The Information Regulator recently published its Guidance Note on Direct Marketing (“Guidance Note”), providing clarity on how personal information can be lawfully processed under the Protection of Personal Information Act (“POPIA”). The Guidance Note offers actionable steps for organizations to align their marketing practices with these principles, fostering responsible marketing that complies with both the letter and spirit of the law.

In this blog, we briefly examine POPIA’s rules on direct marketing, and some of the key highlights from the Guidance Note.

How Direct Marketing is Regulated under POPIA

POPIA regulates direct marketing by establishing strict conditions for the lawful processing of personal information. It requires “responsible parties” (more commonly known as ‘controllers’) to ensure that personal data is collected and used transparently, fairly, and only for a specific, legitimate purpose.

For direct marketing:

  • Consent is the default requirement for unsolicited electronic communications (e.g., emails, SMSs, and automated calls). Section 69 of POPIA explicitly prohibits such communications unless the data subject has given prior consent or is an existing customer under specific conditions.
  • Legitimate interests may only serve as a justification for non-electronic direct marketing (e.g., postal mail or in-person promotions) under section 11, provided the responsible party conducts a legitimate interest assessment and complies with all conditions for lawful processing.

These rules emphasize data subjects’ control over their personal information, highlighting the importance of consent and the right to object.

Key Highlights from the Guidance Note

  1. Types of Direct Marketing Covered

POPIA distinguishes between:

  • Non-electronic direct marketing: Such as postal mail and in-person promotions.
  • Unsolicited electronic communications: Including emails, SMSs, and telephone calls.

The processing of personal data for these purposes must comply with strict consent and notification requirements, ensuring data subjects retain control over their information.

  1. Consent is King

Organizations must obtain informed, voluntary, and specific consent before using personal data for direct marketing. The first interaction with a data subject should primarily focus on seeking this consent, and organizations are permitted only one such request if consent has not been previously withheld.

  1. Legitimate Interest Assessments

When relying on “legitimate interests” as a basis for processing data for non-electronic direct marketing, businesses must undertake a three-stage test:

  • Purpose Test: Is the processing necessary and lawful?
  • Necessity Test: Is there no less intrusive way to achieve the objective?
  • Balancing Test: Does the organization’s interest override the individual’s rights and freedoms?

Businesses cannot lawfully process personal data under this justification without successfully meeting these criteria,

  1. Rights of the Data Subject

Data subjects have the right to:

  • Object to direct marketing at any time.
  • Withdraw previously given consent.
  • Lodge complaints with the Information Regulator.

Importantly, once a data subject objects, organizations must cease processing their information for direct marketing purposes and maintain a database to ensure compliance.

  1. Enhanced Consumer Protections

The Guidance Note aligns with section 69 of POPIA, requiring that all unsolicited electronic communications:

  • Clearly identify the sender.
  • Provide an accessible way for recipients to opt out of future communications.
  1. Integration with the Consumer Protection Act, 2008

Data subjects may also preemptively block marketing communications by registering with the preemptive block registry under the Consumer Protection Act. POPIA reinforces this protection by emphasizing that organizations cannot bypass consent even if such blocks are absent.

Implications for Businesses

The Guidance Note offers a roadmap for compliant marketing practices, with a strong emphasis on transparency and accountability. Organizations should:

  • Regularly conduct comprehensive audits of their direct marketing practices.
  • Implement systems for obtaining and managing consent.
  • Train staff to ensure compliance with the conditions for lawful processing.

Failure to adhere to these rules may lead to severe penalties and reputational harm, making it essential for businesses to align their practices with POPIA.

* * *

If you have questions about handling data privacy compliance matters, please contact Dan Cooper at dcooper@cov.com, Ben Haley at bhaley@cov.com, Deon Govender at dgovender@cov.com, Mosa Mkhize at mmkhize@cov.com, Ahmed Mokdad at amokdad@cov.com. This article is intended to provide general information. It does not constitute legal advice.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Benjamin Haley Benjamin Haley

Ben Haley leads the firm’s White Collar and Anti-Corruption Practice in the Middle East and Africa and is a chair of the firm’s broader Africa Practice. With deep experience representing clients before regulators in high-profile white collar and disputes matters and a history operating on…

Ben Haley leads the firm’s White Collar and Anti-Corruption Practice in the Middle East and Africa and is a chair of the firm’s broader Africa Practice. With deep experience representing clients before regulators in high-profile white collar and disputes matters and a history operating on the ground in emerging markets, he helps clients assess and mitigate a wide range of complex legal and compliance risks.

Complementing his investigations and dispute resolution practice, Ben has a broad-based compliance advisory practice, helping clients proactively manage compliance risk in areas including anti-corruption, trade controls, anti-money laundering, fraud, and data privacy.

Ben represents corporate and individuals clients in a wide range of investigations and disputes, including:

  • Investigations under the U.S. Foreign Corrupt Practices Act (“FCPA”).
  • Investigations into anti-money laundering, financial crimes, anti-terrorism, and sanctions and export control issues.
  • Securities fraud and accounting matters.
  • Board investigations and shareholder litigation.
  • Insurance recovery.

Ben also regularly advises clients on a range of regulatory compliance and corporate governance issues. His compliance advisory practice includes:

  • Performing risk and compliance program assessments.
  • Leading compliance reviews on business partners and assisting companies with third-party risk management processes.
  • Conducting forensic accounting reviews and testing and enhancing financial controls.
  • Advising on market entry, cross-border transactions, and pre-acquisition diligence and post-acquisition integration.
  • Assisting companies in designing, implementing, and maintaining best-in-class compliance programs.

In recent years, Ben has steered a number of clients to successful resolutions and declinations in complex FCPA and corporate fraud matters with the U.S. Department of Justice and Securities Exchange Commission. In his advisory practice, Ben has served as lead compliance counsel on a number of major M&A and investment transactions. He has developed special expertise assisting clients in leveraging technology in their compliance programs, including assisting one of the world’s largest consumer goods companies in the design and implementation of an award-winning compliance data analytics and monitoring system.

Ben has been described by the Chief Compliance Officer of one of his clients as “[a]n outstanding senior lawyer and advisor,” and “a guiding light for all things compliance advisory in Africa,” whose “advice is crystal clear, covers all angles and is business friendly.”

Photo of Deon Govender Deon Govender

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of…

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure assets in the transportation and telecommunications sectors. Deon’s experience additionally includes advising on financing independent power producer projects under the South African government’s Renewable Energy Independent Power Producer Procurement Programme.

Photo of Ahmed Mokdad Ahmed Mokdad

Ahmed Mokdad is an associate based in the Johannesburg office, and a member of the firm’s White Collar Defense and Investigations and Anti-Corruption Practice Groups, as well as the Privacy and Cyber Security Practice Group. With a depth of experience representing clients across…

Ahmed Mokdad is an associate based in the Johannesburg office, and a member of the firm’s White Collar Defense and Investigations and Anti-Corruption Practice Groups, as well as the Privacy and Cyber Security Practice Group. With a depth of experience representing clients across various sectors, Ahmed regularly assists clients navigate and mitigate a broad spectrum of regulatory and compliance risks.

Ahmed’s investigations practice includes internal and government investigations into anti-corruption, anti-money laundering, fraud, and financial crimes matters more generally. Complementing his investigations practice, Ahmed has a broad-based compliance advisory practice in these areas and in data protection and information security matters. This includes assisting clients in numerous sectors with compliance under South Africa’s Protection of Personal Information Act (POPIA).

Adding to his investigative, regulatory and compliance advisory experience, Ahmed has extensive experience advising on numerous M&A and complex financial transactions. He has also been involved in several high profile international arbitrations, and litigious matters before the South African courts relating to, among other things, commercial and tax disputes, exchange control violations, government procurement irregularities, and defending white collar crimes. This experience gives Ahmed valuable perspectives and insights when advising on compliance advisory matters.

For international clients facing compliance issues cutting into Africa, Ahmed regularly advises on a range of issues that can arise in such context, e.g., labor and employment considerations, legal professional privilege, whistleblower protections, corporate governance reporting obligations, and control processes and protocols for engaging with government and law enforcement agencies. Ahmed is recognized by clients for providing practical advice and solutions on complex legal issues in ambiguous statutory regimes.

Photo of Mosa Mkhize Mosa Mkhize

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across…

Mosa Mkhize is a policy advisor and leads the firm’s Africa Public Policy Practice. Drawing on her experience both in government and in various roles in the private sector, Mosa provides strategic policy and regulatory advice to clients doing business with and across Africa. Mosa does so by leveraging close to two decades of experience in international trade, public policy and government affairs.

Mosa assists clients on a broad range of issues including advocacy, strategic policy, regulatory, and dispute resolution advice in various sectors, including technology, energy and life sciences. In addition to this, Mosa’s capabilities include building strategic relationships and coalitions in support of smart technologies. Furthermore, she is currently working with government officials, private corporations, academia, and the general public on the development of regulations and policies that will bring about an enabling environment for digital transformation and economic growth in Africa.