Subscribe
About

Info watchdog goes after direct marketing firm

Simnikiwe Mzekandaba
By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 27 Feb 2024
Advocate Pansy Tlakula, chairperson of the Information Regulator. (Photograph by Strike A Pose Studio)
Advocate Pansy Tlakula, chairperson of the Information Regulator. (Photograph by Strike A Pose Studio)

South Africa’s data privacy enforcer has issued the first enforcement notice as a result of a direct marketing complaint.

This comes shortly after chairperson advocate Pansy Tlakula told ITWeb the Information Regulator will take a strong stance against telemarketers, following the decision that telemarketing by telephone constitutes electronic communication.

The move, said Tlakula, is in an effort to address data subjects’ frustrations with unsolicited direct marketing phone calls and messages, despite the Protection of Personal Information Act (POPIA) being in effect.

Today, the Information Regulator announced it issued an enforcement notice to FT Rams Consulting, a training institution, following findings of the contravention of various sections of POPIA.

“Our leniency regarding direct marketing through unsolicited electronic communications is going to be a thing of the past because responsible parties (public or private bodies) ignore the provisions of section 69 of POPIA and infringe on the rights of data subjects,” says Tlakula.

“In response to this, we are also putting together a guidance note, which will clearly spell out the dos and don’ts of processing personal information for the purposes of direct marketing by means of unsolicited electronic communication.”

The Information Regulator, which is headed by Tlakula, is mandated to ensure organisations put in place measures to protect the data privacy of South Africans under POPIA.

The chairperson previously explained an enforcement notice, which should not be ignored, follows investigation on the regulator’s part. The notice informs the company found to be at fault what action it has to take and within what time period.

If there is non-compliance with the notice, the next step will be an infringement notice that can lead to a fine of up to R10 million or the option of prosecution – the maximum sentence is 10 years.

For instance, the R5 million fine imposed on the Department of Justice and Constitutional Development – the first time a South African organisation was fined under the country’s POPIA data privacy law – is because it ignored the enforcement notice, Tlakula revealed.

In the case of FT Rams Consulting, the information watchdog says it received a complaint from a data subject following countless direct marketing messages. Despite multiple attempts to opt out and requests to be removed from the company’s e-mailing list, FT Rams Consulting ignored the pleas from the data subject and continued to send marketing messages via e-mail, it states.

As a result, the regulator determined that FT Rams Consulting interfered with the protection of personal information of the data subject, and thus breached the conditions for the lawful processing of personal information. Furthermore, the regulator found FT Rams Consulting violated section 69 of POPIA, which regulates direct marketing by means of unsolicited electronic communications.

“The regulator found that FT Rams Consulting had failed to adhere to POPIA and contravened sections 69 (1) and (2) and subsequently other sections of POPIA by transmitting to the data subject, without first obtaining their consent, persistent direct marketing communications through e-mails pertaining to the courses or webinars which it offered.

“Furthermore, that although the data subject was provided with the option to ‘opt out’, this did not remedy the situation. Section 69 (1) of POPIA states the processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication is prohibited unless the data subject has given their consent to the processing.

“POPIA defines consent as voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. If the data subject consented to receiving direct marketing messages, they also had to indicate the preferred means of communication which FT Rams Consulting could use to send direct marketing messages to them.

“Also, FT Rams Consulting was supposed to use the prescribed form to obtain the data subject’s written consent. All these requirements were not complied with.”

According to the regulator, in the enforcement notice issued to FT Rams Consulting, the company has been ordered, among other things, to immediately stop sending unsolicited direct marketing messages by means of any electronic communication, including telephone, fax, SMS, e-mail or automated calling machine, to any data subject who has not consented, including the complainant.

The company must also ensure the first communication sent to data subjects is one in which FT Rams Consulting requests their consent and must approach such data subjects only once to obtain consent.

“FT Rams Consulting must use the form prescribed by the regulator for this purpose. The use of this form is compulsory. Furthermore, they must also ensure they only send such a message to a data subject who had not previously withheld his or her consent. FT Rams Consulting has been ordered to provide an undertaking to the regulator regarding compliance with these orders.

“FT Rams Consulting has also been ordered to compile and maintain a database of all data subjects who had previously withheld, or did not consent to receiving unsolicited direct marketing messages, and submit a design of such a database to the regulator. This will ensure the data subjects on the database are not contacted again.”

FT Rams Consulting is ordered to adhere to the instructions contained in the enforcement notice and demonstrate such to the regulator within 90 days of receipt of the notice.

ITWeb has reached out to the company for comment.


Share