For marketers and lead generation companies in particular, there is a great deal of confusion as to what POPI means for existing direct marketing practices and what companies can and cannot do under the data privacy legislation.

In recent years, there has been strong consumer pushback against marketing practices that are widely perceived to be intrusive, surveillance-based and even downright creepy.

Yet, this sentiment has to be carefully balanced with sustainable and respectful marketing strategies that provide value to both businesses and consumers, as well as support business growth in a sustainable way with respect to consumer privacy.

To achieve this balance, it is critical for marketers and lead generation companies / specialists to understand the parameters that POPI has outlined and how to adapt marketing practices (or review them) within the new legal context.

Companies have a lot at risk, as the recent Experian data breach has underscored: the consumer credit reporting company suffered a major breach of customers' personal information. This is affecting an estimated 24 million South Africans and nearly 800 000 businesses.

Such an incident highlights the value of personal information and the many questions (and risks) around the buying and selling of customer data without permission.

Arguably, one of the key areas to examine and understand is lead generation and where / how marketers can obtain leads. It also includes consent from the consumer. Privacy regulators are hyper-focused on this space, so it is really worth understanding the new rules of the road.

Lead generation and record-keeping

Contrary to what many people think, POPI doesn't include a long list of things you can no longer do; instead, it deals mostly with how businesses and marketers now do things. So, where can you get leads?

Today, first-party lead generation is experiencing a resurgence in popularity with companies spending more time around starting conversations with potential customers. That said, a major portion of lead generation is from third-party providers and buying leads.

You can still buy leads but there are certain rules attached to this. For example, if you are looking to purchase leads from a credit bureau, you can buy these leads if there is a clause within the credit bureau's terms and conditions stating that they have obtained permission from prospects / customers to on-sell their information.

They must, however, actually have the customer's permission. Without this permission, you cannot buy the leads because the prospects aren't aware of the fact that their information is being used.

In addition, with regards to using or harvesting personal information from the Internet, including from social media sites, you are technically allowed to do this. Bear in mind, however, that POPI states that, wherever possible, get the information directly from the person (unless it is information that that person has made deliberately public).

In addition, before using electronic marketing to contact someone whose information you have harvested, you must get in contact to tell them you have their information and request consent to use it for direct marketing.

Another key question is, 'Can I use someone else's database?' For example, can a separate company from a separate brand use another company's database? Here, the answer is no because the prospects did not necessarily sign up for direct marketing from the new company (there was no signed consent).

Also, can you buy leads outright? Yes, if you trust that the person selling the leads obtained consent from the prospects to sell their information. But if they didn't, you could be in hot water with the Regulator.

If they don't get consent, then you will have to contact the leads and get a double opt-in yourself. If you are selling the lead, then it's important to consider if your leads are aware you have the information and have given you the permission to sell the information (or you have given them the chance to object).

Notably, even when the same company cross-sells across products or services, POPI states that you don't need opt-in consent for 'the same or similar products'; for example, credit is different to clothes, so you would need consent because they are different categories.

What consent looks like

As it stands, most people / companies are not getting valid consent. Under POPI, consent needs to be informed and specific; it needs to be voluntary and an expression of will (i.e. I have to do something, such as tick a box). You can't 'hide' consent within T&Cs. 

So, when do you need consent? Firstly, if the person doesn't know you, you need consent for electronic marketing. Also, if you never told leads that you are going to use their information for marketing, you need their consent.

Additionally, if you got the information from someone else, you need to ask for permission to have the information from the prospect, as well as consent to use it for direct marketing (double opt-in).

You don't need consent if you got the prospect's information in the context of a sale (they know you), and you told them you would use the details for marketing for similar products / services. This also stands true when you told them they could object every time you contacted them.

That said, what is very problematic for many companies is that proper records are not being kept around obtaining consent, and under what circumstances the permission / consent was obtained.

Remember that if you do re-consent or re-permission your database, you will likely lose up to 90% of your leads. Now, POPI doesn't expressly say you need to re-consent your database; instead, it provides principles that you have to interpret for your own context.

Taking a risk-based approach: Do you need to re-consent your database?

There are several key questions to answer before making this decision. Firstly, do you know where you got the information from? If you don't know, the only way to be 100% safe is to re-consent.

Then, do you have a record of how these people signed up? Also, consider if have you ever contacted them for marketing before. If the answer is yes, every week, then you are probably fine.

Now, if you've never contacted them before and you're sitting with old information that you harvested a while back, you should likely re-consent. Also, if the opt-out was vague or if you have no record of how prospects signed up, this presents a risk for you.

A good rule of thumb is to ask, will this person be surprised (or worse, irritated) to hear from you? The important things here is to weigh up the following: 
  • is your database highly valuable and generating profits?
  • are you being respectful and providing clear unsubscribe processes?
  • are you making an informed, risk-based decision?
Looking ahead, there are some immediate steps to take to ensure you are balancing business growth with the new emphasis on consumer privacy:
  • Use friendly and open pro-POPI messaging in your communication.
  • Package or present the re-consent as an opportunity for your customers to update all their details and do it securely.
  • Incentivise staying or subscribing.
  • Manage complaints quickly and professionally.
  • Decide who in the company is responsible for POPI compliance.
  • Find out where you got the data on your database and what they thought they were getting themselves into.
  • Decide what you are going to do with your existing base.
  • Check your sign-up process (people shouldn't be surprised to get marketing).
  • Audit your unsubscribe process and make unsubscribing easy and foolproof (this should be a priority!).
  • Train your customer-facing teams around POPI.
For more information, visit www.novcon.co.za. You can also follow Novation Consulting on Facebook or on Twitter.