Lucy Phillips
Lucy Phillips

What is direct marketing in terms of POPI?

by Lucy Phillips. All sections of the POPI Act will be in force from 1 July, and retailers need to understand the implication.

by Lucy Phillips. The long-awaited Protection of Personal Information Act will be of full force and effect from 1 July this year (after it was signed into law in July 2020), and it is vital that retailers understand the potential implication on any of their direct marketing operations prior to this deadline. To date, direct marketing has been governed by the Consumer Protection Act (CPA) and the Electronic Communications and Transactions Act (ECTA), and there are some significant differences to be aware of.

Simply put, direct marketing is where a retailer or supplier approaches a person for the purposes of selling their goods or services (as opposed to the person approaching the retailer). Section 69 of POPI outlaws direct marketing by any form of electronic means (emails, SMSes and automatic voice calling machines), unless a data subject has given their consent. This understanding of what constitutes direct marketing under POPI is important, because it only relates to electronic forms of direct marketing. Therefore, direct marketing in other forms, for example the handing out of brochures, is not governed by POPI and will continue to be governed by the CPA.


By now you will be aware that a large focus of many provisions in POPI is the issue of obtaining consent from a data subject to process their information, and that is amplified for the purposes of direct marketing. When a retailer wants to engage in direct marketing via electronic means, they have one opportunity to obtain consent from the data subject to contact them for the purposes of direct marketing. If consent is not given, the retailer cannot continue to approach the data subject for the purposes of obtaining consent.

However, if the data subject is an existing customer, the retailer does not have to obtain consent, provided that:

  1. The details were obtained in the course of a sale.
  2. The direct marketing relates to similar products or service as the sale when the details were obtained.
  3. The data subject is given a reasonable opportunity to object to the direct marketing, both at the time the details were collected, as well as in all communications going forward.

This distinguishes POPI from the CPA, which provided for an “opt-out” mechanism; whereas POPI specifically requires that the data subject “opt-in” to receive communication.

Prescribed manner and form

There is not only an obligation on retailers to obtain consent, but it needs to be in a prescribed manner and form as set out in Form 4 of the POPI Regulations, which essentially details:

  • Identify the data subject (name of the data subject).
  • Identify the responsible party and provide their contact details (name, address and contact details).
  • Identify the person designated to sign for the responsible party and the signature of that person.
  • Enable the data subject to consent to receive direct marketing for specified goods or services by specified methods of electronic communication.
  • The signature of both the person designated by the responsible party and the data subject must be included.

All communications to data subjects needs to provide the data subjects with the opportunity to unsubscribe, at any time. This applies whether the data subject is a new or existing customer. Retailers will need to ensure that any software they utilise for the purposes of direct marketing allows for this feature, and more importantly, that once a data subject elects to unsubscribe, that their details are in fact removed from the database.

Practical implementation

The thought of POPI coming into effect can be daunting for retailers, however, once a process is in place, ensuring compliance will become second nature. It should be re-iterated that the obligations on marketing to existing customers will be more practical from a retailers point of view, and therefore mechanisms should be put in place to obtain details and consent at the point of sale. Where retailers are attempting to market to new customers, it is important to bear in mind that you may only make contact once for the purposes of obtaining consent.

Should a retailer be utilising the services of an external marketing company, it is also suggested that the retailer, as the responsible party, ensures that the marketing company is complying with the relevant POPI provisions with regards to obtaining consent and unsubscribing tools. It is also important to note that when communicating with a data subject, the retailers details should be easily discoverable to the data subject, so as to comply with the requirements of POPI to allow for the consent obtained to be “informed, specific and voluntary”.


Main image credit: Photo by Cristian Dina from Pexels.


Lucy Phillips heads up Consilium Legal, after founding the company with Natalie Laurencik in 2012. As a specialised consultancy, Consilium is focused on the commercial aspect of its clients’ businesses, such as commercial, corporate and advisory work. Having previously worked at FNB, where she was Legal Contracts Manager, and as Head of Legal (procurement) at Rand Merchant Bank; Phillips has extensive experience and expertise in staff training and continuing education on data privacy; consumer protection; roles and duties of directors under the Companies Act 2008 and the laws relating to social media.


– Receive the Retailing Africa newsletter every Wednesday • Subscribe here.