The POPI Act was enacted in 2013 and, seven years later, it is finally about to come into practice. As of 1 April 2020, South Africans will be bound by the Act, which was based on the European Union’s General Data Protection Regulation (GDPR).

The initial talk of implementation sent marketers and business owners into a frenzy to make sure their practices do not contradict the Act. Now that it is that much more real, with its implementation date set in stone, let's rewind and take a look at the most important elements involved.

What is the POPI Act all about?

The POPI Act aims to encourage the protection of personal information that is processed by both public and private bodies. To do this, the Act will introduce certain conditions that will establish the minimum requirements that businesses must comply with when processing personal information.

The Act is also aimed at giving people rights when it comes to unsolicited electronic communications.

Basically, it’s a code of conduct that all businesses must comply with.

But, why do we need the POPI Act? 

The aim of the Act is to protect consumers from harm by protecting their personal information. It aims to protect consumers from having their money and identities stolen, as well as keep their private information private.

To do this, the Act sets out the guidelines for when it is lawful for someone to use and process someone else’s personal information.

What counts as ‘personal information’?

In terms of the Act, personal information is data that can be used to identify a person. It is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”

This information about a person includes, but is not limited to:
  • race
  • gender
  • sex
  • pregnancy
  • marital status
  • national / ethnic / social origin
  • colour
  • sexual orientation
  • age
  • physical or mental health
  • disability
  • religion / beliefs / culture
  • language
  • educational / medical / financial / criminal or employment history
  • ID number
  • email address
  • physical address
  • telephone number
  • location
  • biometric information, and
  • personal opinions, views or preferences.

Hold up, is POPI the same as GDPR?

Sort of, but not really. It’s best to think of them as different flavours of the same thing. Pretty much, if you’re GDPR-compliant, you’re basically POPI-compliant.

They are similar in some ways. Namely, they both lay down the law for processing and storing personal information and the rules for notifying third parties if there are security breaches.

However, they vary in the sense that the security regulations differ slightly, as follows:
  • GDPR: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security and appropriate to risks represented by the processing and the nature of the personal data to be protected.”
  • POPI: “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.”

Furthermore, the penalties for a breach of each differ; a breach under the GDPR can attract a fine of up to 4% of annual global turnover or €20-million, whichever is greater. This kind of fine would cripple most South African companies.

Who will be affected by the Act?

Put simply — just about everyone.

All companies will be affected by the Act, but in particular, it will be the companies that deal with a large amount of personal information — think of banks, insurance companies, medical aids, etc.

However, all companies need to have systems in place to deal with personal information. Plus, the POPI Act also has guidelines about direct marketing — so any brand sending messages or emails to consumers without them opting in, beware!

So, how will the POPI Act affect marketers?

Direct marketing becomes opt-in

The Act is set to have the most impact on direct marketing — especially through SMS and email channels. Up until now, most of this marketing has been ‘opt-out’, where consumers receive promotional messaging and can choose to no longer receive these messages.

However, once POPI is in place, direct marketing will have to become ‘opt-in’, where consumers will have to actively agree to receive promotional messaging. Essentially, this means that unsolicited direct marketing via electronic channels will become opt-in only.

The only exceptions to this, according to the Act, are if the existing consumer has already given their personal information to the supplier in the context of a sale for the purpose of direct marketing, and also if the consumer "has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality".

Processing and protecting personal information

It’s not only direct marketing that will be affected by the POPI Act — any form of marketing that involves the processing of personal information will be too.

The Act imposes strict requirements on people holding personal information to keep it safe. This means that marketers will have to ensure that their data security is up to scratch or face severe penalties if personal information is hacked or unlawfully made public.

Penalties for non-compliance

Marketers who do not comply with the POPI Act can face both civil and criminal charges. Fines can go up to R10-million and, in extreme cases, there is also the possibility of spending up to 10 years in jail.

The Act has specifically allowed for class action lawsuits, so if your practices don’t comply, you can expect every person on your mailing list to potentially bring a claim against you.

To POPI-proof your marketing, keep these four basic tips in mind:

  1. Respect the consumer’s choice to opt-in or out.
  2. Be clear that you are requesting consent for a specific purpose, such as contacting them about insurance policies.
  3. Give consumers a clear way to express their choice by giving them the option to click a button or mark a checkbox.
  4. Keep records of when and how consent was obtained and exactly what it covers.
