The long-promised crackdown on unsolicited marketing has moved from proposal to law.
On 15 April 2026, the Department of Trade, Industry and Competition gazetted amendments to the Consumer Protection Act (CPA) regulations, formally introducing a national opt-out registry and stricter rules for direct marketers.
The regulations came into effect on publication, meaning the framework is now legally in force.
The move follows a consultation process that began in 2024. On 28 October 2024, Minister of Trade, Industry and Competition Parks Tau published draft amendments to the CPA regulations, inviting public comment within 45 days. The deadline was later extended to 15 January 2025.
Read: No more spam calls? Proposed amendment introduces opt-out registry
In a media statement on 1 November 2024, the ministry pointed to a surge in unsolicited marketing, stating that consumers were increasingly being bombarded with intrusive calls and messages.
What has changed
The amendments give practical effect to a right that has existed in the CPA since 2011 – the right to block direct marketing.
Consumers can now register a “pre-emptive block” on an official opt-out registry managed by the National Consumer Commission (NCC).
In simple terms: once a consumer registers, direct marketers may not contact them.
The regulations define this clearly. A “pre-emptive block” is described as registering a block on the registry “to prevent any unwanted electronic communication from direct marketers”.
Consumers must provide identifying details when registering and are required to keep that information up to date.
The regulations also include a prescribed registration form, also published in the Government Gazette, which sets out the information consumers must submit to place a block. This form standardises the process and gives effect to the registry in practice. In practice, the form will be made available through the NCC as part of the opt-out registry system.
New obligations for marketers
The biggest shift is on the industry side.
Direct marketers must now:
- Register on the opt-out registry and renew that registration annually.
- Cleanse their databases regularly by removing consumers who have opted out.
- Not contact any person who has registered a block.
- Ensure their contact details are clearly identifiable.
- Avoid using untraceable or anonymous communication channels.
The regulations define “cleansing” as removing opted-out consumers from databases “ensuring that they are no longer contacted”. In practice, this requires marketers to ensure their databases are aligned with the registry before contacting consumers.
The NCC, as custodian of the registry, is required to use the information only for purposes of operating the opt-out system and may not disclose confidential information to third parties without consent, unless required by law.
Do spam rules cover phone calls?
The regulations refer to “electronic communication” but do not expand the definition.
The Information Regulator’s Guidance Note on Direct Marketing under POPIA treats telephone calls – including live calls and automated messages – as electronic communications. However, parts of the direct marketing industry argue that phone calls do not meet the legal definition because they are not stored in a network or device before being received.
Read: Spam calls are now electronic communication: guidance note closes direct marketing loophole
In November 2025, the Information Regulator said it was preparing a test case to settle whether telemarketing falls within the definition of electronic communication under the Protection of Personal Information Act (POPIA).
Read: Regulator seeks court test to settle whether telemarketing falls under POPIA
It has indicated that enforcement action in a live case could be used to obtain judicial clarity on whether telemarketing falls within the scope of POPIA.
Fees now locked in
The Gazette also formalises the fee structure.
New tariffs will be published every three years.
What this means in practice
The shift is significant. Until now, the CPA allowed consumers to opt out in theory, but there was no central, enforceable system. That gap is now closed.
The amendments create a single, regulated database that marketers must align with when conducting direct marketing. Failure to comply may constitute a contravention of the CPA.
Consequences of non-compliance
The regulations operate within existing CPA enforcement mechanisms.
Non-compliance can trigger complaints to the NCC, with matters escalated to the National Consumer Tribunal.
Under section 112 of the CPA, administrative fines can reach the greater of 10% of annual turnover or R1 million.
In practice, this means:
- Contacting a consumer who has opted out equals potential contravention.
- Failing to register on the opt-out registry equals non-compliance.
- Not cleansing databases equals ongoing breach.
For high-volume marketers, the exposure is material.
Where this leaves financial services
One unresolved issue remains. Much of the financial services sector falls outside the CPA because it overlaps with laws such as the FAIS Act.
Read: CPA amendments: will financial services face stricter direct marketing rules?
However, the amendments do not expressly exclude financial marketing.
Industry experts have previously indicated that co-operation between regulators – particularly the NCC and Financial Sector Conduct Authority – could bring financial services into scope where direct marketing is concerned. That position is now likely to be tested in practice.
