The importance of POPI to IDM

The Protection of Personal Information Act (POPI) – which was signed into law by the President on 19 November and published in the Government Gazette on 26 November – distinguishes itself by being the lengthiest piece of legislation (at 115 Sections) and about the longest ever to sit before the legislative process (first drafted in early 2008 and only signed at the end of 2013). It is also of great importance to interactive and direct marketing, and how it is implemented will greatly affect how interactive and direct marketing develops in SA in the future.

The POPI is distinguished by being principle-based. There are eight principles enshrined in the law, most of which have exceptions and exemptions. This makes it a complex and somewhat obscure law to follow.

The law is designed with three important areas of guidance which must be used when interpreting it. First, a Regulator will be set up and that body will act as the enforcer/interpreter of the law. Second, the Regulator must agree Codes of Practice with the relevant sectors (remember, interactive and direct marketing is only one of the sectors affected). Third and finally, the Regulator and the courts will be guided by international experiences of data privacy, and in particular the European Union’s data protection law on which it is based.

An example of the Consent principle

The POPI starts in Section 11 by saying that consent is the principle; however, it then lists six exemptions to that principle, two of which relate to interactive and direct marketing. First, direct marketing may be processed without consent in the process of a contract. Second, it may be processed without consent if ‘processing is necessary for the legitimate interests of the [data processor], or of a third party to whom the information is supplied’ (11.1f).

As interactive and direct marketing is considered to be a ‘legitimate interest’ (see Section 4.5), this means in effect that creating and using a database for marketing purposes does not require consent. As with the CPA, an opt-out system must always be provided (even in the case of an opt-in).

However, we also have an exception to this – specifically in the case of electronic communications, which are defined as sms, e-mail, fax and automated calling units, consent is required (see Section 69). But a marketer can use electronic communications once to ask for consent; and if the person’s data have been collected ‘in the process of a sale’, then that person is considered to have opted in (an opt-out solution always needs to be offered). Consent also must be given if sensitive data is collected.

Is Consent the most important issue facing the IDM industry?

The issue of Consent always comes up as the most important facing our industry. However, I take issue with that. In my view, the most controversial elements of this law will be the information that marketers have given when collecting data; and the rule on profiling (automated decision-making).

The rules on what information the consumer must be given are very precise – the name and address of the collector/processor; the purpose(s) for the data (is it marketing/CRM/market research? etc); must the consumer provide the data and the consequences of the failure to provide that data (for example, if you do not give us your name, etc, we will not be able to provide you with after-sales service); the name of the recipients to whom data may be sent (for example, a list broker); the right to access and rectify information; and the right to complain to the Regulator. These are onerous requirements, particularly when data may be collected, for example, by sms. Obviously, no-one could provide all that information by sms, therefore this is a good example of where a sector Code of Practice is essential.

The rules on Profiling are also onerous, but the law precisely requires sector Codes of Conduct which are agreed by the Regulator.

The implementation date of POPI is still undecided

The POPI will not be implemented until the Regulator is set up – this may be sooner or later – and looking at the law (available on the DMASA website www.dmasa.org), one can see why the POPI could not be implemented without a Regulator.

For further information on marketing and the law, contact us at info@dmasa.org.

By Alastair Tempest, COO of the DMASA