Information Regulator unhappy with the flood of unsolicited direct marketing

Posted on

The Information Regulator says it is concerned that consumers continue to be bombarded with unsolicited direct marketing messages that do not comply with the Protection of Personal Information Act (Popia), and it will draft a guidance note on the interpretation of section 69 of the Act.

In an address to the media on 29 June, IR chairperson Pansy Tlakula also said the regulator is investigating the sale of consumers’ personal information.

She said most of the 700-plus complaints the IR has received and “pre-investigated” since its enforcement powers came into effect in July last year related to direct marketing. She said this was a “grave concern” and an indication that responsible parties were not complying with sections 69 and 11 (consent, justification and objection) of Popia.

Section 69 of Popia prohibits direct marketing by means of unsolicited electronic communications, including automatic calling machines, facsimile machines, SMSs or email, unless the data subject has given their consent to the processing or is a customer of the responsible party.

Tlakula said there is a debate whether a telephone call constitutes an electronic communication in terms of Popia.

The Act defines “electronic communication” as any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

The IR will engage “relevant stakeholders” and draft a guidance note on the interpretation of section 69.

Consent for direct marketing

In the meantime, Tlakula said it was clear that section 69 prohibited direct marketing through unsolicited electronic communication unless a data subject has given their consent to such processing or is a customer of the responsible party.

Popia defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. Tlakula said this means that simply requesting a data subject to opt-out does not constitute consent.

She said such consent was also subject to the following conditions:

  • The data subject must be contacted only once for the purpose of obtaining their consent.
  • The responsible party must have obtained the data subject’s contact details lawfully. This means the responsible party must have obtained them from a public record, or the subject must have “deliberately” made their contact details public.
  • A data subject who has been contacted and has withheld their consent cannot be contacted again.

Furthermore, any direct marketing communication must contain the identity of the sender or the person on whose behalf the communication has been sent and an address or contact details to which a data subject can send a request for the communication to stop.

Warning to data traders

Tlakula warned credit providers and direct marketers that trading consumers’ personal information was a violation of Popia and must stop.

“We say to those that offer to sell these lists and those that buy them, do not allow yourself to be the first example of the regulator’s bite.”

Following information provided by the National Credit Regulator, the IR has started a “systemic” investigation into the unlawful sale of personal information, Tlakula said.

‘Alarming rate’ of data breaches

South Africa was experiencing “an alarming rate” of data breaches, and the IR has recorded more than 330 incidents since July last year, Tlakula said.

When a security compromise occurs, or if the IR believes that personal information is not being processed lawfully, the regulator has the power to conduct an assessment.

She said assessments involving WhatsApp, TransUnion, and the Department of Justice and Constitutional Development were “at an advanced stage”.

Due to the prevalence of data breaches, the IR has established a dedicated Security Compromise Unit, which will conduct “extensive” investigations or assessments into data breaches and issue reports with findings and recommendations. These reports will be enforcement notices in terms of section 91(3) of Popia, Tlakula said.