The intention of the Guidance Note is to assist responsible parties in the interpretation of POPIA in relation to direct marketing, but it also expands the ambit of POPIA. Notably, it is advisory and not binding, with POPIA’s general provisions preceding.

Refresher on the direct marketing provisions under POPIA

Section 69 of POPIA regulates direct marketing restrictively for any direct marketing in the form of electronic communication (e.g. email, SMS). Data subjects must “opt-in” to the processing of personal information and the responsible party must obtain the consent of the data subject before sending a direct marketing communication to any data subject. The responsible party may only approach the data subject once to obtain consent.

If the data subject is an existing customer of the responsible party, it must give the customer the opportunity to object to the processing of their personal information and the responsible party may only send a direct marketing communication to the customer if:

• the responsible party has obtained the customer’s contact details in the context of the sale of a product or service and the marketing is in relation to its own products or services that are of a similar nature; and
• the customer is provided with a reasonable opportunity to object to the processing.

The Guidance Note speaks to two types of direct marketing: direct marketing via non-electronic communications (including letters by post, or delivered in person), and direct marketing by means of electronic communications. There are different compliance requirements for the different types of marketing.

Direct marketing via non-electronic communications mediums

• Direct marketing can be justified by the legitimate interests of the data subject or the responsible party.
• The Information Regulator provides examples of direct marketing that protects a legitimate interest of the data subject and to rely on legitimate interests, the responsible party must conduct a legitimate interest assessment before processing.
• Processing after receipt of an objection must stop, and the responsible party must not contact the objecting data subject.
• The responsible party must maintain a database of all data subjects that have objected and avoid contact with them.

Direct marketing via electronic communications

• The Information Regulator defines “electronic communication” as any message sent over an electronic communications network, stored in the network or recipient’s terminal equipment.
• Telephone calling, including Voice over Internet Protocol (VoIP), is considered an electronic communication.
• Methods of electronic communication include push notifications, direct messaging on platforms like Instagram or LinkedIn and the use of cookies, and these fall under the application of POPIA.
• The Guidance Note also clarifies how direct marketing can be conducted without the data subject being a customer. Consent must be obtained before sending the communication, using Form 4 – Application for consent of a data subject.
• If a customer was not asked about consent in relation to marketing specifically, it cannot be deemed that the customer has given consent, as silence does not constitute consent.
• Any further communications sent must contain the prescribed information under section 69(4) of POPIA.
• A database of consumers who have withheld consent must be kept by the responsible party.

Other provisions of the Guidance Note

The Guidance Note discusses the Consumer Protection Act 68 of 2008’s registry of pre-emptive blocks, stating that direct marketers cannot contact data subjects without consent, and outlines compliance with POPIA’s eight conditions of processing.

How to apply the provisions of the Guidance Note

• Distinguish between direct marketing via non-electronic or electronic communications and implement tailored strategies depending on the type of marketing conducted.
• In respect of non-electronic marketing, relying on legitimate interests (either of the data subject or the responsible party) introduces the challenge of conducting and documenting a legitimate interest impact assessment before conducting direct marketing.
• Consider what investment would be required to maintain a database of objections that includes real-time updates and strictly adhere to no-contact rules.
• In respect of electronic marketing, organisations will now have to consider the use of telephone calls, and how to embed consent and opt-out mechanisms.

Conclusion

Reference to VoIP technology under the Guidance Note has expanded the scope of electronic communications, including telephone calls, push notifications, direct messaging and cookies. This broadens compliance, as marketers must embed consent and opt-out mechanisms in other direct marketing activities.

While the Information Regulator acknowledges that the Guidance Note is non-binding, it provides guidelines for responsible parties conducting direct marketing. Data subjects expect companies to comply and challenge them if their personal information is handled in a way that does not comply with the Information Regulator’s recommendations. Organisations should carefully consider their direct marketing approaches and ensure they comply with POPIA and the Guidance Note’s requirements.