Over the last few years, South African legislation has slowly started catching up with electronic communications, and I had high hopes that the Protection of Personal Information Bill (POPI) would provide the final piece of the puzzle to both protect consumers and allow businesses to continue to market directly to people in an ethical way.
Unfortunately, recent amendments to the Bill, thanks to lobbying by direct marketers, have watered it down substantially, especially when it comes to email and SMS marketing. The current version of the POPI Bill is still better than the existing law when it comes to protecting personal information, but I have some serious concerns about the practicality of the latest changes and how they will affect the effectiveness of the bill when it is passed into law.
Opt-in vs opt-out
Initially, my hope in the POPI Bill was due to the fact that for the first time it included the requirement that people opt-in to direct marketing, rather than opt-out. This is in line with the regulations of industry bodies such as the Wireless Application Service Providers’ Association (WASPA) and the Internet Service Providers’ Association (ISPA). In contrast, existing legislation in the form of the Electronic Communications and Transactions Act (ECT) and the Consumer Protection Act (CPA) works on an opt-out basis. The Direct Marketing Association of South Africa (DMASA) regulations are also based on the consumer needing to opt-out of unsolicited direct marketing.
The problem with opting out
There are a couple of problems with using opt-out principles to protect consumers from unwanted commercial messages, known as spam.
Firstly, in the case of third-party databases that are bought and sold, it is almost impossible for a member of the public to remove their name from the master list once and for all. They might remove their name from company A’s version of the list, but will continue to receive spam from companies B, C, D and whoever else has bought the list. And there could be hundreds of lists circulating at any one point in time.
The DMASA and CPA have tried to tackle this via a Do Not Contact register (DNC). In the case of the DMASA, this register only applies to its members, and is further flawed by the DMASA emailing this list of people to its members. This is clearly a massive security risk and recent reports in the media indicated that this list of contact details, identity numbers and addresses has already been leaked.
Furthermore, a Do Not Contact register does nothing to prevent the buying and selling of personal data. Once this information lands in the wrong hands, such as those of an identity thief, it could be used for fraudulent purposes.
The cost of opting out
The second reason why an opt-in system is preferable is that when it comes to SMS, there is a monetary cost attached to responding to the communication in order to opt out, in the form of the reply SMS. Looking at direct marketing from the point of view of protection of property, as per our Constitution, it is clearly unethical to require someone to spend money to remove themselves from a database they did not ask to be added to.
The dilution of POPI
POPI proposes that individuals who are not customers of a company need to explicitly opt in to direct marketing from that company. It should be easy to opt out, and the opt-out methods should be made clear at the time of signing up, and with every subsequent communication. In this case, it is not unreasonable for customers to pick up the once-off cost of unsubscribing with a standard-rate SMS.
Unfortunately, however, a recent change to the bill has weakened this opt-in approach. Possibly as a result of lobbying by direct marketers, an additional clause was added that allows companies to approach a consumer via an unsolicited email or SMS and ask them if they would like to receive future marketing communications, thus building an opted-in database.
This is problematic for a number of reasons. Firstly, it raises the question of where the company got the contact details in the first place. Secondly, it would be very easy to include a marketing message in the initial communication. Finally, what is to stop a company changing its identity and simply sending the message again in another guise?
Unfortunately, this once-off permission system could very quickly become meaningless. It opens the door to the buying and selling of contact details. If the customer gives consent in the first place, then the previous wording is enough to both protect consumers and allow business to continue with legitimate direct marketing to non-customers.
Companies should rather focus their attention on building legitimate opted-in databases by leveraging other channels, such as above-the-line advertising, promotions, loyalty campaigns and so on. Companies should include a reply path on any marketing material whether by SMS, email, social network or even snail mail. This explicit permission would also mean that they would not have to query the DNC registry, as per the CPA, on every communication.
Time and time again it has been proven that an opted-in database gets better results, whereas an opt-out system becomes unworkable over time and eventually destroys the effectiveness of a communications channel. It is to the benefit of everyone to follow opt-in principles.