By David Jenkin
When is the Protection of Personal Information Act No 4 of 2013 likely to come into full effect?
The process is coming along quite nicely. We have a short list of who the Information Regulators will be and once they are appointed, that will be the last major hurdle for the Act to come into full effect. We are expecting this process to be finalised before the end of the year, and if we give some time for regulations to be drafted, we are expecting commencement early in 2017. Keep in mind that even after commencement there will be a one year grace period, so compliance will only be required mid-2018.
How is the Act going to affect online marketers (email and SMS marketers in particular) in terms of contact/address databases and how that information is obtained, utilised and managed?
POPI is going to put some restrictions on how marketers collect personal information, and particularly how they can send unsolicited marketing messages. The key sections for online marketers are s11, 12 and 69 of the Act.
Section 11 requires that you have the person’s (or "data subject", as POPI refers to them) consent before you process their personal information. Processing includes collecting their information, storing, sorting and sending marketing messages. However, s11 also has broad grounds to be exempt from this requirement, which the majority of digital marketers will qualify for. Even if you are exempt, s11 grants the data subject a right to ‘object’ to your processing, which essentially gives them an opt-out right that will prevent marketers from collecting their personal information and sending marketing messages to them.
Section 12 of the Act only applies when collecting personal information, but it requires that you collect the personal information directly from the data subject. Like s11, there are broad exemptions that will apply to most marketers so the requirement is less onerous that it sounds.
The big issue for online marketers, especially through the channels of SMS and email, is Section 69. S69 applies to all electronic communications used for direct marketing purposes. The big requirement that this section imposes is that one needs explicit consent from the data subject to market to them (or rather, they need to "opt-in" to your marketing). There is no exception to this requirement (unlike s11 and s12), unless you are marketing similar goods or services to your existing customers AND when you collected your customers’ personal information, you gave them the option to opt-out of the marketing messages. Essentially, this means that unsolicited direct marketing via electronic channels will become opt-in only.
Lastly the act imposes quite strict requirements on people holding personal information to keep it safe. This means that marketers will need to ensure their information and data security is up to scratch as they could face severe penalties if they are hacked or the information they hold is unlawfully made public.
Does the Act affect other types of marketing and, if so, how?
Any form of marketing that involves processing personal information in any form will be effected by POPI. It is likely that s11 and s12 will have the most direct influence on these activities, but by processing someone’s personal information, organisations will have to ensure that they comply with all of the requirements of the Act.
What kind of penalty will likely result from a marketer breaching the Act?
Non-compliance with the Act can result in both civil and criminal charges being laid against the marketer. The Act specifically allows for class action lawsuits, so if you haven't complied, you could expect every person on the mailing list or database to potentially bring a claim against you. From a criminal perspective, fines can go up to R10-million rand. In extreme cases, there is also the possibility of jail time of up to 10 years.
How is the Act likely to be enforced?
A new body called the Information Regulator is being setup that will monitor and ensure compliance. However, the Act also allows enforcement to be driven by complaints, so expect disgruntled data subjects to go directly to the courts or the regulator if they feel that you have been abusing their personal information in your marketing activities.
For more information, visit
www.michalsons.co.za. To view the POPI Act in its entirety, visit
www.justice.gov.za.