From CompliNEWS | Financial Service Intelligence Watch

Information regulator takes action on direct marketing violations, raises compliance concerns


The Information Regulator recently issued its inaugural Enforcement Notice in response to a complaint about unsolicited direct marketing, marking a significant step in the application of the Protection of Personal Information Act, 2013 (POPIA). The complaint was lodged against FR Ram Consulting for sending unrequested emails concerning courses and webinars, thereby breaching POPIA’s regulations on consent for direct marketing communications.

The notice revealed that FR Ram Consulting had failed to secure the necessary written consent from the data subject before sending direct marketing materials. According to POPIA, the initial communication from a company should seek the recipient’s consent using a specified form (Form 4 under the POPIA Regulations) to ensure compliance. Furthermore, FR Ram Consulting neglected the data subject’s requests to cease such communications, adding to their contraventions.

Consequently, the Information Regulator mandated FR Ram Consulting to stop all unsolicited direct marketing communications to individuals who haven’t given explicit consent. The company is required to first obtain consent in the prescribed manner and maintain a database of individuals who have refused or not given consent for receiving marketing messages, providing the design of this database to the Regulator. FR Ram Consulting faces a 90-day deadline to comply with these directives or risk penalties, including fines up to ZAR10 million and/or imprisonment.

The Regulator also announced plans to release guidelines on direct marketing communications to clarify compliance requirements.

However, there are concerns regarding the Regulator’s stringent interpretation of consent acquisition and its implications for companies’ direct marketing strategies. While the POPIA regulations indicate that a form similar to Form 4 is acceptable for obtaining consent, the insistence on using the exact form could be seen as inflexible. Additionally, the notice’s prohibition against telephonic direct marketing raises questions, given POPIA’s definition of electronic communications does not explicitly cover telephone calls in the same manner as texts, emails, or other electronic messages.

As the business community anticipates the forthcoming guidelines, it’s clear that the Information Regulator is serious about protecting personal information and enforcing POPIA. Yet, the practical challenges and ambiguities highlighted in this enforcement action suggest a need for further clarification to ensure both compliance and operational feasibility for South African companies engaging in direct marketing.