The Information Regulator has been clamping down on entities failing to ensure compliance with the direct marketing provisions of the Protection of Personal Information Act 2013 (POPIA). Following the first enforcement notice issued in respect of direct marketing earlier this year, the Information Regulator published the much-anticipated Guidance Note on Direct Marketing in terms of POPIA on 3 December 2024 (Guidance Note).
The Guidance Note provides guidance to organisations on how personal information should be processed for purposes of direct marketing in compliance with the conditions for lawful processing.
What you need to know
POPIA draws a distinction between two types of direct marketing, namely (i) direct marketing other than by means of unsolicited electronic communication (for example, marketing by means of post, hand-delivered mail or in person), and (ii) direct marketing by means of unsolicited electronic communication (for example, telephone, email, automated calling machines, SMSs, or direct messaging on social media platforms).
Direct marketing other than by means of unsolicited electronic communication
Where direct marketing communication is by non-electronic means, an organisation may process personal information for direct marketing purposes provided that it has a legal justification for doing so.
To dispense with the requirement of obtaining consent from a data subject, an organisation will be required to demonstrate that the processing is necessary to protect the legitimate interests of the data subject (for example, where the data subject will receive discounts or, based on buyer behaviour history, the data subject would be interested in the product or service), or that the processing is necessary to pursue the legitimate interests of the organisation (for example, to increase sales or to educate customers about the organisation’s products).
Whilst the term ‘legitimate interest’ is not defined in POPIA, the Guidance Note explains that, in the direct marketing context, a legitimate interest in essence provides a justification that is to the advantage or benefit of a customer, the organisation or a third party, and which can be defended or validated.
The onus is on the organisation to justify the use of legitimate interests as the basis for processing and, to do so, the organisation must undertake a legitimate interests assessment before engaging in the direct marketing activity.
Where an organisation fails to establish a legitimate interest, and in the absence of consent, it will not have a lawful basis for processing and will be in breach of the provisions of POPIA.
Notwithstanding a legitimate interest, customers may object to the direct marketing communications, in which case they may not be contacted again by the organisation.
Direct marketing by means of unsolicited electronic communication
In respect of direct marketing by means of unsolicited electronic communication, POPIA distinguishes between a data subject who is a customer, and a data subject who is not a customer.
Where the data subject is a customer, an organisation can send direct marketing communications to the customer provided that:
- The organisation has obtained the contact details of the customer in the context of a sale of a product or service (for example, a data subject opens an account at a retail store and provides contact details for purposes of opening the account);
- The direct marketing communications are for purposes of marketing the organisation’s similar products or services (for example, in a clothing retail store, similar products include shoes, belts, etc.; funeral insurance cover will not constitute a similar product in this context); and
- The customer was given a reasonable opportunity to object, free of charge, to the use of their/its information at the time the information was collected (for example, at the time of opening a credit account at a retail store, the customer was given the opportunity to specify that they do ‘not give consent’ to direct marketing), and on the occasion of each communication for purposes of direct marketing if the customer has not initially refused consent.
Where the data subject is not a customer, an organisation can only send direct marketing communications with the data subject’s prior consent. In this regard, the Guidance Note provides that:
- The first communication sent by the organisation must be a communication requesting the consent of the data subject to market their goods or services. This approach may only happen once and only to a data subject who has not previously withheld consent.
- An organisation that wishes to obtain the consent of the data subject must obtain the written consent by making use of Form 4 annexed to the POPIA Regulations or in any form which is substantially similar to Form 4 and in a manner that may be expedient, free of charge and readily accessible to the data subject. This form requires (i) the data subject to consent to receive direct marketing messages through unsolicited electronic communication, (ii) the organisation to specify the goods/services intended to be marketed, and (iii) the data subject to specify the method of communication that can be used to send the communications.
Practically, this means that where, for example, an SMS or email is used to obtain consent, Form 4 or a document that is substantially similar can be used. The form should allow the data subject to choose between ‘I give my consent’ and ‘I do not give my consent’, and to select the method of communication they would like to be used.
Where a telephone call or automated calling machine is used to obtain consent, the organisation must read out, or the recorded message must contain, the information required, and the call (including the data subject’s response) must be recorded. It is the organisation that bears the responsibility to prove that data subjects have provided their informed consent to direct marketing.
In respect of all forms of direct marketing, the Guidance Note provides that the marketing communications must contain the details of the identity of the sender or the person on whose behalf the communication has been sent and an address or other contact details to which the data subject may send a request that such communications cease. Further, an organisation must compile and maintain a database of data subjects who have objected to direct marketing or withheld their consent to receive direct marketing communications.
For completeness, the Guidance Note also provides direction relating to (i) registering a pre-emptive block in terms of the Consumer Protection Act, (ii) how to comply with the eight conditions for lawful processing when engaging in direct marketing activities, and (iii) lead generation and profiling in the direct marketing context.
Whilst the Guidance Note is advisory in nature, it underscores the Information Regulator’s commitment to ensuring that organisations prioritise transparency and accountability in their marketing efforts. As enforcement measures gain momentum, businesses are encouraged to re-evaluate their direct marketing strategies with reference to the Guidance Note.
--
Read the full publication at Bowmans