Aisling McCarthy looks at how the POPI Act will affect marketers in 2019.
The POPI Act was enacted in 2013, but it has yet to commence. And with the GDPR about to celebrate its first anniversary, South African marketers are starting to panic about what the POPI Act will mean for their businesses.
Why do we need the POPI Act?
The aim of the POPI Act is to protect consumers from harm by protecting their personal information. The Act aims to protect consumers from having their money and identity stolen as well as keep their private information private.
To do this, the POPI Act sets out the guidelines for when it is lawful for someone to use and process someone else’s personal information.
What counts as personal information?
In terms of the POPI Act, personal information is data that can be used to identify a person. The Act defines it as
“information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”
This information about a person includes, but is not limited to:
- Marital status
- National/ethnic/social origin
- Sexual orientation
- Physical or mental health
- Religion / beliefs / culture
- Educational / medical / financial / criminal or employment history
- ID number
- Email address
- Physical address
- Telephone number
- Biometric information
- Personal opinions, views or preferences
How does the POPI Act affect marketers?
Direct marketing becomes opt-in
The Act is set to have the most impact on direct marketing — especially through SMS and email channels. Up until now, most of this marketing has been ‘opt-out’, where consumers receive promotional messaging and can choose to no longer receive these messages.
However, once POPI is in place, direct marketing will have to become ‘opt-in’, where consumers will have to actively agree to receive promotional messaging. Essentially, this means that unsolicited direct marketing via electronic channels will become opt-in only.
The only exception to this, according to the Act, is if the consumer is an existing customer who has already given their personal information to the supplier in the context of a sale for the purpose of direct marketing and "has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality".
Processing and protecting personal information
It’s not only direct marketing that will be affected by the POPI Act — any
form of marketing that involves the processing of personal information will be too.
The Act imposes strict requirements on people holding personal information to keep it safe. This means that marketers will have to ensure that their data security is up to scratch or face severe penalties if personal information is hacked or unlawfully made public.
Penalties for non-compliance
Marketers who do not comply with the POPI Act can result in both civil and criminal charges. Fines can go up to R10-million Rand and, in extreme cases, there is also the possibility of spending up to 10 years in jail.
The Act has specifically allowed for class action lawsuits, so if your practices don’t comply, you can expect every person on your mailing list to potentially bring a claim against you.To POPI-proof your marketing, keep these basic tips in mind:
Are there any other implications that you think the POPI Act will have for marketers? Let us know in the comments section below.
*Image courtesy of Vecteezy
- Respect the consumer’s choice to opt-in OR out
- Be clear that you are requesting consent for a specific purpose, such as contacting them about insurance policies
- Give consumers a clear way to express their choice by giving them the option to click a button or mark a checkbox
- Keep records of when and how consent was obtained and exactly what it covers