A South African guide to direct marketing

05 Nov 2021

Direct marketing is primarily governed by two pieces of legislation in South Africa; namely, the Protection of Personal Information Act, 4 of 2013 (POPIA) and the Consumer Protection Act, 68 of 2008 (CPA).

General marketing requirements under POPIA

Whenever processing a data subject’s personal information under POPIA, responsible parties must satisfy all their compliance requirements under POPIA, which include:

• There being a lawful basis for the collection and use of the personal information. Usually this will be reliance on the data subject’s consent or the responsible party’s legitimate interests.
• Notifying data subjects that their personal data will be used for marketing purposes.
• Securing the integrity and confidentiality of personal information in the responsible party’s possession or under its control by taking reasonable, technological and organisational measures to protect the personal information being processed. This will include making sure that there are written contracts in place with service providers that send direct marketing on the responsible party’s behalf, such as external advertising agencies, that contain appropriate data protection obligations.
• Not transferring personal information outside of South Africa unless there is adequate protection in place on its receipt.

Direct marketing requirements under the CPA

The CPA protects both natural persons and juristic persons where a juristic person’s annual turnover is below two million Rand (being the current threshold set by the Minister of Trade and Industry).

Right to opt-out

Under the CPA, all consumers have the right to opt-out of direct marketing sent by whatever means. In this regard, a person authorising or conducting any direct marketing must:

• implement appropriate procedures to facilitate the receipt of any opt-out demands; and
• not charge a consumer a fee for exercising their right to opt-out.

Where data subjects exercise their opt-out rights, responsible parties should suppress rather than delete their contact details (i.e. retain a record of those individuals that may not be sent marketing communications, unless and until they change their mind and opt back in at a later date). For this reason, responsible parties should always cleanse, cross-reference, and update their contact lists against their internal opt-out records before initiating marketing communications.

In addition, the Consumer Commission may establish a national opt-out register for the purpose of direct marketing. To date the Consumer Commission has failed to set-up such registry. However, the Direct Marketing Association of South Africa (DMASA) hosts a national opt out register (accessible Here), whereby users can indicate their intention to not receive direct marketing messages.

Prohibited times for direct marketing

The CPA further sets out specific times that consumers may not be contacted for the purposes of direct marketing. A marketer may not engage at all in any direct marketing directed to a consumer at home on:

• Sundays or public holidays;
• Saturdays before 9am and after 1pm; or
• on all other days, after 8pm or before 8am,

except to the extent that the consumer has expressly or implicitly requested or agreed otherwise.

Direct marketing requirements under POPIA

Under section 69 of POPIA, it is clear that direct marketing by means of any form of electronic communication (i.e any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient) is prohibited unless the data subject:

• is an existing customer of the responsible party (see the soft opt-in rule set out below);
• is not a customer of the responsible party, but has provided consent to the direct marketing;
• has not previously withheld consent; and
• consent was obtained in the prescribed manner and form.

The general rule under POPIA is that most forms of digital marketing, other than telemarketing, require the prior opt-in consent of the intended recipient. The exception is the soft opt-in rule.

Soft opt-in rule

POPIA allows a limited exemption from the strict opt-in consent requirement for direct marketing by means of electronic communication to data subjects whose details the responsible party obtained in the context of the sale of a product or service.

This allows responsible parties to send electronic communications on an opt-out basis provided that:

• the responsible party obtained the data subject’s electronic mail contact details “in the context of the sale of a product or a service”;
• the responsible party sends direct marketing to those data subjects about “its own similar products or services” only; and
• the responsible party clearly and distinctly gave those data subjects the opportunity to opt-out of marketing by electronic communications in a way that is simple and free of charge both (i) at the time their details were initially collected; and (ii) in each subsequent marketing communication.

Telemarketing and cold calling

As person-to-person marketing (or telemarketing) does not fall within the ambit of “direct marketing by means of any form of electronic communication” contemplated in section 69 of POPIA, there is no express requirement to obtain a data subject’s consent to telemarketing. However, it is noted that opt-in consent is necessary for direct marketing by means of automated calling machines.

In the absence of the requirement for the data subject’s consent to direct marketing by means of telemarketing, responsible parties must instead look to rely on their legitimate interests as an alternative lawful ground to conduct telemarketing. A responsible party will therefore need to balance its interests against the rights and interests of the data subject. Factors to consider include:

• Whether the data subject is an existing customer of the responsible party, making it more likely that the data subject would expect to receive marketing from the responsible party.
• The nature of the products and services the responsible party wishes to market and whether the data subject would have an expectation that the responsible party would send them marketing about those products and services.
• Whether the responsible party has previously told the data subject that it will not send any direct marketing communications. Again, in this circumstance, the individual should not be sent any marketing.

If, considering the above and any other relevant factors, the responsible party finds itself unable to rely on the legitimate interest ground, consent of the data subject will normally be needed to legitimise the telemarketing.

B2B direct marketing

POPIA will apply whenever an individual’s personal data is processed to conduct direct marketing, and this will be the same when processing employees’ contact details for business-to-business (“B2B”) direct marketing. Responsible parties must therefore have a lawful basis under POPIA to process employees’ personal information before initiating B2B direct marketing to those employees. Accordingly, there is not generic exception for B2B direct marketing.

Cautionary note

Where companies are marketing goods or services to individuals based in other countries, other privacy or consumer legislation may be applicable. Such additional legislation may include the General Data Protection Regulation (GDPR), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and specific national data privacy or consumer legislation. Accordingly, companies cannot adopt a one-size-fits-all approach to their marketing communications.

In addition, there may be additional privacy considerations for companies to consider when using online behavioural advertising or location-based marketing. Please contact us should you require any assistance with complying with both national and international direct marketing requirements.

See also:

• The POPIA prior authorisation conundrum – What is prior authorisation, and do you need it for your business?
• Will privacy laws like GDPR and POPI kill the direct marketer?
• POPIA: Focus on consent and legitimate interest
• Keep the Consumer Protection Act in mind when facilitating promotional competitions
• A brief look at consumer rights in terms of the Consumer Protection Act

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)