POPI and what online merchants need to know

Interview with Warren LaRey, Faithful to Nature
19th April 2018
Looking ahead
16th May 2018
Show all

POPI and what online merchants need to know


We’ve all fallen victim to unsollicited emails, phone calls and mail even though we were sure we ticked (or unticked) the right boxes. But there is hope. POPI (South Africa’s Protection of Personal Information Act) will come into effect in the next two years, meaning digital marketers and the brands they work with need to start preparing now to deal with the changes.

Current South African law stipulates you can contact whoever you want through digital channels, such as email or SMS, until they tell you to stop. However, POPI will turn this on its head by changing the digital marketing model from an opt-out form of consent to an opt-in one.

This is not necessarily a bad thing for brands because they’ll likely end up with smaller contact lists, but of higher quality, because consumers have chosen to invest in them and have a vested interest. But if you are in the business of buying and selling leads, POPI may be more troublesome, as you will effectively need double consent from consumers: To sell their info and to provide it to a third party who would then contact them.

Start preparing now

While POPI is still roughly two years away from full implementation, digital marketers and brands can still make moves now to ensure they are prepared for the transition.

  • Do some investigative research and ensure you know where your contact data came from.
  • Implement a strategy to clean the data (i.e. get consent from those on the list to be included).
  • Ensure that an unsubscribe option is present in all your direct marketing material.

Two important notes for brands: Firstly, customer consent must be voluntary, specific and informed, and if their saying ‘no’ means they don’t have access to a service, then that becomes extortion. Secondly, you need to get consent from your current contact lists, unless you told them they would be marketed to and there is always an unsubscribe option available. Also crucial to note is there’s a big difference between unsolicited digital marketing and your consumers signing up for your newsletter. They have already given their consent for the latter.

The POPI Act provides eight information protection principles to govern the processing of personal information.

People often provide information for one reason and do not realise that it may be used for other purposes as well. Therefore POPIA prescribes eight specific principles for the lawful processing and use of personal information. In a nutshell, the POPIA principles are:

  • The processing of information is limited which means that personal information must be obtained in a lawfully and fair manner.
  • The information can only be used for the specified purpose it was originally obtained for.
  • The POPI Act limits the further processing of personal information. If the processing takes place for purposes beyond the original scope that was agreed to by the data subject, the processing is prohibited.
  • The person who processes the information must ensure the quality of the information by taking reasonable steps to ensure that the information is complete, not misleading, up to date and accurate.
  • The person processing the personal information should have a degree of openness. The data subject and the Information Regulator must be notified that data is being processed.
  • The person processing data must ensure that the proper security safeguards and measures to safeguard against loss, damage, destruction and unauthorised or unlawful access or processing of the information, has been put in place.
  • The data subject must be able to participate. The data subject must be able to access the personal information that a responsible party has on them and must be able to correct the information.
  • The person processing the data is accountable to ensure that the measures that give effect to these principles are complied with when processing personal information.

So, whether one has totally embraced POPI or not – or truly understands the legal responsibilities it enforces upon businesses and organisations, there is no denying it has altered the scope of data protection, management and governance in South Africa.

Daniel Gross – CEO

Comments are closed.