Direct marketing consent in South Africa

Direct marketing to existing customers of the marketer can continue as regulated under the CPA. Once the POPIA deadline for compliance is reached, non-customers may only be approached once for consent. Colin Victor explains.

Two primary pieces of legislation regulate direct marketing activities, namely the Consumer Protection Act 68 of 2008 (CPA) and the Protection of Personal Information Act 4 of 2013 (POPIA). The National Credit Act 34 of 2005 (NCA) regulates certain direct marketing activities of credit products and the Electronic Communications and Transactions Act 25 of 2002 (ECTA) spells out requirements for sending unsolicited commercial communication to consumers.

Section 11 of the CPA describes the right to restrict unwanted direct marketing. It states that:
(1) The right of every person to privacy includes the right to − (a) refuse to accept; (b) require another person to discontinue; or (c) in the case of an approach other than in person, to pre-emptively block any approach or communication to that person if the approach or communication is primarily for the purpose of direct marketing.

(2) To facilitate the realisation of each consumer’s right to privacy, and to enable consumers to efficiently protect themselves against the activities contemplated in subsection (1), a person who has been approached for the purpose of direct marketing may demand during or within a reasonable time after that communication that the person responsible for initiating the communication desist from initiating any further communication.

Two points are noteworthy. Firstly, there is no requirement for ‘opt in’ in the CPA. A person is not required to give marketing consent but has the right to ‘opt out’ when being directly marketed. Secondly, the right applies when the approach of the communication is primarily for the purpose of direct marketing. Communication whose primary purpose is operational but that includes direct marketing as a secondary purpose is therefore excluded from this right. (More on this when we discuss POPIA.)

Section 74 of the NCA requires the following:
(6) When entering into a credit agreement, the credit provider must present to the consumer a statement of the following options and afford the consumer an opportunity to select any of those options:

(b) to be excluded from any − (i) telemarketing campaign that may be conducted by or on behalf of the credit provider; (ii) marketing or customer list that may be sold or distributed by the credit provider, other than as required by this Act; or (iii) any mass distribution of email or SMS messages.

The NCA requirement differs from CPA in that the customer must be given the option to ‘opt out’ of direct marketing when entering into a credit agreement and not only when receiving direct marketing material. It is limited to credit providers.

Section 45 of the ECT requires that –
(1) Any person who sends unsolicited commercial communications to consumers must provide the consumer − (a) with the option to cancel his or her subscription to the mailing list of that person, and (b) with the identifying particulars of the source from which that person obtained the consumer’s personal information, on request of the consumer.

Section 69 of POPIA views direct marketing from a processing of personal information angle. This changes the landscape of direct marketing and requires marketing consent (opt in) rather than objection (opt out). Section 69 requires −

(1) The processing of personal information of a data subject for the purposes of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or email is prohibited unless the data subject −
(a) has given consent to the processing; or
(b) is, subject to subsection (3), a customer of the responsible party.

Subsection (1)(a) above refers to direct marketing to persons who are not customers of the responsible party. The person may only be approached once to obtain consent (opt in). Furthermore, the consent must be requested in the prescribed manner and form. This brings us to Regulation 6 that requires marketers to follow the format of Form 4 when requesting consent. Form 4 requires the following text:
I, _____________________________[full names of data subject] hereby:
[Unticked/ticked box] Give my consent

To receive direct marketing of goods or services to be marketed by means of electronic communication.

Marketers may want to change the wording to something more palatable and may use any form which is ‘substantially similar’ to Form 4.

Subsection (1)(b) above refers to current customers of the marketer. Subject to a number of conditions customers can continue to be marketed as before. One of the conditions is that the contact details of the customer were obtained in the context of the sale of a product or service. This will make marketing using contact details obtained from lead generation businesses difficult. Companies will have to manage customer databases more effectively to ensure compliance with POPIA.

As we saw under the CPA, only communication whose primary purpose is marketing is in scope. Under POPIA all direct marketing is included.

There is no conflict between the laws regulating marketing consent. The most stringent requirements in the different pieces of legislation must be complied with.

Note
The POPIA deadline for compliance is 1 July 2021. POPIA was enacted in 2013 and given the long delay to become effective, it is unlikely that the information regulator will extend the POPIA compliance deadline.
AUTHOR | Colin Victor, member of SAICA’s Legal Compliance Committee and compliance officer at ABSA Group