Keeping track of the latest version of impending legislation as it makes its way through the South African parliamentary system can be a nigh on impossible task. So prepping your business for upcoming law – such as the Protection of Personal Information (POPI) Bill – can be a challenging and stop-start affair.
Over the last few weeks, we’ve received further clarity on POPI and its key definitions, allowing businesses to confidently start laying the foundation for regulatory compliance in continuing to market to their customers and prospects via electronic communication channels.
POPI refers to how companies collect and store consumers’ personal information, and then, crucially, how companies can use this information to market to consumers. The good news is that it is a relatively simple matter to ensure your existing customer database is compliant and that any future details you collect are legal.
Key to understanding POPI is section 69 of the bill, which deals with unsolicited commercial communications and direct marketing – which we’ll unpack in a bit more detail here.
Which communication channels are affected
In line with international best practice, POPI applies to electronic communications that involve a level of automation, storage and forwarding. This means that SMS and email are included in POPI’s definition of electronic communications, but regular person-to-person (P2P) telephone calls are not. This is pertinent, because it recognizes that the automation of communication is one of the main reasons why spam has become such an issue and needs to be managed via legislation. The point to take home here is that direct marketing via a P2P telephone call is handled on an opt-out basis, while all other electronic communications must be opted into by a consumer.
Customer and prospect opt-ins are handled differently
The bill distinguishes between how existing customers’ and prospects’ personal data is handled when it comes to opting in to receive direct marketing communications. A business’s existing customers need only have given inferred consent to be sent direct marketing via electronic channels, while prospective customers (that is, non-customers) need to have given express consent before receiving the same communications.
Getting inferred consent from customers
Inferred consent means that you have informed your customer how you will be using their personal details when you collected them. In addition, you need to give them the opportunity to opt out of marketing communication at this point.
Customers should also be given the opportunity to opt out of marketing communications on each subsequent communication you send to them. The opt-out instructions need to be clear and the process must be free of charge and not bogged down in unnecessary formality.
If you have not done this yet, you can relatively easily get your customer database compliant with POPI. The key is to get consent at the point when you collect the customer data, which is not necessarily at the point of sale. By running a campaign to update your customers’ details you should, at the same time, inform your customers that you will be marketing to them and give them the opportunity to opt out. This process will make your database POPI compliant.
Getting express consent from non-customers
POPI is the first regulation in South Africa to define express consent for non-customers in order to market to them directly via electronic channels. This means that the consumer must agree to their personal information being processed and used for direct marketing. In terms of POPI, consent needs to be specific, voluntary and informed. In other words, at the point when a non-customer is engaged, the following should be asked: “Would you like to receive regular marketing communications from company A? Answer: YES or NO”.
However, ensuring existing non-customer databases are retrospectively made compliant needs to be handled with kid gloves. If you can prove the database has been acquired legally you are free to contact the consumers and ask for their permission to market to them – but you can only do this once.
While there are additional technicalities around the wording of opt-out messages and related charges, the above guidelines will ensure your databases are POPI compliant.
It is expected that POPI will be passed into law within the next six months, at which time it will be specified how long companies will have to comply with the handling of personal information when using electronic communications to market to existing and prospective customers.