The long-awaited Protection of Personal Information Act (POPIA) regulations were published last year in September. They don’t say much, but what they do say spells more than just sleepless nights for direct marketers. If accepted as is, these regulations have the potential to send direct marketing in SA back to the stone age.
WE HAD AN OPPORTUNITY TO MAKE SUBMISSIONS TO THE INFORMATION REGULATOR, AND THIS IS WHAT WE SAID.
DIRECT MARKETING PLAYS A PIVOTAL ROLE IN CONSUMER PROTECTION AND IN THE ECONOMY
1. Direct marketing has a bad reputation due to its association with so-called ‘spam’. However, the assumption that direct marketing has no place in commerce or that it is universally undesirable for consumers to receive, is flawed. Our central submission is one of principle.
Because of the evolution in digital marketing and advanced analytics, direct marketing is increasingly used to ensure that consumers are able to access goods and services that are suited to their particular needs. Direct marketing, and particularly personalised direct marketing, provides an element of advice and therefore plays an important role in consumer decision-making by giving consumers access to information about an appropriate selection of goods and services.
The information about products is made all the more accessible as it is delivered to consumers’ inboxes and devices. The ability to make informed choices and to ensure access to goods and services is central to consumer protection.
This is not to say that consumers should not have a say in whether they want to receive direct marketing. However, their decision must be an informed one.
THE DIRECT MARKETING PROVISIONS IN THE POPIA:
OPT IN OR OPT OUT
2. Section 69 of the POPIA requires that a business obtains consent if it wants to do direct marketing and that the business can contact the consumer once to obtain such consent. It is not necessary for purposes of these submissions to go into the definition of direct marketing. Suffice it to state that section 69(1) provides that it only applies to ‘electronic’ direct marketing.
We have encountered arguments that section 69 of the POPIA also applies to other forms of direct marketing. These arguments hinge on the fact that the definition of ‘direct marketing’ in the POPIA refers to other means of communication. Our counter-argument is that the rest of the POPIA applies to any form of direct marketing, but that section 69 expressly does not.
The definition of consent, on the other hand, is critical. It is defined as ‘any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information’. The question is whether the consent must be opt in (where the default is that a consumer will not get marketing unless they consent by means of opting in) or opt out (where the default is that a consumer will receive marketing until they opt out)?
Competing interests
Most important for these purposes, the consent must be an expression of will. This requirement influences whether the consent must be obtained in the form of an opt in or an opt out. Whatever the case, the bottom line is that consumers must know what they are consenting to. However, the Information Regulator has to guard against overregulation as it is acknowledged internationally that direct marketing is a legitimate interest of businesses.
In this regard, the United Kingdom’s Information Commissioner’s Office can be of some assistance because they have a similar definition of consent:
- According to the ICO’s Direct Marketing Guidance4 one of the key principles for valid consent is that there must be ‘an indication signifying agreement’, i.e. ‘a positive expression of choice’. According to the ICO ‘[i]t does not necessarily have to be a proactive declaration of consent – for example, consent might sometimes be given by submitting an online form, if there was a clear and prominent statement that this would be taken as agreement and there was the option to opt out’.5 They are of the view that, ‘organisations cannot assume consent from a failure to opt out unless this is part of a positive step such as signing up for a service or completing a transaction’. A non-response to an email is not a positive indication of agreement. It must still involve a positive action indicating agreement (such as clicking on a button, or subscribing to a service).6 A very clear statement explaining that the ‘action’ involved will be interpreted as consent, must be made and the consumer must still have a choice as to whether they want to consent or not. The bottom line is that consumers must know what they consent to.
- The ICO has provided the following useful guidance on the use of opt-in and opt-out boxes:
- The safest way to demonstrate consent is to require a positive choice through an unticked opt-in box.
- It is best practice to allow for an opt-in box for each type of communication.
- Here is an example of good practice: ‘Tick if you would like to receive information about our products and any special offers by post / by email / by telephone / by text message / by recorded call’
- A pre-ticked opt-in box assumes consent and is therefore more like an opt-out. According to the ICO ‘[a] pre-ticked box will not automatically be enough to demonstrate consent, as it will be harder to show that the presence of the tick represents a positive, informed choice by the user.’
- An opt-out box may be appropriate if it is ‘part of a wider mechanism of indicating consent’. This will be the case if the consumer must take a positive (affirmative) action to submit a form wherein it is made clear that when you submit the form, you will automatically receive marketing unless you want to opt out.
Here is an example of such a message: ‘By submitting this registration form, you indicate your consent to receive email marketing messages from us. If you do not want to receive such messages, tick here: ’
The conclusion? It is clear that the use of opt-out mechanisms is not rejected outright by the ICO. This is significant given that the legislative provisions in question are close to those found in the POPIA. Australia also appears to allow for an opt-out approach to marketing consent. See paragraph 3 below for a comparison between the POPIA and other jurisdictions.
DIRECT MARKETING IN THE REST OF THE WORLD
3. Important: The current approach will negatively affect South African businesses’ capability to compete in the global marketplace.
The marketplace is increasingly global. It is of vital importance that the South African approach to direct marketing should be in keeping with the rest of the world. If it is not aligned, South African marketers will not be able to compete with businesses based in other countries that are not subject to the same requirements. In other words, foreign businesses will be able to market more efficiently. In addition, there is an entire industry of marketing agencies and wireless application services providers who will not be able to attract foreign business if the regulations are too strict.
The preamble to the POPIA acknowledges that the POPIA and its regulations must be ‘in harmony with international standards’. This is repeated in section 2 of the Act which states that harmonisation with international standards is one of the purposes of the Act.8 In our opinion, this means that the Information Regulator ought to undertake a comparative study when making regulations.
Neither Regulation 6 nor Form 4 of the POPIA in their current formats are in harmony with international standards. The POPIA requires that the Information Regulator must undertake a comparative study when making regulations. This study should be made public and where the Information Regulator wishes to depart from the regulations, it should be justified.
We undertook a limited comparative study into the consent required for direct marketing in other parts of the world. Out of four countries reviewed, only two required that consumers must opt in to receive direct marketing. However, none of them required that consent must be provided in a particular form.
A. The United Kingdom
Privacy and Electronic Communications (EC Directive) Regulations, 2003 (PECR) and the Data Protection Act, 1998 (DPA).
Type of consent required to send direct marketing:
Businesses will generally need the consumer’s consent before they can send marketing emails.
To be valid, consent must be knowingly and freely given, clear, and specific. The clearest way of obtaining consent is to invite the consumer to tick an opt-in box to confirm that they wish to receive marketing messages via specific channels.
Businesses can also obtain consent when a consumer clearly and knowingly indicates his or her agreement by clicking an icon, sending an email, subscribing to a service, or providing oral confirmation.
An opt-out box may be used if the consumer must take a positive action to submit a form (e.g. click a button), and the business provides a clear and prominent message along the following lines, ‘By submitting this registration form, you indicate your consent to receiving email marketing messages from us. If you do not want to receive such messages, tick here: ’
The fact that a suitably prominent opt-out box was not ticked might help to establish that clicking the button was a positive indication of consent.
B. European Union
The General Data Protection Regulation 2016/679 (GDPR) entered into force on 24 May 2016 and will apply from 25 May 2018. It repeals the Data Protection Directive 95/46/EC.
Type of consent required to send marketing messages
The GDPR does not specifically require consent for direct marketing when such marketing is a legitimate interest of the business. If direct marketing can reasonably be expected by a data subject in a particular case, consent is not required. However, it is clear that there is some uncertainty regarding the interpretation of the GDPR in the context of direct marketing.
Let’s assume that consent is required. Consent in terms of the GDPR means ‘any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
Businesses will not be able to rely on silence or opt-outs, and instead an active process such as to tick a box will have to be put in place – according to the GDPR ‘[s]ilence, pre-ticked boxes or inactivity should not therefore constitute consent … If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.’ A request for consent must be presented in an intelligible and easily accessible form, using clear and plain language.
Businesses must also be able to demonstrate that consent has actually been given by individuals to the processing of their personal data.
C. United States
CAN-SPAM Act, 2003
Type of consent required to send commercial (marketing) messages
Consent is not required.
D. Australia
Spam Act, 2003
Type of consent required to send marketing messages
Businesses must have consent to send marketing messages to customers in Australia. The Spam Act provides for two types of consent, express consent and inferred or implied consent.
Express consent means a deliberate and intentional opt-in to receive electronic messages, for example ticking a box next to a statement that seeks permission to send marketing messages. Pre-ticked boxes are not an acceptable way to gain consent.
Inferred consent relies on the existing business or other relationship where there is a reasonable expectation of receiving marketing messages.
DIRECT MARKETING AND OTHER CONSUMER PROTECTION LEGISLATION
4. The POPIA is not the only legislation that addresses direct marketing. The Consumer Protection Act 68 of 2008 (the CPA) also regulates, and will continue to regulate, direct marketing. In enacting the CPA, the legislature demonstrated an understanding that a sustainable and profitable digital industry also advances consumer protection. In its preamble it states that:
‘The people of South Africa recognise … that recent and emerging technological changes, trading methods, patterns and agreements have brought, and will continue to bring, new benefits, opportunities and challenges to the market for consumer goods and services within South Africa; and [t]hat it is desirable to promote an economic environment that supports and strengthens a culture of consumer rights and responsibilities, business innovation and enhanced performance[.]’
The legislature also recognised that consumer protection should ‘promote and protect the economic interests of consumers’, and ‘improve access to, and the quality of, information that is necessary so that consumers are able to make informed choices according to their individual wishes and needs’.
The CPA recognises the right to privacy and specifically, the ‘right to restrict unwanted direct marketing’.9 It does so by providing that consumers must always be able to unsubscribe from direct marketing. Put differently, the CPA provides that direct marketing is permissible unless the consumer has opted out. However, the approach proposed by the Information Regulator represents a pronounced departure from the provisions of the CPA. Yet it is worth noting that the POPIA did not repeal these sections of the CPA.
It is unclear how the two pieces of legislation will operate simultaneously, but this is not the focus of our submission. In terms of section 2(9) of the CPA and section 3(2)(a) of the POPIA, both Acts must apply unless they are mutually inconsistent, in which case the Act that provides the most protection to the consumer will apply.
It could be argued that, in respect of electronic communication, the POPIA is stricter and should apply.10 Electronic communication includes automatic calling machines, facsimile machines, SMSs, and email.11
The definition of ‘electronic communication’ is ‘any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient’.12 This excludes telemarketing unless the marketer leaves a message.
This means that only the CPA will apply to telemarketing and post and that both the CPA and the POPIA will apply to electronic communication. It is arguable that the POPIA provides more protection than the CPA, but in any event, the lack of certainty in this regard will make it difficult for marketers to comply.
The National Credit Act 34 of 2005 similarly provides that consumers must be given the opportunity to ‘be excluded from any (i) telemarketing campaign that may be conducted by or on behalf of the credit provider … (iii) any mass distribution of email or SMS messages.’ This section has also not been repealed.
The Information Regulator, the National Consumer Commission, and the National Credit Regulator should come to an agreement regarding which regulator has jurisdiction over which type of direct marketing.
10) The POPIA provision on direct marketing only applies to electronic direct marketing (section 69(1)).
11) Section 69(1).
12) Section 1.
CONSUMERS REMAIN PROTECTED BY THE REST OF THE POPIA
5. Strict rules regarding consent to direct marketing are not the only way to protect consumers’ privacy. There are many other principles in the POPIA which will also protect consumers from overly intrusive direct marketing:
- The POPIA will severely restrict the ability of businesses to buy and sell personal information (i.e. the selling of leads).
- Businesses will be required to notify consumers of all processing activities including marketing and profiling activities.
- Consumers will be entitled to object to the processing activities and to unsubscribe.
- Consumers are entitled to know where the information has come from.
The significance of direct marketing consent must not be overstated. It is not the only weapon in the POPIA arsenal. Direct marketing can be regulated through the other principles of the POPIA while avoiding overregulation of otherwise compliant direct marketers.
SUBMISSIONS ON THE WORDING OF DRAFT REGULATION 6 OF THE POPIA
6. We wholeheartedly support the limitation of Regulation 6 to ‘unsolicited’ direct marketing, but we recommend that its implications are made explicit to avoid legal uncertainty. We do have reservations about whether the use of the term ‘unsolicited’ is uniformly understood. We would recommend the introduction of either a definition or a test for when communication is unsolicited. The dictionary definition of the term is unasked for or unrequested.13 We are of the view that the term means that Form 4 of the POPIA does not have to be completed if:
- the consumer signed up for, or subscribed to, direct marketing or communications that may be construed as, or contain, direct marketing (e.g. newsletters), or
- the direct marketing is sent to a customer who signed up for it during the course of a transaction for goods or services in cases where the consumer approached the supplier of those goods and services.
We recommend the inclusion of some guidelines in Regulation 6 to determine whether direct marketing can be considered to be ‘solicited’. We also recommend that these guidelines be adopted to measure whether a particular consent is substantially similar to Form 4.
Some of our suggestions are:
- The subscription mechanism17 or request for consent must be in plain language. The definition of plain language in the CPA and the NCA is established and should be adopted.
- The subscription mechanism or request for consent must be an active opt in. Only unticked opt-in boxes or similar opt-in methods must be used.
- The consent to direct marketing must not be bundled with other terms and conditions and the subscription must not be a precondition of signing up to a service or purchasing a product. In other words, the consumer must be able to say no.
- The direct marketing consent must be informative. It must describe the type of communication the consumer can expect to receive (e.g. a newsletter or promotional mail), the communication channel (which should be technology neutral rather than limited to the currently available methods) that will be used, and the frequency of communication.
- The direct marketing consent must clearly state who the organisation and any third parties are that will send direct marketing based on the subscription or consent.
- Only the personal information needed to send the direct marketing must be requested. For instance, if the direct marketing will always be sent via email the responsible party should not ask for a telephone number too. If multiple channels will be used, the responsible party must decide whether it is able to allow one consent per channel (i.e. the consumer wants to receive email, but not SMSs) or whether it is an ‘all or nothing’ consent.
- If further information is requested for other purposes (e.g. for profiling the customer), those purposes must either be disclosed in the form itself, or the customer must be directed to a privacy notice.18
- The consumer must be informed of the right to unsubscribe and how to exercise it. It must be as easy to unsubscribe as it is to subscribe. A simple and effective consent withdrawal method must be in place.
- Whether the technology used by the responsible party is digital or manual, the responsible party must be able to keep records to demonstrate what the consumer consented to, what he or she was told, and when and how he or she consented.
Regulation 6 should contain guidelines for when direct marketing will be considered unsolicited and when a subscription action or consent will be considered substantially similar to Form 4. We have made specific recommendations based on international best practice.
SUBMISSIONS ON FORM 4
7. We have a number of concerns in relation to Form 4. Cumulatively, these concerns will put South African businesses at an enormous disadvantage as it is highly likely that most consumers will be so put off by the length and density of the form that they will never consent to direct marketing, even when they might otherwise have done so. In other words, the form will result in many unintentional opt outs. Our biggest concern is that the form also breaches the POPIA in that it collects personal information which is not justified by the purpose.
We believe that Form 4 should be revised for the following reasons:
- It is not technology neutral. It would appear as if the form was written with a manual process in mind, whereas the lion’s share of direct marketing is done via digital channels (and section 69 is specifically referring to ‘electronic communications’).
- It will lead to over-collection of personal information. For instance, this form is intended to be used for consent to electronic direct marketing, yet it asks for the address of the data subject. The principle of minimality in the POPIA dictates that a responsible party may only collect personal information that is relevant for the purpose for which it is collected.19
- The form is not in plain language. For the most part, it is a restatement of the legislation. This means that the majority of South Africans will not be able to understand it, which means that it does not meet the requirements in the definition of consent in section 1 of the POPIA as the consent will not be ‘informed’.
- The form is too long. The definitions of ‘processing’ and ‘personal information’ are not relevant for the purpose which they are intended to fulfil.
- The form requires a signature without there being a legal requirement for writing or a signature in the POPIA. In fact, a signature is biometric information and as such is very sensitive. It should never be collected in instances when it is not required.
- It is impossible to get direct marketing consent by means of SMSs.
Here are some examples of what we think should be considered for consent to direct marketing:
Don’t miss out on fantastic deals and product offerings. Get weekly updates. Reply YES to opt in.
CONSENT FORM SENT VIA EMAIL
Sign up for our weekly newsletter and promotional information
(Redirects to online consent form)
Only collect information for the channels you will actually use, and decide whether you want to allow customers to opt in per channel, or whether it’s an all or nothing consent.
Only ask for information you actually need. E.g. if your products or services are geographically bound, you may want to include a ‘city’ field. Rule of thumb: If you don’t actually need the information in order to deliver your product or service, don’t ask!