If recent media reports are anything to go by, the subject of POPI is again in the limelight, with reports indicating that the full Act will come into effect by the end of the year.
As a recap, limited sections of the POPI Act came into effect last year, providing for a one-year grace period for businesses to become compliant. It is the announcement of the commencement date for this one-year grace period which is now expected.
Simply put, once the full act comes into effect the onus will be put on companies and individuals to respect and protect the personal information they process in the course of routine business, including personal information of customers, prospective customers, employees, and suppliers. It is not limited to people but also applies to information about organisations, including communities and corporate entities.
Get ready for POPI
The train of thought regarding what exactly the full implementation of POPI will mean, seems to differ far and wide between economists, business owners and marketers.
One distinct camp believes that there is definite potential for opportunity, while the other side believes that more harm than good will come from it.
The one thing that is not disputed is, however, that POPI will most definitely have a vast impact on marketers. In a piece written by Johanna McDowell, MD of the Independent Agency Search and Selection Company (IAS), she points out that marketers are going to have to be certain that their data is well-secured. This, she says, will apply whether marketers looks after their own data or if their agencies are entrusted with this, and might require much more investment by marketers and agencies in IT firewalls and storage software.
Security procedures must be in place for passwords and individuals who have access to any system where the data is stored. These security measures must extend to all internal processes to ensure compliance when personal information is handled outside of the system.
POPI also requires that records be kept of what is done with the personal information. This will include all processing such as when the contact was imported or subscribed, when you sent the contact emails or SMSes, or when they unsubscribed.
POPI and digital marketing
Looking more specifically now at digital marketing, POPI is expected to have a huge impact. Making use of email and SMS as marketing tools has provided marketers with far reaching methods of communicating with their client base.
Once POPI becomes fully effective, companies will be required to process the personal information gathered according to the conditions set out by the act and at the same time protect that information. However, as Bizcommunity.com aptly points out, POPI does not aim to stop the free flow of information; it recognises that there is a need for balance.
POPI does not restrict the collection of people’s personal information but it does stipulate strong guidelines for how that information can be used. If reasonably practicable, companies should make a person aware that their personal information is being collected and why. Companies collecting information should have a privacy statement, notice or policy that is easy to read and accessible. It should be in clear language and should state whether the information will be passed on to third parties.
POPI also requires marketers to offer people a way to opt out of their communications and up to date subscription lists and bulk communication tools can assist with this.
Is the CPA and POPI in conflict with one another?
As both the POPI Act and the Consumer Protection Act (CPA) apply to direct marketing, some confusion seems to linger as to the rules prescribed in each case, as they are slightly different.
Ramsay Webber explains as follows: The CPA – which governs the National Consumer Commission (NCC) – requires an opt-out facility, meaning a marketing document may be sent to someone who didn’t request it, providing they are able to ‘opt-out’ from any further correspondence from that entity. POPI – once implemented – will require marketers to get permission from recipients prior to engaging in direct marketing activities. The Bill does not prohibit direct marketing, but regulates the way in which it is undertaken, to ensure privacy and rights of consumers are protected.
Gareth Cremen of Ramsay Webber says: “It would be difficult to determine when clarification on this issue will be handed down by the DoJ. In the meantime, organisations engaged in direct marketing should make themselves familiar with both POPI and the CPA and the laws that will govern their marketing activities.”
Elizabeth de Stadler of Novation Consulting agrees, saying that if the CPA applies, a business can conduct direct marketing until the consumer opts out. POPI, on the other hand, introduces what is referred to as an opt-in system. This means that a business is not allowed to conduct direct marketing unless prior consent is obtained. The business may contact a new customer once to obtain this consent.
De Stadler adds that the strange thing is that the section in POPI which regulates direct marketing only applies to electronic communications. This is considerably narrower than the definition of direct marketing. By contrast, the CPA applies to all types of direct marketing.
“When POPI does not apply, the CPA applies. When they both apply, the act which gives the most protection to the consumer applies (this is not always easy to determine and will depend on the situation). This means that the definition of electronic communications is key in establishing which set of rules will apply. If it is an electronic communication both acts could potentially apply. If it is not an electronic communication only the CPA will apply,” says De Stadler.
Did you know?
• POPI could have dire consequences for any party being convicted of an offence in terms of the Act. A maximum period of imprisonment of 10 years, or an undisclosed maximum fine (each fine to be determined by the relevant court on a case-by-case basis) can be levied. Furthermore, the Regulator may institute administrative fines up to an amount of R10 million.
• POPI requires that eight conditions be complied with for the lawful processing of a data subject’s personal information, namely: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.
• POPI also provides for civil remedies, where the court may award an amount that in its discretion is just and equitable.
• POPI affects all areas in organisations where personal information is processed and places specific obligations and duties on organisations.
• In the UK, the Data Protection Act was passed in 1998, but compliance took more than a decade.
For more on the POPI Act download Guide to Navigating POPI, produced by Everlytic