It finally happened. The Protection of Personal Information Act was signed by the President and is officially now known as the Protection of Personal Information Act (No. 4 of 2013). After a mere eight years of discussion, South Africans finally have a law that governs who is allowed to store what kind of data about who, and what they can do with it.
Among those of us who work in legal, technical or marketing fields, the draft legislation was either the subject a conference drinking game (take a sip of your sparkling water and pop a mint every time you hear “POPI”) or a horror story direct marketers tell their kids at night. Or both. It also always seemed a long way off, but now we are really, really on the road to its implementation.
All we need now is the commencement date in a government gazette and the Act should go into effect around a year later.
In addition to be a general privacy law that fleshes out the right to privacy in the Bill of Rights, POPI deals specifically with direct marketing. Those who work in the field should take particular note of section 69 – and those who are on the receiving end of marketing spam should take a read too.
This section prohibits “direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”, unless the consumers targeted have given certain consents. This marks a complete reversal of the position under the Consumer Protection Act which allows unsolicited direct marketing provided consumers can opt out and provided they are only contacted at certain times.
In other words, POPI, through section 69, switches the consent model from opt-out under the Consumer Protection Act to opt-in. That is a pretty fundamental shift which, in itself, is going to radically change the market.
The consents POPI requires, however, can be either implicit or explicit. Implicit consent is what a brand has when a consumer buys goods from the brand or uses its services and section 69 says that when this happens, the brand can market its “own similar products or services“ directly to the customer as long as it gives the customer an opportunity to opt-out when personal information – such as name, address, email address, identity number – is first collected and each time the brand communicates with the customer.
Explicit consent, meanwhile, is when a consumer typically ticks a checkbox and agrees to receive direct marketing materials from the brand. These consumers must also have an opportunity to opt out when they receive marketing materials. Oh, in case anyone is thinking that these checkboxes can be ticked by default, that won’t work. The person whose data is being captured must physically create the tick with a pen or mouse click for it to count.
Marketers also have to disclose the brand’s identity and make sure there are prominent opt-out details such as an “unsubscribe” link or a phone number the person can call to be removed from a mailing list.
Theoretically, it’s an end to spam. Or, at least, a law which offers consumers some sort of protection against it.
Spam is unsolicited messages. Email and SMS marketers are familiar with anti-spam rules in the ISPA and WASPA Codes of Conduct (respectively) and the hard line those two industry bodies have taken against what they define as spam. Direct marketing using what POPI defines as “electronic communication“ without a consumer’s consent is spam.
Until now, they have been ahead of the current legal position but with POPI’s assent and anticipated implementation, WASPA and ISPA’s Codes are being backed by a law which, in turn, is backed by the right to privacy in the Constitution. That is some pretty heady stuff.
Add to that possible criminal offences and administrative fines imposed by the Regulator – which could be as much as R10 million – and, as the saying goes, this stuff just got real.
(Image – Shutterstock)