The Protection of Personal Information Act (POPIA) is designed to safeguard personal data and regulate how companies collect, store, and use this information. One of the fundamental principles of POPIA is that personal information should be processed in a lawful and reasonable manner that does not infringe on the privacy of the individual.
Companies frequently collect personal information, such as email addresses and phone numbers, for legitimate purposes. For example, when booking a flight, an airline requires your contact details to send you a boarding pass or update you regarding your flight status. Likewise, an insurance company may require your email address to confirm monthly payments and communicate important policy updates.
Issues arise when companies extend the use of these contact details beyond their original purpose. For example, receiving unsolicited advertisements for additional services, customer satisfaction surveys, or promotional content can feel intrusive, specifically when there is no option to unsubscribe. This practice raises concerns about the boundaries of legitimate use and the rights of individuals under POPIA.
Section 69 of POPIA deals with “direct marketing by means of unsolicited electronic communication” in this regard, POPIA mandates that companies must obtain explicit consent from individuals before processing their personal information for purposes other than what was originally intended.
This includes sending marketing messages or promotional content. The act also emphasizes the right of individuals to object to the processing of their personal information and to withdraw consent at any time.
In the context of unsolicited communications: Section 69(3) of POPIA further directs that companies must provide a clear and easy way to unsubscribe from marketing messages.
Additionally, POPIA prescribes that individuals should be informed about how their data will be used at the point of collection and the use of personal data must align with the purposes for which it was collected unless further consent is obtained.
Accordingly, in terms of POPIA a company marketing a product should allow for a clear opting-out option within their marketing material or initial communication dispatched.
Consider the scenario of an airline requiring your contact details to book a ticket. While it is reasonable for the airline to send you necessary travel information, sending multiple marketing messages without an option to unsubscribe may be considered a breach of POPIA. The lack of an unsubscribe option denies individuals their right to control their personal information, which is a primary principle of the act.
Correspondingly, an insurance company sending monthly payment confirmations along with promotional content without an opt-out mechanism can also be seen as non-compliant with POPIA. Companies must respect the consent parameters set by individuals and provide options to manage their communication preferences.
While some instances of unsolicited communication might fall under poor business practices, they can also constitute violations of POPIA if they involve unauthorized use of personal data. In this regard, Section 68 of POPIA deals with the “effect of failure to comply with code of conduct.” Accordingly, if you fail to comply with Section 69 of POPIA you may be liable for financial penalties, criminal penalties, administrative penalties, reputable damages and legal action.
In addition, it must be noted that, compliance with POPIA is an ongoing process, and organizations must continually monitor and update their practices to ensure adherence with same. In this regard, companies must balance their marketing strategies with compliance requirements to avoid infringing on individuals' privacy rights.
In conclusion, while companies in South Africa can collect and use personal information for legitimate purposes, they must adhere to the principles of POPIA when extending the use of this data. Individuals have the right to be informed about how their data will be used and to opt out of unsolicited communications.
Companies that fail to provide these options risk damaging their reputation and may face penalties in terms of POPIA. It is thus essential for companies to respect personal data and ensure transparent and lawful processing practices.
Click here to cancel reply
Nickname (*)
Email (*)
Website (Blog)
Remember my details Notify me of followup comments via e-mail
Get the latest updates in your email box automatically.
Your nickname:
Email address:
Subscribe