Information Regulator’s first enforcement notice: Direct marketing complaint

28 Feb 2024
by Era Gunning and Priyanka Naidoo

The Information Regulator issued its first Enforcement Notice as a result of a direct marketing complaint on 27 February 2024. The Information Regulator found that FT Rams Consulting had sent unsolicited direct marketing communications to the data subject in relation to emails on courses and webinars which it offered, in contravention of the Protection of Personal Information Act, 2013 (“POPIA”).

Key findings in the Enforcement Notice:

  • FT Rams Consulting sent direct marketing communications to the data subject without obtaining their written consent. The Information Regulator found that the first message which FT Rams Consulting was supposed to send to the data subject was one in which it requested the data subject’s consent. If the data subject consented to receiving direct marketing messages, they also had to indicate the preferred means of communication which FT Rams Consulting could use to send direct marketing messages to them. FT Rams Consulting was supposed to use the prescribed form (this would be Form 4 of the POPIA Regulations) to obtain the data subject’s written consent.
  • FT Rams Consulting did not action the data subject’s requests to opt out the direct marketing communications.

As a result of this contravention, the Information Regulator has ordered FT Rams Consulting to adhere to the following, among other things:

  • To immediately cease sending unsolicited direct marketing messages by means of any electronic communication, including telephone, fax, SMS, email or automated calling machine, to any data subject who has not consented, including the complainant data subject.
  • To ensure that the first communication sent to data subjects is one in which they request the data subject’s consent and must approach such data subjects only once in order to obtain consent.
  • FT Rams Consulting must use the form prescribed by the Information Regulator the use of which is compulsory.
  • Furthermore, they must also ensure that they only send such a message to a data subject who had not previously withheld his or her consent.
  • FT Rams Consulting has also been ordered to compile and maintain a database of all data subjects who had previously withheld or did not consent to receive unsolicited direct marketing messages and submit a design of such a database to the Regulator.

The Information Regulator has given FT Rams Consulting 90 days to adhere to the above directions, failing which it may face the consequences for non-compliance with POPIA including a fine of up to ZAR10 million and/or imprisonment.

The Information Regulator has also said that it will be publishing a guideline on direct marketing communications.

Our views

The Information Regulator’s enforcement of a direct marketing complaint demonstrates that the Information Regulator takes its mandate under POPIA and the protection of data subjects’ personal information seriously.

We do however have some reservations with the Information Regulator’s rigid approach requiring  Form 4 to be used by responsible parties when requesting consent from a data subject to send direct marketing communications. The POPIA regulations make it clear that a form substantially similar to Form 4 would suffice.  In addition, the Information Regulator seems to disregard the fact that direct marketing by electronic means can be sent to customers without their consent. This may present a practical hurdle to many companies.

We are also concerned that the Enforcement Notice prohibits FT Rams Consulting from sending unsolicited direct marketing messages by means of telephone to any data subject who has not consented. Section 69 of POPIA regulates direct marketing sent over electronic communication only. POPIA defines electronic communications as “any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient”. By definition, this excludes communications over the telephone as marketing messages cannot be stored in the network or in the recipient’s terminal equipment.

We await the Information Regulator’s guidelines on direct marketing which we hope sheds further light on these issues.

Era Gunning
Executive | Banking and Finance

Priyanka Naidoo
Senior Associate | Technology, Media and Telecommunications