POPIA Q&A: Third-Party Consent for Direct Marketing

In 2020, Everlytic and Elizabeth from Novation Consulting hosted a POPIA Webinar Series to unpack the legalities of the POPIA legislation that will be enforceable in South Africa from 1 July 2021. In this POPIA Q&A blog series, we share some of the questions we received during the three webinars and the answers Elizabeth provided. This blog covers the questions we received on third-party consent for direct marketing.

POPIA Q&A: Third-Party Consent for Direct Marketing | Direct Marketing | Everlytic | Third-Party Consent

Third-party consent in Europe requires that you mention the third party by name – you can’t just say ‘other companies’. The specifics will be determined once the legislation is being enforced.

It depends. According to the Consumer Protection Act, you may not incentivise people to share other people’s information with you by offering them a reward if you end up selling to them.

For POPIA, you need to ensure that their friends have given them permission to share their information. This is hard to prove. If you want to, do it like Uber, where a contact shares a unique code with their friends. Then, when a friend signs up, they use the code, and the referrer is rewarded. This way, you don’t run the risk of having information you’re not permitted to have, and the new contact actively opts in, ensuring compliance.

Section 18 refers to privacy notices, and yes, it stipulates sharing the category of third parties. However, according to the European Regulators, which is where South Africa is probably going, in the case of getting consent on behalf of someone else for the purpose of marketing, the third party must be mentioned by name.

Section 18 is more for general purposes. But for marketing, you’ll need to get their permission to share, in which case the consent must mention the company by name.

Are these brands separate legal entities, or is it one legal entity that has a license to sell various brands? If it’s the latter, you can cross-sell. If you’re separate entities, it depends on what you told the contact when they consented to your communications. Did you tell them that they’d receive marketing from all entities in the holding company?

Use the rule of thumb: Will this person be surprised to receive this marketing? If no, go ahead, but make sure that you have a clear unsubscribe process.

If it’s something that you must do to fulfil the contract that the customer has with you (e.g.: buying something on Takealot and getting a third party to deliver it), you don’t need permission because they asked you to do this.

There must, however, be a written contract between you and that third-party that includes provisions for POPIA, ensuring that the third party:

  • Doesn’t share the information with anyone
  • Uses it only for the purpose that you gave it to them
  • Keeps it secure and confidential
  • Lets you know if there’s any breach on the data

You just need to be able to prove that you asked them for consent – it doesn’t really matter which channel you get the consent on. They must, however, be able to unsubscribe via the channel that they’re receiving your communications on.

For more guidance, watch our POPIA webinars, listen to our POPIA podcasts, read our POPIA guide, or chat to a POPIA expert, like Elizabeth de Stadler from Novation Consulting.

By |May 11th, 2021|
This site uses cookies. Find out more. Okay, thanks