The Protection of Personal Information Bill (POPI) has been passed by the National Assembly and is likely to be signed into law as an enforceable Act before the end of this year. The intention of POPI is sound in terms of establishing a protection of personal information regime in South Africa in line with international standards. However, the compliance ramifications for marketers are immense and will require intensive planning, preparation and legal counsel to ensure that businesses do not fall foul of the law in terms of their direct marketing activity.
This is according to Murray Hewlett, managing director and founder of Affinity Data, a leading lead generation, database management and marketing list provider. “Once POPI becomes an Act, businesses will have just one year to become compliant. However this is not a lot of time when one considers the impact it will have on governance, IT and database management within an organisation. Essentially if your business stores, processes or engages in any direct electronic communications with customers and prospects, you should be well down the line in preparing for POPI. If not, you could find yourself out of time and falling foul of the law,” says Hewlett.
“While larger corporations have started the process towards compliance, backed with the benefit of having substantial legal and compliance resources, the real concern lies in small and medium sized businesses that are likely to struggle with firstly the interpretation of POPI, as well as the significant costs of compliance. Once the grace period has passed, stiff penalties of R10 million fines and jail terms can be imposed on transgressors,” warns Hewlett.
POPI protects personal information by restricting how this data may be collected, processed and used by a direct marketer and is set up around eight principles of Accountability, Processing limitation, Purpose Specification, Further Process Limitation, Information Quality, Openness, Security Safeguards and Data Subject Participation.
Specifically relating to electronic marketing communications, such as e-mail and SMS campaigns, direct marketers may not use any personal information for direct marketing purposes unless permission was granted by the consumer in the form of an opt in.
Denis Warren-Tangney, a Director at Thomson Wilks Attorneys, explains that in terms of POPI, the bill currently defines “personal information” as all information relating to an identifiable, living natural person and where applicable, an existing juristic person - all such persons being defined as “data subjects”, and defines “processing” in very wide terms to cover any activity by automatic or manual means pertaining to the collection, receipt, collation, storage, updating and use of such personal information.
“There will be regulations published in terms of the Act once it is signed, and we do not yet have any indication of the effective date of such regulations. It is the regulations that will contain the teeth to enforce POPI, so at this stage references made prior to this are still subject to the as yet unknown regulations. However, it is important to note various important provisions of POPI as there are penalties for non-compliance.
“The effect of POPI is generally viewed in a very positive light, as it protects the individual’s constitutional right to privacy. However, for those companies that deal in direct marketing, there are significant compliance requirements. Perhaps the most significant is the fact that POPI will require a specific “opt in” in order to gather and make use of a person’s personal information. In terms of the Consumer Protection Act, there is provision for the opting out of receiving direct marketing material. POPI goes a lot further in relation to how the information is handled, stored, used and most notably, the consent required to handle such information,” explains Warren-Tangney.
Under a POPI regime, direct marketers will have to receive consent from individuals to collect, retain and/or share personal information and send them marketing communications. At present, marketers may retain contact information and communicate with an individual until he or she “opts out” in terms of the Consumer Protection Act. Until now, there has not been an opt-in requirement, whereby explicit voluntary consent is required prior to marketing directly with an individual.
“Marketers will now have to get permission from an individual first before they can obtain and retain personal information and communicate with an individual. Future email and SMS communication will require prior approval before the communication takes place. The subscriber will still have the option to “opt out” which the marketer will be obliged to honour. In addition, marketers will be obliged to comply with a request to disclose any personal information held by them to the individual to whom such information relates, and will have to do so at the cost of the marketer,” adds Warren-Tangney.
Social media marketing however is totally compliant with POPI regardless of the legislative changes. “For example, if someone uses LinkedIn to connect, they are providing approval to communicate. If a person follows you on Twitter, you have every right to share information with them until they “unfollow” you,” adds Warren-Tangney.
Murray Hewlett of Affinity Data adds that it’s likely that we will see a significant investment in social media marketing as a means to overcome the constraints POPI imposes on other digital channels such as e-mail and SMS. “However, email and SMS marketing remain an essential and preferred means of communication for most sophisticated consumers, so online marketers need to get their house in order sooner rather than later,” adds Murray.
The way forward
“The time to get your house in order is now, since a request for consent from a consumer once POPI is in force will, in itself, amount to communication using personal information, which could be an offence,” explains Denis Warren-Tangney of Thomson Wilks Attorneys.
Penalties in terms of POPI are significant: A fine of ten million rand may be levied, and imprisonment for a period not exceeding ten years may be a result of non-compliance. “The fine portion is an administrative fine, and can be levied prior to the commencement of the criminal proceedings in terms of POPI, and will be payable immediately. As is the current trend, these penalties apply to the directors of the company concerned. For any business R10 million or jail time is a serious blow, all the more so for a small or medium sized business. For many it would spell immediate insolvency and shutdown.
“POPI should not be taken lightly, and a wait-and-see approach is absolutely foolhardy,” he warns.
The application of POPI becomes even more crucial in the instance of rented or third party marketing lists. “If a direct marketer obtains a list of prospects from a data provider, the data vendor will have infringed POPI by passing the list on to the direct marketer unless the individuals on the list specifically consented to their information being passed on. In this regard, the use of ethical and POPI-compliant data providers is critical to ensure that the marketer is not in breach of POPI, and that the data provider can validate firstly the opt in, and secondly that permission was granted for the consumer’s data to be passed on.
“The DMASA’s “Centres of Excellence” D-Lists recognises companies that have undergone successful data audits under the Centre of Excellence programme by independent auditors. It is crucial that marketers obtain their databases from verified, compliant providers who can validate that their data complies with the provisions of POPI,” adds Murray Hewlett of Affinity Data.
“The reality is that POPI will level the playing fields and root out unscrupulous data providers who are illegally obtaining subject data and then selling it on, fuelling criminal activities such as identity theft and credit card fraud. Ethical data providers who have invested in the infrastructure, technology and governance to manage data in a professional and ethical manner are embracing POPI, as it will without doubt clean up the industry and leave only the professionals standing. Marketers need to do their homework and make sure their data providers adhere to the highest levels of professional practice as defined by POPI,” says Hewlett.
Although it may not seem so, POPI is good for marketers and consumers alike. Consumers will only receive communication from companies they want to deal with and consumers can rest assured that their personal information is protected. Marketers should find that their hit-rate increases, and there is little in the way of wasted communication.
“There can be no lax or DIY approach to POPI compliance for any marketer. Given the scope of compliance requirements, and the penalties for failing to do so, investment in astute legal counsel and IT in establishing a compliance framework to ensure that you are not falling foul of the law is essential,” concludes Hewlett.