17 January 20255 minute read

Data Protection - Guidance Note on Direct Marketing

The Information Regulator in South Africa has issued a guidance note relating to the processing of personal information for the purposes of unsolicited direct marketing by non-electronic communications in terms of section 11 of POPIA and by electronic communications in terms of section 69 of POPIA (Guidance Note). This is aimed at clarifying the Information Regulator's position regarding marketing communications given the large number of complaints that have been lodged with the Information Regulator. The Guidance Note is advisory in nature and POPIA and the Regulations will prevail over the Guidance Note in the event of inconsistency.

In terms of POPIA and the Guidance Note there is a distinction between unsolicited direct marketing by electronic communications (ie sms / email / use of Cookies) and direct marketing by non-electronic communications (ie in person / by post or hand-delivered mail). While direct marketing by non-electronic communications can usually be done without consent provided that there is an opportunity to opt-out of receiving further marketing communications, direct marketing by electronic communications generally requires consent subject to certain exceptions (ie where the data subject is an existing customer and the requirements in section 69(3) of POPIA have been met).

What is most notable in the Guidance Note is the Information Regulator's view in relation to telephone calls. In this regard, the Information Regulator views a telephone call as an electronic communication with the effect that a data subject must consent to receiving direct marketing via telephone call, unless the data subject is an existing customer and the requirements for marketing to existing customers in section 69(3) of POPIA are met. This will have a major impact on telemarketers who have historically relied on the provisions of the Consumer Protection Act to govern such communications, in terms of which there must be an opportunity to opt-out but there is no requirement for an opt-in consent. The Information Regulator's opt-in approach for marketing by telephone calls is likely to be challenged.

In addition, the Guidance Note provides as follows:

  • Any electronic communication sent by a responsible party for the purpose of direct marketing must contain the following information as stipulated in section 69(4) of POPIA: the identity of the sender or the person on whose behalf the communication has been sent; and an address or other contact details to which the recipient may send a request that such communications cease. Furthermore, the Guidance Note states that the responsible party must compile and maintain a database of data subjects who have withheld their consent to direct marketing.
  • When using an outbound telephone call to market to a data subject the consent of the data subject must be obtained and the telemarketer must read out the contents of Form 4 of the Regulations to POPIA during that telephone call. This means that the goods or services to be marketed must be specified as well as the method of communication that will be used for the marketing. Furthermore the telephone call must be recorded.
  • When there is direct marketing by non-electronic communications, for example, in-person marketing, consent to marketing is not required if the responsible party is able to rely on legitimate interests and is able to identify the legitimate interest relied upon. The onus is on the responsible party to justify the use of legitimate interests as the relevant basis for the processing of personal information. The Guidance Note also states that in order to rely on legitimate interests as a lawful basis for processing of personal information for direct marketing purposes, the responsible party must undertake a three-stage assessment before processing personal information for direct marketing purposes:
    • The first assessment relates to the purpose test that helps to objectively identify a legitimate interest;
    • The second assessment relates to the necessity test which considers the connection between the processing and the interests pursued as well as the purpose stated in the first test (above). The responsible party should determine whether the processing of personal information is necessary to achieve the specified purpose; whether the processing is proportionate to what the responsible party is trying to achieve with the processing; whether the processing can proceed with less processing of personal information or with no processing of personal information at all; and whether the processing method (including the communication method) is the least intrusive method available to achieve the specified purpose; and
    • The third assessment relates to the balancing test. In this regard, the responsible party should balance its legitimate interest against the interests and rights of the data subject. The rights of the data subjects will override the interests of the responsible party or a third party. The responsible party should ask the following questions: whether the personal information is such which data subjects are likely to consider as ‘private’; whether the personal information is about the data subjects in their personal or professional capacity; what the reasonable expectations of the data subject who will be affected by the processing are; and what the likely impact of the processing on the data subject is and whether any safeguards can be put in place to mitigate the negative impacts.
  • An example of processing personal information for direct marketing purposes on the basis that it is to protect the legitimate interests of the data subject is where the data subject may be eligible for a discount for products. An example of where the processing of the personal information is for the pursuit of the responsible party's legitimate interests is where the purpose of the marketing is to increase sales.
Print