Dec 5,2018 / News / Legal Brief

The POPIA[1] centres around eight Conditions detailing how personal information should be handled while regard is given to the privacy of the individual and information. These Conditions give individuals specific rights in relation to their personal information and place certain obligations on those companies that are responsible for processing it.

POPIA both impacts and restricts the way companies can carry out unsolicited direct marketing. Direct marketing must comply with the conditions set out in POPIA. The most relevant conditions are –

  • companies must process personal information lawfully. In particular, companies will usually need to tell the individuals concerned who they are and that they plan to use those details for marketing purposes. Also, companies will need to inform people if they plan to share those details with anyone else, including selling or sharing the data for marketing purposes;
  • companies must only collect personal information for specified purposes, and cannot at a later stage decide to use the personal information for other ‘incompatible’ purposes. Therefore, people’s details cannot be used for marketing purposes if this detail was originally collected for an entirely different purpose; and
  • companies must ensure that personal information is accurate and, where necessary, kept up to date. So a marketing list which is out of date, or which does not accurately record people’s marketing preferences, could very well constitute a POPIA breach.

Section 69 of POPIA also gives individuals the right to prevent their personal information being processed for direct marketing. An individual must be given reasonable opportunity to object to a company using their details for direct marketing. In other words, companies must stop any marketing directed at a particular individual if that person objects to receiving such marketing.


Consent is central to the rules on direct marketing. Companies will generally need an individual’s consent before they can send marketing SMSes, emails or make calls. They will also usually need consent to pass customer details on to another company.

It is accepted that to be valid, consent must be knowingly and freely given, clear and specific. Therefore, it is important that companies keep clear records of what an individual has consented to, and when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.

Careful consideration should be given to electronic marketing messages. In particular, mechanisms should be considered in terms of which:

  • the individual must notify consent to the company sending the marketing. A company must be very careful when relying on third party consent, which was originally given to another company. The individual must have clearly intended for their consent to flow through to the company doing the marketing;
  • consents must be in place; and
  • the individual must specifically consent to the type of communication in question and further, it should be clear whether an individual consented to receiving emails, SMSes or a phone call.


Although companies can generally only send marketing SMSes or emails with specific consent, there is an exception to this rule for existing customers. This means companies can send marketing messages if:

  • they have obtained the contact details in the course of a sale of a product or service to that individual;
  • they are only marketing their own similar products or services; and
  • they gave the person a reasonable opportunity to object to receiving marketing, both when first collecting the details and in every message after that.


Marketing lists can be compiled in different ways and vary widely in quality. A good marketing list will be up to date, accurate and reliably record specific consent for marketing. A list like this can be used in compliance with the law and should generate few – if any – complaints. However, other lists may be out of date, inaccurate and contain details of people who have not consented to their information being used or disclosed for marketing purposes. Using such a list is likely to result in a breach of POPIA.

Understanding the basic principles of POPIA is of great importance going forward for any company engaging in direct marketing and even those companies that wish to keep in contact with their customers.

Marketing is important and direct marketing is a strategic tool of value. It will all come down to how and on what basis companies continue direct marketing initiatives once POPIA is fully promulgated.

If you would like to learn more about Data Privacy please visit our practice area page.

[1] The Protection of Personal Information Act, Act 4 of 2013 (“POPIA“).
[2] Refer to the Information Commission’s Office, should you wish to understand this topic in more detail as well as the GDPR: