How POPI will impact direct marketing

The long-awaited Protection of Personal Information Act will be of full force and effect from 1 July this year, and it is vital that retailers understand the potential implication on any of their direct marketing operations prior to this deadline. To date, direct marketing has been governed by the Consumer Protection Act (“CPA”) and the Electronic Communications and Transactions Act (“ECTA”), and there are some significant differences to be aware of.


What is direct marketing in terms of POPI

Simply put, direct marketing is where a retailer or supplier approaches a person for the purposes of selling their goods or services (as opposed to the person approaching the retailer).

Section 69 of POPI outlaws direct marketing by any form of electronic means (e-mails, SMSes and automatic voice calling machines), unless a data subject has given their consent. This understanding of what constitutes direct marketing under POPI is important, because it only relates to electronic forms of direct marketing. Therefore, direct marketing in other forms, for example the handing out of brochures, is not governed by POPI and will continue to be governed by the CPA.


By now you will be aware that a large focus of many provisions in POPI is the issue of obtaining consent from a data subject to process their information, and that is amplified for the purposes of direct marketing. When a retailer wants to engage in direct marketing via electronic means, they have one opportunity to obtain consent from the data subject to contact them for the purposes of direct marketing. If consent is not given, the retailer cannot continue to approach the data subject for the purposes of obtaining consent.

However, if the data subject is an existing customer, the retailer does not have to obtain consent, provided that:

    • the details were obtained in the course of a sale;
    • the direct marketing relates to similar products or service as the sale when the details were obtained; and
    • the data subject is given a reasonable opportunity to object to the direct marketing, both at the time the details were collected, as well as in all communications going forward.

This distinguishes POPI from the CPA, which provided for an “opt-out” mechanism, whereas POPI specifically requires that the data subject “opt-in” to receive communication.

Prescribed manner & form

There is not only an obligation on retailers to obtain consent, but it needs to be in a prescribed manner and form as set out in Form 4 of the POPI Regulations, which essentially details:

    • the identify the data subject,
    • the identify the responsible party and provide their contact details,
    • the identify the person designated to sign for the responsible party,
    • enable the data subject to consent to receive direct marketing for specified goods or services by specified methods of electronic communication, and
    • the signature of both the person designated by the responsible party and the data subject.


All communications to data subjects need to provide the data subject the opportunity to unsubscribe, at any time. This applies whether the data subject is a new or existing customer. Retailers will need to ensure that any software they utilise for the purposes of direct marketing allows for this feature, and more importantly, that once a data subject elects to unsubscribe, that their details are in fact removed from the database.

Practical implementation

The thought of POPI coming into effect can be daunting for retailers, however, once a process is in place, ensuring compliance will become second nature. 

It should be re-iterated that the obligations on marketing existing customers will be more practical from a retailers point of view, and therefore mechanisms should be put in place to obtain details and consent at the point of sale. Where retailers are attempting to market new customers, it is important to bear in mind that you may only make contact once for the purposes of obtaining consent.

Should a retailer be utilizing the services of an external marketing company, it is also suggested that the retailer as the responsible party ensures that the marketing company is complying with the relevant POPI provisions with regards to obtaining consent and unsubscribing tools. It is also important to note that when communicating with a data subject the retailers details should be easily ascertainable to the data subject, so as to comply with the requirements of POPI to allow for the consent obtained to be “informed, specific and voluntary”.