At 3 Way Marketing we take all legislation seriously. This applies especially to the release of the Protection of Personal Information Act (POPI).

The guide below will answer Frequently Asked Questions (FAQ) regarding the impact that the Protection of Personal Information Act (POPI) will have on direct marketing. POPI will not bring an end to direct marketing. Direct marketing happens worldwide, in many countries that have had data protection laws in place, for decades. Direct marketing is a legitimate avenue that organisations can utilise to find new customers.

However, you need to be careful who you ask to assist you with direct marketing. You should choose a reputable company like 3 Way Marketing: a company that takes its legal obligations seriously… a company that you can trust.

In the future, everyone in South African has to try to protect the personal information that they process. Any person who processes personal information must comply with the conditions as set out by POPI. POPI aims to protect the personal information of people (such as consumers and employees) so that they do not become victims of things like identity theft, which can have very serious consequences. However, POPI does not aim to stop the free flow of information. It recognises that there is a need for balance.






What is POPI? Is it a kind of doll?

No, it is not a doll of any kind. It is the Protection of Personal Information Act, a law passed by the South African parliament, which sets the conditions that you must follow to lawfully process the personal information about persons.

Why did POPI come into existence?


The protection of personal information is definitely needed now, more than ever. With the rise of
computing power and devices like tablets and smart watches, personal information is at greater risk
than ever before. POPI will enable personal information to be transferred to South Africa, which will
bring economic benefits for the country.


When will POPI come into force? When must you comply by?

The President has signed it, so it will not change. The regulations will not be significant so we know what we need to comply with. It will only commence on a date to be proclaimed by the President, which will probably be in early 2015. There will be a one-year grace period from then until early 2016 within which all processing must be made to conform with POPI.

So, we have about 18 months from now to make sure that all our processing of personal information complies. There is time and there is no need to panic, but responsible parties need to take action now.

Key points and possible actions
• POPI is not going to change.
• Your processing of personal information only needs to comply with the conditions in POPI in about mid 2016.


Does POPI put an end to direct marketing?


No. POPI is not going to put an end to direct marketing. Direct marketing happens all over the world in many countries that have had data protection laws for decades. Direct marketing is a legitimate interest that organisations can pursue to find new customers. The big change or implication of POPI is that in future (about mid 2016) direct electronic marketing to prospects will be opt-in.


Have email, AVM and SMS marketing become illegal?

No, definitely not. There are both serious (a fine or up to 10 years in jail) and minor offences (a fine or up to 12 months in jail) in POPI. None of these offences relate directly to marketing. It is not even an offence if you do not get a person’s consent, when POPI requires you to get consent. It is only an offence if the Information Regulator tells you (in the form of an enforcement noticeii) that you have to get someone’s consent and you don’tiii. You must take any enforcement notice you receive from the Information Regulator seriously.

Key points and possible actions
• Jump when the Information Regulator says jump.
• Put a complaints procedure in place so that people can lodge complaints.
• Be extra careful if you are processing bank account numbers.

Has Internet marketing become illegal?


No, definitely not. POPI places some conditions in place that you must comply with when marketing, but it has not become illegal. For example, affiliate marketing web sites have not become illegal. POPI has very little impact on website design, analytics, search engine optimisation (SEO), and pay per click (PPC).


Does POPI put at end to lead generation?


No, definitely not. Once again there will be some conditions that you need to comply with, but POPI will not put an end to it. If you plan to send the lead emails or SMSs, you will need to have their consent to do so. POPI wants to put an end to mindless spamming – the sending of bulk mail to everyone in the hope that someone might be interested. Finding quality leads and then targeting just those quality leads who are interested in particular goods or services is inline with what POPI wants to achieve. A good list (of leads) can be used in compliance with the law and will generate few (if any) complaints.

Key points and possible actions
• Only get your leads from a reputable company who takes their legal obligations seriously and whom you can trust.
• Focus on quality leads.
• Ensure that lists are up-to-date and accurate.
• Know what you plan to do with the leads.
• If consent is required, record the consent in a reliable way.


Is direct marketing a legitimate interest?


Yes, it is. Direct marketing is recognised by our legislators, other countries and courts in other countries to be a legitimate interest. You can therefore justify your processing of personal information for marketing because it is in your legitimate interests(iv). But bear in mind that you need consent from prospects for direct electronic marketing(v).


Can you phone someone to offer them something?


Yes, even if they have not consented to you doing so. And even if it is a cold call. The table below helps to explain what you must and must not do when you are direct marketing to people. POPI defines direct marketing very broadly. Any form of push marketing where you are communicating to a person is probably direct marketing. If you are in doubt, assume that it is direct marketing. Electronic communications is also quite broadly defined and includes the typical things like email, SMSs, AVM, and faxes.



Can you post physical mail to someone offering to sell them something?

Yes, even if they have not consented to you doing so. If they tell you to stop, you must stop.

Can you email or SMS someone to sell them something?

Yes, you can.

POPI will have a big impact on email and SMS marketing. You can currently email market on an optout
basis. This means you can send anyone emails until the person says stop. After POPI, you will
only be able to email market on an opt-in basis – you can email them only once to get their consent to
send them more emails.

Key points and possible actions
• Think of clever ways on getting opt-in consent, like a promotional competition, a loyalty program, or in exchange for access to great content (like a book or guide).
• Ensure that the copy of the opt-in request is really good, including specifying clearly what the benefits are to the person of opting in. For example, “By consenting you will be the first to know of great deals”.

When do you need opt in consent?

You need consent when you want to direct market by electronic means (like email and SMS) to prospects, however you don’t need opt-in consent when marketing to your existing customers.

How must you get consent?

• A person must have a choice whether to consent or not. (it must be voluntary)
• The consent must relate to a specific purpose (for example, to contact me about insurance products). You must specify your purpose.
• You must notify the data subject of various things as set out in section 18 of POPI.
• You must inform the person sufficiently to enable them to make a decision.
• The person must express their will in some form. For example, tick a tick box, or click on a link or a button, or order something.
• Another important point is that POPI does not require you to get the consent of the data subject in all instances. There are many other justifications in section 11 that you can rely on to process lawfully. Consent can be very useful, but it is not the only justification. (vi)

Key points and possible actions
• If possible, try to get the consent of people to market to them.
• Use opt-in boxes.
• Record when and how you got consent, and what it covers.
• Check your existing marketing consent clauses to ensure they comply with POPI and allow you to market to people in the ways you want to.

Must we get consent from prospects to whom we have been communicating?

This is a tricky one and there are arguments both ways. Some say yes. Others say no. If possible, get their consent.

Do you need to check the national opt-out register? How often?

Yes, you should check any register where people have said please do not direct market to me.

The National Consumer Commission (NCC) has not yet set up a national opt-out register, but this will probably be implemented before the end of 2014. There are currently two registries you should check:
1. The DMA National OPT OUT Database
2. The TrustFabric Opt-Out List

You do not have to check these lists, but if you are a member of the Direct Marketing Association
(DMA) you have to check the first one. (vii)

You should also check your own opt-out lists.

You should check all of these opt-out lists before each time you plan to communicate to the list. It often creates an administrative hurdle to sending your communication, but it must be done.

Key points and possible actions
• Do not market to people who have asked not to be contacted.
• Never communicate with someone who has opted out.
• Decide whether you want to be a member of associations or not.

Must you provide an opt-out option on all communications?

Yes. Provide a simple way for them to opt out of marketing messages and have a system in place for dealing with complaints. For example, an unsubscribe link on an email is fine. Putting “Reply STOP to opt-out” in an SMS is also fine.

Key points and possible actions
• Do not charge people to opt-out.
• Keep a list of anyone who opts-out.
• Be granular – allow people to specify how and when they can be contacted. Often people do not want to unsubscribe from all communications, just some.
• Use a mass communication tool (like a mass mailer or bulk SMS system) to manage your unsubscribe list.
• Use the correct tool (email marketing system) to send bulk mass communications like email and SMS.

Can you still market to your customers?

Yes, but:

1. they must be your customers,

2. you must allow them to opt-out.
The key to determining who your customers are, is to identify who the responsible party is. The responsible party is the person who determines why and how personal information will be processed.

Key points and possible actions
• Don’t place restrictions on yourself. Wait for the Information Regulator to restrict everyone in the same way.
• Interpret POPI in your favour.

Who is defined as a customer of yours?

Any person whose contact details you have obtained in the context of the sale of a product or a
service(viii). Until the Information Regulator sets restrictions, it can be:

• a free product or service,
• a recent or old customer,
• a product or a service,
• an information service.

What can you market to your customers?

You should only market your own similar products or services to them. There are currently no guidelines as to what is similar to what. This is the kind of thing the Information Regulator may make a ruling on in future.

Can you buy a list from someone?

Yes. As a general statement, it is not unlawful to buy and sell personal information. But you must comply with the conditions for lawful processing in future. List builders (or brokers) who do it badly will struggle and their activities will probably become unlawful. But those that do it well, in many cases, already comply with most of the conditions. Consumers will also have a lot more access to information, power and control over their personal information.

Key points and possible actions
• Only buy lists from reputable list providers.
• Check where the list came from and whether it is accurate.
• If you plan to market electronically to the list, check that the people on the list have consented to that. Check when and how consent was obtained, and what it covers.

Can I collect the personal information of people to sell them things?

Yes, you can collect it from various sources, including:

• public directories, and
• people when they send an email, register on a website, subscribe to offers or alerts, download an app, enter a competition, or use a price-comparison site to get a quote.

You do not need a person’s consent to collect their personal information. However, if you plan to send them electronic communications for the purposes of direct marketing, you need to get their consent to use it in that way. But you don’t need consent to collect it.

If reasonably practicable, you should collect it directly from the personix. So, for example try to get the person to complete a web form, enter a competition, or ask to be contacted. If you ask a person to provide their friends contact details, you must ask that person to get their friends consent first.

You should collect the personal information for a specific purpose, like to market insurance products to the person. What a “specific purpose” is, is open to interpretation.

If reasonably practicable, you should make the person aware that you are collecting their personal information and whyx. You should have a privacy statement, notice or policy, which is easy to read and accessible. It should be in clear plain language. If you plan to pass their details on to third parties, you should ensure that the person knows this.

Key points and possible actions
• If possible, collect personal information directly from the person.
• If you plan to direct market to them electronically, get consent to send them emails or SMSs when you collect it.
• Specify to whom you will provide the person details once collected.
• Do not obtain leads under false pretences.
• Be open and honest about your activities concerning personal information.

Must I tell someone where I collected their information?

Yes, currently under section 45 of the ECT Act companies must tell consumers where they got their information. POPI will repeal section 45, but POPI also requires responsible parties to be open about their processing and allow the data subject to participate in how their personal information gets processed. Consumers will have various remedies, like complaining to the Information Regulator and suing for damages in a civil action.

What must appear on the electronic communications you send people?

You must include certain things in all communications for direct marketing.
• Your full company name.
• Your registration number.
• If you are a registered credit provider, your number.
• Contact details for the recipient to opt-out.

Essentially, POPI requires you to identify yourself.

Obviously it is not possible to fit all of that information on some forms of communication (like an SMS). In that case, you can provide a link (in the form of a tiny URL like “T&C”) to a webpage that sets out the information.

Who can I market to?

Anyone. But it is important for you to categorise your targets. You should know if a person is a prospect of yours or a customer of yours.

It is also important for you to know as much about them as possible.

Key points and possible actions
• Add fields to your database or spread sheet of contacts so you can segment your list into prospects or customers.
• Profile your contacts accurately.

What about children?

Essentially, you can only market to a child (under 18) if you have their parent’s consentxi. So your options are either:
• Not to market to children,
• Get their parents consent.

What could happen to you if you do not comply?

There are significant consequences for non-compliance, including:

• Suffer reputational damage.
• Lose customers and fail to attract new ones.
• Pay out millions in damages to a civil class actionxii.
• Be fined up to R10 million or face 10 years in jail for committing an offence(xiii).

The reputational damage is probably the biggest risk.

There are not many offences in POPI (for example it is not an offence if you fail to comply with the conditions) and generally speaking you will know when you commit one. It will be quite hard to commit an offence. But if you do, the Information Regulator is able to fine you if it alleges you to have committed an offence.

Key points and possible actions
• It will be hard for you to commit an offence, but if you do you will be in trouble.
• It is unlikely that anyone will go to jail.
• If you get fined, seriously consider paying the fine. If you don’t, you could get a criminal record, suffer reputational damage, have to pay huge legal fees, risk a Magistrate making an adverse finding against you.

What laws are linked to POPI?

There are various other laws that also protect personal information. The key ones are:

1. Consumer Protection Act (CPA)
2. National Credit Act (NCA)
3. Regulation of Interception of Communications …. Act (RICA)
4. Promotion of Access to Information Act (PAIA)

Other key laws that are relevant to marketing are:

1. Consumer Protection Act (CPA)
2. Electronic Communications and Transactions Act (ECT Act), section 45 (which is going to be repealed by POPI)

If there is a conflict between POPI and another law, POPI prevails. But if another law gives greater
protection to personal information, the other law will prevail. For example, if POPI says you do not need to get consent to market to someone and another law (like the NCA) says you do, the NCA will apply and you will have to get the persons consent.

There are various codes that are also relevant. The default position is that you do not have to comply with a code. However, if you are a member of the association that has issued the code, you have to comply or you face being excluded. Some relevant codes are:

• The Direct Market Association (DMA) Code of Conduct
• The Internet Service Providers Association (ISPA) Code of Conduct
• The IAB South Africa (formerly known as the Digital Media & Marketing Association of South Africa (DMMA)) Code of Conduct
• The Wireless Application Service Providers’ Association (WASPA) Code of Conduct
• The Credit Bureau Association (CBA) Code of Conduct
• The Association for Savings & Investments SA (ASISA) Codes, Standards and Guidelines
• The Mobile Marketing Association of South Africa Code of Conduct

Key points and possible actions
• Be aware of all laws that relate to marketing.

About this guide

Copyright © 2002 – 2014. Michalsons. All rights reserved. Copyright subsists in this work under the
Copyright Act 98 of 1978. Any unauthorised act infringes copyright. We trust you to respect our

1. The content is provided for the jurisdiction of South Africa and is not suitable for other jurisdictions.
2. We give no warranty about it, and none may be implied. We are not responsible for any mistake in the information or any direct or indirect loss that may follow from it.
3. The guidance has been prepared by Michalsons and is based on their interpretation of the principles of South African law at the time of publication. The law may change due to future legislative enactments and court decisions.
4. It is a summary or opinion on general principles of law and is published for general guidance purposes only. The content does not constitute specific legal, tax, investment, accountancy or other professional advice.
5. Seek individual advice from a suitably qualified professional adviser before dealing with any specific situation.

i  http://www.michalsons.co.za/identity-theft-victim/12347
ii POPI section 95.
iii POPI section 103(1)
iv POPI section 11.
v POPI, section 69.
vi http://www.michalsons.co.za/consent-popi-and-other-legal-requirements/12623
vii Consumer Protection Act, section 11.
viii POPI, section 69(3).
ix POPI, section 12.
x POPI, section 18.
xi POPI, section 34 and 35.
xii POPI, section 99
xiii POPI, section 109.