What is POPIA?
POPIA stands for the Protection of Personal Information Act, which protects the personal information of identifiable individuals and organisations. Personal information includes but is not limited to:
- Name and surname.
- Race and gender.
- Contact information.
- Financial information.
- Medical information.
- Employment and criminal history.
Companies are required by law to comply with the POPI Act from 1 July 2021.
What is Direct Marketing?
The Consumer Protection Act defines direct marketing as the “means to approach a person, either in person or by electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the person; or requesting the person to make a donation of any kind for any reason.”
In Section 69 of the POPI Act, direct marketing includes “any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”.
From the above definitions, we can conclude that social media posts and newsletters are seen as direct marketing, and that users need to give you, as a company, permission to target them directly on social media and to send them your newsletters, respectively.
For example, if users go to your website to subscribe to your newsletter, they have given consent to receive newsletters from you. However, if you download this database to target subscribers directly on Facebook, you might be in breach of the POPI Act. You are only allowed to use their information for the purpose it was collected for. So, if you collected users’ data to send them newsletters, you are only allowed to use their data for this purpose.
This also means that if you target unknown users in a defined area such as Cape Town, you don’t have their personal information, so you will not be in breach of the POPI Act.
Therefore, if your promotional content is sent to identifiable users, the Information Regulator might view it as Direct Marketing. Your users need to give you consent for each Direct Marketing Channel.
What is Consent?
From the various resources we have read, we can summarise that “consent” needs to be:
- Specific about what users can expect, the products you will promote and the channels you will use;
- An opt-in mechanism, such as a tick-box that is clearly visible and easy to tick and untick. The users must be able to give you explicit consent for you to contact them;
- Voluntary and may not be hidden in your terms and conditions, and it may not be a prerequisite for them to use your products or services;
- An expression of will where their consent is given “through a clear, unambiguous, affirmative act. The use of pre-ticked opt-in boxes, or double negatives are not allowed.” (Everlytic);
- Informative so that the user knows what personal information you will be gathering, what you will use it for, and who you will share it with (such as third parties);
- Written in clear, understandable language that is not open for misinterpretation;
- Flexible so that users can update their preferences and/or unsubscribe;
- Transparent so that you will be able to give users access to the data you have collected on them.
Rule of thumb: the user should not be surprised to hear from you.
How does G2 keep your users’ data safe?
For our clients, we give extra attention to ensure that their newsletter subscription forms sync with a central, secure database. Users can subscribe to your newsletter at events, in restaurants or via your website. Their information is sent directly to a central database with minimal human interference. This is to ensure that their personal information is stored and managed securely.
Users can easily update their preferences, update their details and unsubscribe completely.
If you need help in securing your customers’ data when they subscribe to your newsletter, feel free to reach out to us at firstname.lastname@example.org
Disclaimer: This article should by no means be regarded as legal advice. Please contact your attorney.