It is 7pm at night and the phone rings. “Who could be contacting me at this time of night?” you may think… It is a robot or real telemarketer that wants to sell you a data plan or insurance! The annoyance that is experienced by users from telemarketing might be approaching its end. This will come as a great relief to many citizens but will be a crushing blow to the Telemarketing and data broker industry which will likely lead to jobs lost.
When POPIA comes into effect there will be strict rules on the collection, storage, usage, sharing and destruction of data that directly impact existing client information databases that are being shared or sold to telemarketers. POPI Act Section 69 speaks directly to telemarketing and Section 8 to 25 specifies the specifics around the processing of personal information. Some of the Highlights that will affect Direct/Telemarketing and Data brokers are as follows:
Section 69 – Direct marketing by means of unsolicited electronic communications:
1. The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSes or e-mail is prohibited unless the data subject—
a. has given his, her, or its consent to the processing; or
b. is, subject to subsection (3), a customer of the responsible party.
2.
a. A responsible party may approach a data subject—
i. whose consent is required in terms of subsection (1)(a); and
ii. who has not previously withheld such consent,
iii. only once in order to request the consent of that data subject.
b. The data subject’s consent must be requested in the prescribed manner and form.
3. A responsible party may only process the personal information of a data subject who is a
customer of the responsible party in terms of subsection (1)(b)—
a. if the responsible party has obtained the contact details of the data subject in the context of
the sale of a product or service;
b. for the purpose of direct marketing of the responsible party’s own similar products or services;
and
c. if the data subject has been given a reasonable opportunity to object, free of charge and in a
manner free of unnecessary formality, to such use of his, her or its electronic details—
i. at the time when the information was collected; and
ii. on the occasion of each communication with the data subject for the purpose of marketing if
the data subject has not initially refused such use.
4. Any communication for the purpose of direct marketing must contain—
a. details of the identity of the sender or the person on whose behalf the communication has
been sent; and
b. an address or other contact details to which the recipient may send a request that such
communications cease.
5. ‘‘Automatic calling machine’’, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.
This is where it gets tricky, the section basically states that any existing data can only be used to obtain consent once if it has not already previously been withheld or withdrawn.
Even if the data has been collected from a public source (Section 12 details the collection directly from Data subjects.) the Data subject must still consent to the usage and further processing of their data.
Basically, Direct\Telemarketers and Data brokers to contact you and obtain your consent but they, but they can only do so once and if you refused, they may not contact you at a later stage to verify if your interest has changed.
The data owners always have the full right to all the data they hold, how they intend to use it (Processing), the 3rd parties they want to share it with and how the 3rd party will use it (Further Processing). Each of those should carry its own consent option and no blanket consent is allowed anymore. You also have the full right to request its removal from their database. Section 11 – Consent, justification, and objection is considered an important review point.
As you can imagine this will make life very difficult for the mentioned entities, but the response may be more favorable if people being contacted have consented and want to be contacted.
If the correct process and procedure is not followed these companies can be reported to the Information Regulator and they stand to be fined up to R10 million rand or it can also carry 10 years jail time for the most serious offences.
What can the user do?
If you want to join an opt-out list for any direct marketers that belong to DMASA (Direct Marketing Association of South Africa) then you simply need to go to their website and register. This registration itself requires some of your PII to identify yourself and specify the number to opt-out:
https://www.dmasa.org/page/register-opt-out-service
or
https://www.nationaloptout.org/
“Amendment requirements
1. When you register you will be required to enter a valid RSA ID number and email address and/or cell number.
2. You will also be prompted to provide other contact details that you wish NOT to be contacted.
3. On completion of the registration, once you have clicked the SUBMIT button, you will receive an email requesting that you confirm that you want to be on the National Opt Out Database.
4. Once we have received your confirmation you will then be registered.
5. If you do not respond within 5 days your details will be deleted.
6. It will take +/-6 weeks for this service to be fully effective i.e. for all members of the DMASA to stop contacting you.”
What can the Direct Marketer do?
It appears that DMASA is prepping to launch a compliance portal to assist all their members, but this appears to still be incomplete as the compliance portal does either not exist yet or is only available to members:
Written by: Christo De Lange