The long-awaited Protection of Personal Information Bill (POPI) was finally approved by the President on 27 November 2013, giving companies approximately 18 months to become POPI compliant.
What is POPI?
The act has been born out of a need for more stringent rules – and harsher punishments – against the protection of personal information of individuals, thereby affording every person further rights to privacy and protection of their personal data.
What does POPI have to do with Email Marketing?
In chapter 8 of the Bill, POPI explicitly outlines the conditions under which electronic communications (such as Email marketing and newsletters) is prohibited. According to section 66, the act does not permit companies to send any form of electronic marketing messages without being granted permission by the recipients to do so.
Until POPI, the only legislation governing electronic communications has been define under the Electronic Communications and Transactions (ECT) and Consumer Protection (CPA) Acts, where both pieces of legislation imply that direct electronic marketing is permitted, even without prior consent form the individual, provided that the recipient is given the option to opt-out of such future communications.
POPI, on the other hand, completely outlaws any form of direct marketing without having first obtained permission from the individual (referred to in the act as the ‘Data subject).
Does POPI apply to ‘older clients’?
Companies with existing marketing database must ensure that they have an audit trail of evidence demonstrating that they have their client’s permission to send marketing communications to them.
Where such (traceable) permission was never obtained in the past, marketers will need to request permission from their existing clients to continue to market to them in the specific manner in which the client has agreed to, and where not, they must be removed from any and all marketing databases.
Becoming POPI Compliant
In summary, POPI says the following about direct marketing and how companies should act in order to remain compliant:
Collect personal information from data subject directly
Collect personal information for specific, explicit and lawful purposes only
Only process personal information if the data subject consents
Do not retain personal information for longer than necessary
Facilitate that personal information remains accurate and updated
Notify the registrar and appoint an information officer
Protect the security and integrity of the personal information
If you have a 3rd party / operator, they must contractually comply
Must be able to report on the data upon request
For direct marketing, you must obtain the consent of the data subject
The data subject must opt-in to every particular channel
Where the data subject has requested a change, or opts out of a particular channel, this request must be honored immediately
According to a previous comment referencing Dr Tobias Schonwetter, director of UCT’s intellectual property unit in the Faculty of Law, direct marketers may approach a new customer once to obtain the required consent for sending direct marketing messages.
What are the consequences for non-compliance?
Before the Act can come into full force, the President must announce the official commencement date. It is anticipated that his may still be about 6 months away. However, from the date on which the effective date is published, companies will be given 18 months to ensure that they are fully POPI compliant, during which time the regulator and administration will prepare to govern the Act.
For those companies who are not compliant after this grace period, they stand to face a number of serious consequences. While the regulator is entitled to issue an enforcement notice in the event of discovering non-compliance within a company, repeat offenders may face criminal liability and/or fines.
It has been reported that non-compliance with POPI (considered a criminal offence) may result in imprisonment of between 12 months to 10 years for violations (depending on the severity of the crime), or at the very least hefty fines that could severely harm the business.
Take action now!
Companies should immediately commence with an audit of their current email marketing tactics. Such an audit should review how they acquire their customer’s information, what permissions they have in place and how they go about acquiring permission.
They should engage in a complete database clean-up, removing any contacts who have not granted permission to be contacted, and cleaning up any hard bounces (emails that get returned due to mailboxes that no longer exist, or where the recipients firewall has blocked your email etc.).
Companies should review how opt-outs are currently being managed and ensure that these are honoured in line with the requirements of the act.
Any agreements with 3rd party suppliers (where personal information is shared) must be reviewed, and where appropriate, contracts reviewed to protect companies against negligence by any service providers that they may use in the ordinary course of business, or for marketing.