Meet your CPD requirements effortlessly with our quick Express CPD activities before the cycle ends on 31 May 2024. Learn more.

Media Articles

Direct marketing and POPIA – What you need to know

Posted on 25 Apr 2024

Earlier this year, the Information Regulator issued its first enforcement notice concerning a direct marketing complaint, spotlighting compliance issues of these practices with the Protection of Personal Information Act (POPIA). Here is how you can stay on the right side of the law if you conduct direct marketing.

Background on the enforcement notice

In February, the Information Regulator issued a noteworthy enforcement notice against the training institution FT Rams Consulting following a complaint regarding the company’s direct marketing practices.

The complaint was filed by an individual – or “data subject” – who, after multiple attempts to opt out and requests to be removed from the company’s emailing list, continued to receive countless direct marketing messages from them.

After investigating the complaint, the Information Regulator found that the training institution interfered with the protection of personal information of the data subject, thus breaching the conditions for the lawful processing of personal information.

Moreover, it was also found to be in contravention of Sections 69(1) and (2) for sending unsolicited electronic communications through emails pertaining to the courses and webinars which it offered, without first obtaining consent.

FT Rams Consulting was ordered to implement the remedial actions mentioned in the enforcement notice within 90 days. Failure to adhere to an enforcement notice is a contravention of the law, and upon conviction, it can result in a fine of up to R10 million or imprisonment for a period not exceeding ten years (or both).

What constitutes electronic communication in POPIA?

Section 69 of POPIA regulates direct marketing by means of unsolicited electronic communications but what exactly falls under the definition of “electronic communications”?

Section 1 of POPIA defines electronic communication as any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.

Section 69(1) further specifically mentions automatic calling machines, facsimile (fax) machines, SMSs or email. Section 69(5) defines an automatic calling machine as a machine that can make automated calls without human intervention.

There is a grey area in the law when it comes to telephone calls where there is human intervention – for example, a call centre agent who persistently calls, trying to sell you something. There are conflicting views about whether telemarketing is allowed or prohibited under POPIA because telephone calls are received instantly and is not stored in the network (as is required by the definition of electronic communication). Thus, it would appear that telephone calls don’t meet the definition of electronic communications for the purposes of POPIA.

However, you can argue that other provisions of POPIA, such as consent, justification and objection for the lawful processing of personal information, still apply to telemarketing.

Interestingly, the Information Regulator covered telephone use in the enforcement notice against FT Rams Consulting. It ordered the company to, amongst other things, immediately stop sending unsolicited direct marketing messages by any means to any data subject whose consent is required and who has not consented to receiving such messages. In this case, any form of electronic communication included email, SMS, fax machine, automatic calling machine or telephone.

The Information Regulator has taken notice of the public’s frustration with the surge in direct marketing calls and messages. Addressing this concern, Information Regulator Chairperson Advocate Pansy Tlakula stated: “Our leniency regarding direct marketing through unsolicited electronic communications is going to be a thing of the past because responsible parties [public or private bodies] ignore the provisions of Section 69 of POPIA and infringe on the rights of data subjects. In response to this, we are also putting together a guidance note which will clearly spell out the dos and don’ts of processing personal information for the purposes of direct marketing by means of unsolicited electronic communication.”

A draft guidance note on direct marketing is expected to be issued soon and will be open for public consultation before the final version is published.

What can direct marketers do to remain compliant with POPIA?

If you conduct direct marketing practices, here is what you need to do:

  • Obtain consent: Ensure you obtain the necessary consent from individuals before engaging in direct marketing activities. This consent should be requested in a clear and transparent manner during the initial contact and should only be sought once. Additionally, you need to ask the data subject what their preferred method of communication is and respect their choice. Don’t contact someone who had previously withheld consent. (Note that direct marketing by electronic communications can be sent to individuals that are your customers without their consent, provided that certain conditions are met.)
  • Use the correct forms: When getting consent, use the prescribed paperwork. The POPIA Regulations specifies Form 4 for obtaining written consent for the purpose of direct marketing by electronic communication. Alternatively, the Regulations permit any form that is substantially similar to Form 4.
  • Keep a database: It is advisable to maintain a record of all data subjects who have given their consent to receive direct marketing messages, as well as of those that withheld consent. Keeping and using a database is necessary and can help prevent the business from contacting individuals who have withheld consent or who, having initially provided consent, later opted out or withdrew their consent.
  • Implement a compliance framework: Get a compliance framework in place in terms of Regulation 4(1)(a) of POPIA. The framework can include policies, procedures and controls for ensuring POPIA compliance specific to direct marketing in your business. For example, what information must be contained in your direct marketing communication as prescribed by Section 69(4) of POPIA.
  • Train your team: Make sure your staff understands POPIA and keep a record of all training activities. The training should cover direct marketing as set out in Sections 69 and 11(3) and (4) of POPIA.

Navigating regulatory complexity?

The recent enforcement notice by the Information Regulator serves as a stark reminder for direct marketers and other businesses to prioritise POPIA compliance.

Despite grey areas in the law regarding direct calls by human telemarketers, the enforcement notice indicates that the Regulator expects businesses to respect individuals’ privacy rights and ensure the lawful processing of personal information.

For any business, having an effective POPIA compliance framework in place, along with sufficient staff training, is crucial. By prioritising transparency, consent and adherence to regulatory frameworks, direct marketers can navigate complexities while effectively safeguarding individuals’ privacy rights.

By Masthead Compliance Manager, Shanal Boordiram.


A national supplier of risk management services to independent financial advisors and other licensed financial service providers (FSPs). Established in 2004, we help our clients overcome their risk management challenges so they can grow and thrive in an increasingly regulated industry. Providing professional guidance and practical support, our team of specialists is passionately committed to delivering tangible solutions.

Why Masthead?



021 686 3588


  Show Email


Masthead is a level 1 B-BBEE contributor.

Read more and view certificate