Will privacy laws like GDPR and POPI kill the direct marketer?
02 Nov 2018
Currently, the Electronic Communications and Transactions Act, 2002 (the ECTA) and the Consumer Protection Act (the CPA) regulate the sending of unsolicited commercial communications (emails, texts and the like). An unsolicited communication can be sent, unless the recipient has requested the marketer to refrain from sending such communications (opted out). The ECTA specifically provides consumers with the option to cancel mailing list subscriptions. Consumers can also request the identifying particulars of the source from which the sender obtained the consumer’s personal information. Under the ECTA it is also an offence to keep on sending unsolicited communications after the recipient has opted out.
The CPA also follows an opt-out regime and gives consumers the right to object to unwanted direct marketing. If a consumer objects, a marketer must desist from sending further direct marketing. The CPA also makes provision for the creation of a “do not contact” registry. Once this registry has been established, consumers will also be able to register pre-emptive blocks against unwanted direct marketing.
So how does the GDPR affect marketers in South Africa?
The EU’s General Data Protection Regulation (GDPR) came into force on 25 May 2018. A South African marketer will need to comply with the GDPR’s requirements if it processes personal information of EU residents, but only if it processes that personal information in relation to the marketing of goods or services or the monitoring of behaviour that takes place in the EU. (Behaviour is monitored, for example, if a marketer’s website tracks behaviour by using cookies that store personal information.) Even if the GDPR applies to a South African marketer, it remains to be seen how this will be enforced against parties outside the EU.
The safest way to conduct direct marketing in compliance with the GDPR is to send direct marketing communications only to recipients who have provided their consent. On the basis that it is in their legitimate interest (one of the processing grounds in the GDPR), marketers could also consider sending such communications to persons who have not consented. However, marketers would have to evaluate this option carefully and ensure that they actually comply with the GDPR’s requirements in this regard.
The future position in South Africa
The Protection of Personal Information Act, 2013 (POPI) has been signed by the President, but, apart from some preliminary provisions, it has not yet entered into force. The position regarding direct marketing will change from opting out to an opt-in regime once POPI comes into force.
Under POPI, marketers will only be allowed to send unsolicited electronic communications to persons who have provided their consent or who are existing customers. A marketer will only be allowed to send unsolicited communications to someone on the basis that they are a customer if the marketer has obtained the customer’s contact details in the context of the sale of products or services and the communication relates to the marketer’s own similar products or services. In addition, the customer must have been provided the opportunity to opt out, which must be free and informal, at the time of collection of the information and on the occasion of each communication.
As far as telephone calls are concerned, POPI will only cover direct marketing by way of electronic communications, which includes automatic calling machines but excludes telephone calls. This means that opt-in will not be required for unsolicited telephone calls for purposes of direct marketing; however, the current opt-out rules will still apply.