How consumer rights can protect you from direct marketing

We used to think direct marketing by phone was the most irritating thing in our day, but now direct marketing is everywhere. In your email inbox, on your social media pages and even in your WhatsApp inbox.

Direct marketers find you everywhere and although you try every trick in the book to stop them, they do not always stop or others find a way into your communication channels. What are your rights then and how are they protected?

Direct marketing is primarily governed by two pieces of legislation in South Africa: the Protection of Personal Information Act (POPIA) and the Consumer Protection Act (CPA), Tyron Fourie, partner in the commercial department and Kelly Nevin, a partner at law firm Eversheds Sutherland, say.

ALSO READ: Spam calls driving you nuts? Here are your rights regarding direct marketing

General marketing requirements under POPIA

Whenever processing someone’s personal information under POPIA, responsible parties must satisfy all their compliance requirements under POPIA, Fourie and Nevin say, which include:

• a lawful basis for the collection and use of your personal information. Usually this will rely on your consent or the responsible party’s legitimate interests
• notifying you that your personal data will be used for marketing purposes
• securing the integrity and confidentiality of personal information in the responsible party’s possession or under its control, by taking reasonable technological and organisational measures to protect it. This will include making sure that there are written contracts in place with service providers that send direct marketing on the responsible party’s behalf, such as external advertising agencies, which contain appropriate data protection obligations
• not transferring personal information outside of South Africa unless there is adequate protection in place on its receipt.

ALSO READ: These are your rights when it comes to spam calls and emails

Direct marketing requirements under the CPA

The CPA protects natural persons as well as juristic persons where a juristic person’s annual turnover is below R2 million, the current threshold set by the minister of trade, industry and competition.

Nevin and Fourie point out that under the CPA, all consumers have the right to opt out of direct marketing sent by whatever means. In this regard, a person authorising or conducting any direct marketing must:

• implement appropriate procedures to facilitate the receipt of any opt out demands and
• not charge a consumer a fee for exercising their right to opt out.

They say when you exercise your right to opt out, the responsible parties should suppress rather than delete your contact details to keep a record of people they cannot send marketing communications to, unless and until they change their mind and opt back in at a later date.

“Therefore, responsible parties should always cleanse, cross-reference and update their contact lists against their internal opt-out records before initiating marketing communications.”

The National Consumer Commission can also establish a national opt-out register for the purpose of direct marketing, but it has failed to set up such registry so far. However, the Direct Marketing Association of South Africa (DMASA) hosts a national opt out register where you can indicate that you do not want to receive direct marketing messages.

Prohibited times for direct marketing

The CPA also sets out specific times that consumers may not be contacted for the purposes of direct marketing. A marketer may not engage at all in any direct marketing directed to a consumer at home on Sundays or public holidays, Saturdays before 9:00 and after 13:00 or on all other days after 20:00 or before 08:00, except if you expressly or implicitly requested or agreed otherwise.

ALSO READ: Your personal information will become protected in 41 days

Direct marketing requirements under POPIA

When it comes to POPIA, direct marketing is when any business approaches you directly through mail or other forms of electronic communication to promote or offer its products or services or to request that you make a donation.

In this instance, electronic communication includes any text, voice, sound or image message sent over an electronic communications network such as email, SMS and WhatsApp which is stored in the network or in your terminal equipment until you collect it.

Fourie and Nevin says under section 69 of POPIA, it is clear that direct marketing by means of any form of electronic communication is prohibited unless you:

• are an existing customer of the responsible party
• are not a customer of the responsible party, but has provided consent to the direct marketing
• have not previously withheld consent and
• consent was obtained in the prescribed manner and form similar to Form 4 published by the Information Regulator.

“The general rule under POPIA is that most forms of digital marketing require the prior opt in consent of the intended recipient, with this consent obtained in the prescribed manner. However, the soft opt in rule is the exception.”

ALSO READ: Everything you need to know about your rights with false advertising

Responsible party must provide its own details

They say Form 4 essentially requires the responsible party to provide its own details (enterprise description, contact number and email address, as well as the details of the person signing the form on behalf of the responsible party) and asks for your express consent to process your personal information for the purposes of direct marketing.

“The form must also detail the methods the responsible party may use to market its goods and services to you, such as by text message or email. If your consent to direct marketing is not in accordance with the prescribed format, it will be invalid.”

If the responsible party did not already obtain your consent in the prescribed manner, they must, in their first electronic communication to you, request permission to process your information for direct marketing purposes and must state the products or services it wishes to market prior to advertising the product or service, Fourie and Nevin say.

The soft opt in rule

POPIA allows a limited exemption from the strict opt in consent requirement for direct marketing by means of electronic communication to people whose details the responsible party obtained in the context of the sale of a product or service.

This allows responsible parties to send electronic communications on an opt-out basis provided that:

• the responsible party obtained your electronic mail contact details “in the context of the sale of a product or a service”
• the responsible party sends direct marketing to people about “its own similar products or services” only and
• the responsible party clearly and distinctly gave you the opportunity to opt out of marketing by electronic communications in a way that is simple and free of charge at the time your details were initially collected and in each subsequent marketing communication.

ALSO READ: How to cancel those gym, cell phone, and other fixed term contracts

Telemarketing and cold calling

Fourie and Nevin point out there is some debate whether person-to-person marketing or telemarketing falls within the ambit of “direct marketing by means of any form of electronic communication” contemplated in section 69 of POPIA.

“Accordingly, there is ambiguity about whether there is an express requirement to obtain your consent to telemarketing. The Information Regulator has communicated to the media that it considers telemarketing to be a form of electronic communication and is subject to the direct marketing standards of POPIA.”

However, they say, the Information Regulator took no steps to enforce the direct marketing provisions specifically in relation to telemarketers but has indicted that it will release a direct marketing guidance note which will clarify the ambit and application of direct marketing in relation to telemarketing.

“Until a guidance note is released and the Information Regulator specifically clarifies that telemarketing falls within the ambit of direct marketing under POPIA, telemarketers do not strictly require your consent in the prescribed manner. However, they will need to comply with all other POPIA and CPA requirements regarding their telemarketing activities.”

Nevertheless, the prescribed opt-in consent is required for direct marketing by means of automated calling machines.

“In the absence of the requirement for your consent to direct marketing by means of telemarketing and until the Information Regulator has issued a guidance note on direct marketing, responsible parties must instead rely on their legitimate interests as an alternative lawful ground to conduct telemarketing.

A responsible party will therefore need to balance its interests against your rights and interests and factors to consider include:

• whether you are an existing customer of the responsible party, making it more likely that you would expect to receive marketing from the responsible party
• the nature of the products and services the responsible party wishes to market and whether you would have an expectation that the responsible party would send you marketing about those products and services
• whether the responsible party previously told you that it will not send any direct marketing communications. Again, in these circumstances, they must not send you any marketing.

If, considering this and any other relevant factors, the responsible party finds itself unable to rely on the legitimate interest ground, your consent will normally be needed to legitimise the telemarketing.

ALSO READ: South Africa’s Information Regulator acts against FT Rams over privacy law breach

Enforcement by Information Regulator

In February 2024, off the back of a direct marketing complaint, the Information Regulator issued its first enforcement notice to FT Rams Consulting. In this case, FT Rams Consulting sent countless direct marketing messages to various people and refused to cease doing so after multiple attempts to opt out of the communications.

The Information Regulator determined that FT Rams Consulting breached the conditions for the lawful processing of personal information as well as the direct marketing sections of POPIA.

Fourie and Nevin say the Information Regulator made it clear that it is taking a pro-active approach against anyone who infringes the provisions of POPIA and that the unlawful processing of people’s information “is going to be a thing of the past”. Failing to comply with the provisions of POPIA could lead to a conviction and fine of up to R10 million or imprisonment of up to 10 years.