MAIN IMAGE: Rona Bekker, policy manager of the National Employers’ Association of South Africa (NEASA)
Senior writer
The Information Regulator, which the government empowers to enforce and monitor compliance with the Protection of Personal Information Act (PoPIA), recently issued its first enforcement notice against a company for sending unsolicited direct marketing messages via electronic communications. If the company does not comply with the instructions issued by the Information Regulator within 90 days, a fine of up to R10 million or imprisonment for up to 10 years may be imposed.
This is very concerning for the residential property market, given that agents and agencies have built substantial databases on which they depend for property leads for decades. The fact that the complainant in the aforementioned case is a member of the public—the target market of the residential property industry—indicates that people are no longer tolerant of unsolicited marketing efforts and have the law firmly behind them.
The problem is that the Act contains a grey area relating specifically to how Section 69 of PoPIA defines ‘electronic communication’: ’any text, voice, sound or image message sent over an electronic communications network, which is stored in the network or in the recipient’s terminal equipment until the recipient collects it.’
This definition has raised a few red flags because telephone calls occur in real-time, meaning they are not stored in a network and, therefore would fall outside of what the Act considers ‘electronic communications.’ To address this, the chairperson of the Information Regulator, Advocate Pansy Tlakula, has announced that a Direct Marketing Guidance Note will be published soon. In the meantime, she says it is critical to secure consent from individuals for ANY direct marketing activities and to record those details.
We reached out to Rona Bekker, policy manager of the National Employers’ Association of South Africa (NEASA), to clarify what residential property agents and agencies should note regarding the finer details of compliance with POPIA, specifically relating to direct marketing.
Q: Regarding verbal telephone communications, or ‘cold calling,’ should agents ask if the customer wishes to remain on a database, or does the restriction only apply strictly to written, electronic communications, where there is usually an opt-out feature?
A: In the case of verbal communication, agents should confirm with their customers whether they agree or not to have their personal details on record. This means the burden of proof of consent lies with the agent processing the personal information. I would, however, advise that consent is obtained in writing, as far as practicably possible, as proof.
Cold calling has been an issue for many citizens across South Africa. To avoid fines and reputational damage, I advise all agents and agencies to ensure that their marketing strategies and procedures are fully PoPIA compliant. Bear in mind that every type of marketing communication must include the details and identity of the sender and an address or contact details to which the recipient may send a request for the marketing to cease/stop.
Q: When a customer chooses to opt-out, verbally or in writing, should this be considered permanent, or is there a timeframe within which they can be contacted again?
A: POPIA does not prescribe a timeframe for the opt-outs. We are still awaiting more clarity on this matter from the Information Regulator. In the meantime, a draft Code of Conduct regarding Direct Marketing has been published for public comment, but no final Code has been gazetted yet.
As the Act currently reads, I would caution all responsible parties against harassing customers who have opted out of receiving further communications. The public has lodged a multitude of complaints at the Regulator, and clearly, the Regulator has taken serious issue with this matter, with enforcement notices being issued to 14 companies regarding their continued direct marketing strategies.
Q: Should opt-out requests be processed immediately, or can they be processed every quarter or so (whatever timeframe the agency/agent chooses)?
A: Technically, as per PoPIA, the opt-out must be actioned immediately, or the agent will be in contravention of the Act. Every time a marketing message is sent to an individual, it is translated as meaning their personal information is being processed for direct marketing purposes. If the recipient has objected or opted out, and they receive even one more marketing communication, the sender has used their personal information without their consent.
Q: It is possible that a single agent, when moving to a new company, adds a longtime customer who has opted out of the new agency database to the new company’s database, but the agent is unaware of this. How should agencies control this type of challenge?
A: This has to be dealt with on a case-by-case basis. Should the agent add the client to the database, the client should be given the opportunity to opt-out once again. If the client is upset, the agent should contact the client and explain why the re-addition of their details occurred and in error.
However, it does remain the responsibility of the agent/agency to ensure that all personal information processing and record-keeping systems are swiftly and constantly monitored to mitigate this kind of risk.
Q: Agents have their own personal databases, which may or may not be part of the broader agency’s database. How important is the synchronicity of those two databases?
A: It is extremely important to ensure the synchronicity of the two databases. If an agent acts under the agency’s direct authority, the agency will be liable for all of its agents’ information processing activities. Should the agent act in contravention of POPIA, the agency is liable.
