial areas and processes within organisations across South Africa. These adjustments have been created for the important protection of personal information. While areas such as data collection and storage may come to the fore when thinking about compliance to PoPIA, direct marketing will also require a new approach entirely.
The Protection of Personal Information Act (PoPIA) has shifted various crucial areas and processes within organisations across South Africa. These adjustments have been created for the important protection of personal information. While areas such as data collection and storage may come to the fore when thinking about compliance to PoPIA, direct marketing will also require a new approach entirely.
To aid organisations in achieving and maintaining compliance, Impressions Signatures, a local provider of e-signatures, freely provides crucial information to businesses regarding the Act through its PoPIA Campaign. In a discussion with Carrie Peter, Solution Owner at Impression Signatures, some vital points with regards to direct marketing compliance came to light.
Direct marketing is the act of directly or indirectly engaging with a data subject with the purpose of either promoting or offering to supply goods and/or services, or to request a donation from the data subject. This applies to communications that are done in-person, telephonically, via automatic calling-machines, or on-line. According to Peter, Section 69 of the Act prescribes that direct marketing is now covered by additional legislation and has been prohibited, unless direct consent has been obtained from the data subject.
“If an organisation has requested consent from a data subject, and that subject has refused, then the organisation may not approach the same subject again. The Act specifies that a data subject may only be approached once for consent,” explains Peter.
Additionally, organisations may now only approach data subjects that are already existing customers. When these data subjects are approached it can only be for the promotion of the organisation’s own products and/or services, and only if the data subject has been given the opportunity to object to the use of their data. Organisations may not charge data subjects for this objection.
When the latter requirements are met and the business engages in direct marketing, it is imperative that the business details are included in all forms of communication, including a business address and contact number. This is needed to allow the customer the opportunity to request that the communication not continue and to opt out of future direct marketing.
“The stipulations in PoPIA have made it exceedingly clear that the data subject – namely, the organisations customer - must feel in control of the communication that is being received. This customer must have given permission for the direct marketing and must at all times, without fees or needing to give a reason, be allowed to opt out of any direct marketing communication,” continues Peter.
This new legislation changes the face of direct marketing in many ways. It means that purchased marketing databases are no longer allowed to be utilised. When organisations do periodic sales updates, they may only email their existing client database and must ensure that it is an updated list with any unsubscribed clients removed. This existing client database will also have had to have given consent to be contacted via that communication channel for the purpose of direct marketing. Once an approved customer list with appropriate consent is compiled and the marketing is disseminated, it is vital that the organisation’s details are provided and that the option and means to unsubscribe from such communication are made explicitly clear in each email and/or communication sent.
“Before a data subject’s name and/or information can be included in a direct marketing directory, the purpose and use of the directory must be overtly explained to the data subject in order to obtain consent,” concludes Peter.
She concludes that Section 70 of the Act indicates that if a data subject was included in a directory prior to the Act’s commencement, that data subject may remain in the directory. However, the data subject must receive a notification about their inclusion, the purpose of the directory, and be given the opportunity to opt out. If any data subject, at any point in time, refuses to be added or requests removal, they may not be approached again for the same directory.