South Africa Tightens the Reins on Telemarketing with POPIA Regulations

The Information Regulator of South Africa is strengthening its grip on unsolicited electronic communications, commonly known as spam calls, by enforcing the provisions of the Protection of Personal Information Act (POPIA). Direct marketing entities that inundate consumers with unwanted phone calls could now face penalties up to R10 million or even jail time after a thorough investigation and the issuance of enforcement notices.

This new regulatory approach considers telemarketing as a form of electronic communication which falls under the jurisdiction of POPIA, aimed at upholding consumers’ rights to privacy. The Acting Chairperson of the Information Regulator, Adv. Pansy Tlakula, asserts that these marketing communications must become compliant or else face legal consequences. This directive will likely be contested by direct marketing companies as they adapt to these stringent regulations and may result in potential legal challenges.

In a recent declaration, the Information Regulator informed that their first enforcement notice will be issued imminently, following a detailed investigation into complaints regarding direct marketing practices. This step comes after the Regulator had identified not only one but also 14 other organizations potentially failing to comply with POPIA's requirements related to direct marketing.

Tlakula highlighted the persistence of some direct marketing firms in making unsolicited calls even after consumers have expressly declined to engage, which not only violates the consumers’ privacy rights but also amounts to SPAM. The Regulator has completed a guidance note aimed at clarifying the rules related to direct marketing and is expected to release it for public review and consultation shortly.

The POPIA directive comes at a time when accountability for data management and protection is under the spotlight in South Africa. The Department of Justice and Constitutional Development (DoJ&CD) is also in hot water, having been slapped with a R5-million infringement notice for a security lapse that led to a September 2021 ransomware attack. The Regulator deemed the department negligent, as the DoJ&CD failed to renew security software licenses, which might have prevented the incident. Despite this enforcement action, the DoJ&CD has expressed its intention to appeal the decision in the court.

What does this mean for South African consumers? There should be a notable decline in unsolicited marketing communications as the Information Regulator’s enforcement of POPIA begins to take effect. This legal framework aims to protect the personal information of individuals, ensuring respect and consent in marketing approaches, and establishes a precedent for corporate accountability in data management.