How South African companies can avoid becoming a spammer under the CPA

PRESS RELEASE ‐ SOUTH AFRICA ‐ June 2011

By Dr Pieter Streicher, MD of BulkSMS.com

There is no denying that the launch of a “do not contact registry” to allow South African customers to permanently opt-out of all unsolicited marketing communications is a massive step forward for consumer rights. But customers need to understand the limitations of the mechanism, companies need to be ready to comply with the new law, and especially smaller companies need to consider the implications of having to regularly query the database.

Thanks to the Consumer Protection Act (CPA), consumers will be able to add their contact details to the registry and so block unsolicited direct marketing communications from all companies. But consumers need to realise that the registry is somewhat of a blunt instrument – once you have added your details, you might have to sign up again with companies that you do want to hear from.

The other warning for consumers is that, despite the CPA finally coming into effect on 1 April 2011, the development of the registry has only just gone out to tender. Building the registry is no small task, as it needs to allow companies to quickly query it on a regular basis, and a best guess is that it will take several months to be set up.

Despite my comments about it being a blunt instrument, the registry is a vast improvement on the current system from a consumer’s point of view:

  • Currently the Direct Marketing Association (DMA) manages an opt-out list that only its members are obliged to comply with. Under the CPA, anyone marketing to a consumer has to comply.
  • While the DMA emails the list to its members – which is clearly a massive security risk - the CPA registry will keep the contact details secure. Companies will submit their lists to the registry and then be told who they can legitimately contact.
  • The DMA list only applies to third party lists, and not to companies that the customer initially gave their contact details to directly. The CPA registry will also apply to direct marketing messages to recent clients, unless these clients have given explicit consent for such messaging.
  • The CPA could fine companies who spam consumers, whereas the DMA works on an industry regulation basis and merely reprimands members.

From an SMS point of view, the registry will go a long way to cutting down on SMS spam, but only for those on the registry. Recently spammers have been bypassing industry regulations such as the WASPA Code, by using international messaging routes. The CPA will apply to all companies including network operators, regardless of which messaging routes they use.

For those consumers not on the registry, the CPA provides no protection against spam or the buying and selling of their personal details. This might change once the Protection of Personal Information Bill (POPI) is enacted. POPI requires that businesses obtain personal details directly from the data subject. Businesses may not obtain personal details elsewhere unless they have explicit consent. Note that this bill has not been finalised, and could still be watered down due to lobbying from the DMA.

Companies should be gearing up to comply with the CPA once the do not contact registry becomes available.

But smaller companies who can’t afford the financial and operational overheads of querying the database themselves need to tread carefully. Companies that do not query the registry will be unable to legally send direct marketing communications to their own customers unless they have received explicit consent, because according the law, if a company doesn’t check the database, it has to assume that everyone is registered on the do not contact registry.

A solution for these companies is to take advantage of a third party channel that does interrogate the do not contact registry. Businesses should ensure that the WASP they choose to send SMS communications does check the registry once this becomes available, and be sure they are complying with the law.

So smaller companies do have alternatives to the overheads of querying the registry themselves or face a marketing channel being unavailable to them. Of course, at the end of the day, playing by the rules is better for the consumer and the efficacy of companies’ marketing messages.