From spam to slam: First enforcement notice issued by the Information Regulator

The Information Regulator of South Africa (Information Regulator) has sent a stern warning to direct marketers that are sending out marketing messages and calls which do not adhere to the current laws applicable to direct marketing.

6 Mar 2024, Technology & Communications Alert

At a glance

  • The Information Regulator of South Africa (Information Regulator) issued its first enforcement notice following a complaint from a data subject that a company was sending countless 'spam' direct marketing messages to them, despite multiple requests from the data subject to opt out of receiving such communication.
  • This indicates that flagrant breaches of the Protection of Personal Information Act of 2008 by direct marketers will no longer be accepted without consequence.
  • The regulator’s actions are a move towards tightening compliance around direct marketing and ensuring that companies engaging in direct marketing do so responsibly and within the ambit of the prescribed legislation.

On 27 February 2024, the Information Regulator published a statement indicating that its first enforcement notice was issued to FT Rams Consulting (the company), following a complaint from a data subject that the company was sending countless ‘spam’ direct marketing messages to them, despite multiple requests from the data subject to opt out of receiving such communication.

Many consumers convey similar frustrations around receiving unwanted spam. The Information Regulator has previously acknowledged consumers’ frustrations in relation to direct marketing and, after evaluating this complaint, it found that the company had acted in contravention of section 69 of the Protection of Personal Information Act of 2008 (POPIA) and issued the company with an enforcement notice.

The enforcement notice ordered the company to immediately stop sending direct marketing messages to the data subject, and also ordered it to take the following actions:

  1. Procure consent from data subjects to receive direct marketing communications by way of a consent form prescribed by the Information Regulator.
  2. Only procure consent from data subjects who had not previously already withheld consent.
  3. Compile and maintain a database of all data subjects who had previously withheld or did not consent to receiving unsolicited direct marketing messages, and submit the database to the Information Regulator.

The company was given 90 days to comply with the enforcement notice, and was warned that its failure to comply could constitute an offence that would carry a minimum sentence of 10 years’ imprisonment, a fine of R10 million, or both a fine and imprisonment.

This is the first enforcement notice issued by the Information Regulator. The Chairperson of the Information Regulator, Advocate Pansy Tlakula, indicated that it marks a shift towards clamping down on companies that engage in direct marketing without following the applicable legislation, and stated that “our leniency regarding direct marketing through unsolicited electronic communications is a thing of the past”.

Processes for direct marketing

Implicit in this statement is that non-compliance with POPIA requirements in terms of direct marketing will no longer be accepted by the Information Regulator. Section 69 of POPIA prescribes two distinct processes for companies engaging in direct marketing. For existing customers, direct marketing is allowed if an organisation obtained the customer’s contact details in the context of a sale and if they are promoting similar products or services. All direct marketing communications must include the sender’s identity and contact details, or the process for opting out. For non-customers, direct marketers can only contact data subjects once to request consent to opt in to any unsolicited direct marketing.

The Information Regulator’s reference to fines and imprisonment in relation to section 69 indicates that flagrant breaches of POPIA by direct marketers will no longer be accepted without consequence. This shift will require organisations to re-examine their policies and procedures on direct marketing and ensure that client relationship databases are more strictly managed.

Consumers will view this as a welcome intervention as spam has long been an irritation for many South Africans. It is important to note that the intention is not to prohibit direct marketing but instead ensure that it is managed proactively and responsibly. The Information Regulator has committed to providing more guidance on this in due course.

It is unlikely that this will eliminate the influx of spam calls, but consumers will be more empowered to hold direct marketers accountable to do the right thing.

Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved.