Direct marketing vs POPI
29 May 2017
The Rise of Direct Marketing
Technology is progressively creeping into every segment of our lives. From smartphones to smart cars, from big data to the internet of things – the avenues through which our brains are exposed to direct marketing have become absolutely endless. And with these ubiquitous channels for mind control and manipulation, come the risks of losing our privacy and our identities.
Millions of unsuspecting victims are bombarded on a regular basis by smses and emails offering low-interest loans, funeral plans, gym memberships and insurance. Many more answer cold-calls from unrecognised numbers, thinking it’s a work related matter, or a potential future lover, only to be pestered by a call centre employee in Westville, Durban, trying to sell them a new cell phone contract. Unfortunately, as our personal information and contact details become ever more available, we are increasingly becoming casualties of intrusive, unauthorised, direct marketing.
But where are all these advertisers getting our information? More and more organisations are embracing the latent power of personal information – your name, number and habits have become a valuable commodity. Every time you fill in a form, subscribe to a service online, or simply surf the net, your personal information is being collected, analysed and often sold to information-hungry organisations. And with social media giants such as Facebook, Google, Instagram and Snapchat secretly ruling our lives through our addiction to technology, privacy is becoming a dwindling rarity. As a result, various measures have been taken in an attempt to protect what is left of our ‘private’ lives.
POPI to the Rescue
The Protection of Personal Information Act 4 of 2013 (POPI) was designed to serve as one of the measures to protect us from direct marketing. It is intended to establish conditions which are in harmony with international standards, and which prescribe minimum threshold requirements for the lawful processing of personal information.
POPI was signed and assented to by our President in November 2013 and only certain sections, such as the appointment of the Information Regulator, have already come into effect. The remainder of POPI should hopefully come into effect before the end of 2018.
The proposed Act published in the Government Gazette[1] defines POPI’s function as follows:
“To promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.”[2]
Basically, the intention of POPI is to regulate the way in which local entities collect, store, handle, safeguard and use your personal information. Entities in sectors such as financial services and telecommunications, which require the collection of immense amounts of personal information, will be particularly affected. They will have to initiate strict and comprehensive compliance activities and policies at all levels of their organisations. Non-compliance may lead to fines of up to R10 million per incident, and up to 10 years’ jail time, thereby forcing entities and individuals to take POPI very seriously.
So how exactly is POPI supposed to protect your personal information from getting into the hands of tenacious insurance brokers? The Act explains that it is all about ‘consent’. POPI is concerned with the consent of the person giving the information. Accordingly, the information may only be used in a certain way for the specified purpose for which it was given. If it is not used according to the intended purpose of the information provider, the use of such information will be regarded as an act which contravenes POPI, and can subsequently result in significant fines or jail time.
By way of example, when you fill out your information on your health insurance website in the hopes of solving a specific problem, POPI dictates that the information may ONLY be used by your medical aid in assisting you with that PARTICULAR problem. They may not add your email address to their birthday mailing list nor may they sell it to any other company for any reason whatsoever.
A contravention of POPI may also encourage the Information Regulator to issue an “enforcement notice” ordering the relevant organisation to completely stop processing personal information. Such an order can cause tremendous inconvenience and disruption to the con-complying party’s business operations.
What is POPI’s Reach?
Will POPI protect you from international companies acquiring your personal information? Subject to five requirements (section 72), POPI prohibits the transfer of information out of South Africa. One of the requirements is that the foreign third party must have rules or policies in place providing for the adequate protection of the data, which are substantially similar to those provided by POPI. Additionally, POPI requires that the information providers give their prior consent for their data to be transferred across international borders. The Regulator has the power to “facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation.”
With regards to personal information gathered by CCTV cameras and entrance registers at relevant premises, once again such information may only be used for the intended purpose of the information provider. Such information is generally provided solely for the purpose of complying with reasonable security measures in order to gain access to the premises. Posting CCTV footage on Youtube or selling the information contained in entrance registers will become a serious offence. The entity collecting the personal information bears the responsibility to store, safeguard and use the information for its intended purpose only.
What now?
Until POPI comes into full force, many of us will have to tolerate the willy-nilly distribution of our personal data. In the meanwhile, there is a DMA National Opt-Out Database (Direct Marketing Association of South Africa) which one can register on. One simply needs to provide them with one’s full name, address, phone numbers, email addresses, shoe size (not really), and I.D number, but as the authors have never tried it themselves, we cannot comment as to its efficacy. Additionally, one can only assume that not all the organisations which enjoy harassing us are members of the DMA.
The True Caller mobile app provides another mechanism to minimise spam phone calls. It enables the user to identify the person or company calling before picking up the phone, and can also block spam numbers.
Hopefully, once POPI is officially promulgated into law, the imminent fines will be a sufficient deterrent to unwanted direct marketing. To truly be successful, the executive and judicial arm of the South African government will have to enforce POPI compliance effectively, keeping best practice principles in mind. This will require the allocation of sufficient resources, educational and promotional efforts, and a realistic enforcement strategy.
[1] Government Gazette vol. 581 26 November 2013 no. 37067.
[2] Government Gazette vol. 581 26 November 2013 no. 37067 page 2.
(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)