Everywhere we go, we are asked the same questions. Do we really have to use the terrible, horrible, no good, very bad form 4, to get consent for direct marketing when the POPIA comes into effect? And do we then really have to get consent again from our current database?
To answer these questions, let’s go back to some direct marketing basics.
What is direct marketing?
According to the POPIA, direct marketing is ‘electronic’ communication that is directed at a person and that promotes or offers to supply any goods or services, or requests donations from that person.
Examples of direct marketing include:
- emails
- SMS messages
- direct messages sent via social media platforms
- advertising sent to a custom audience via social media platforms (where you know exactly who you are targeting by name)
Once you have established that it is direct marketing you want to send out, your next step is to establish whether you need to get an opt-in consent from the person before you start marketing to them.
When do you need consent and what must it look like?
If you are contacting a person for the first time, you will need to obtain consent for any unsolicited marketing. In other words, where you want to contact a person for the first time with marketing communication which they didn’t ask for, you must obtain consent before sending your marketing.
The consent must:
- be a voluntary, specific, and informed expression of will.
- Voluntary means that the consent must be a genuine choice.
- Specific and informed means that it must be clear what direct marketing the person is consenting to.
- Expression of will means that the person must give consent through a clear, unambiguous affirmative act. The use of pre-ticked opt-in boxes, or double negatives are not allowed.
- be an opt-in, which means that if the person does nothing (i.e. does not tick the box), that person will not receive marketing.
- contain the identity and contact information of the marketer as well as a person designated to act on behalf of the marketer (usually the information officer or the deputy information officer).
- contain the full name of the person who gives consent.
- be signed in person or electronically.
- include
- the date and location where consent is given
- the goods or services that will be marketed (in general terms or classes of goods)
- the method of communication(e.g., email, SMS).
Some important good news: You don’t need to use the Regulator’s form 4 word for word. Just make sure that the form you use is clear, understandable and substantially similar.
You will often not need consent
There will be many instances when you don’t need an opt-in consent. In general, if the person you want to market to has an existing relationship with you it won’t be necessary to get consent. For instance, the person applied for your products or services already, they subscribed to your newsletter before, or they asked you for more information.
Direct marketing consent is not required from a person if
- you collected the person’s personal information while they were enquiring about or purchasing your goods or services,
- the person is told that their personal information would be used to send marketing communications,
- you only send marketing communication for your own goods or services, and those goods or services are similar to the ones the person contacted you about or purchased,
- the person is given an opportunity to unsubscribe at the time their information was collected (i.e. they were given an opportunity to opt out), and
- the person can unsubscribe every time they receive marketing communications from you.
You need to comply with all of the above requirements. If any of the requirements are not met, an opt-in consent must be obtained before marketing communications can be sent.
To avoid having to get an opt-in consent, you need to comply with all the requirements we’ve listed, and you must be able to prove that you comply. This means that you need to know where you got the information in your database, the circumstances under which you got it, and what privacy notices or terms and conditions were in place at the time and that you have an ironclad unsubscribe process in place.
Marketers who can’t comply and provide proof of their compliance will have some difficult decisions to make. Do you send an opt-in consent to your base and risk losing the subscribers that don’t open the mail or don’t respond? Or, do you send a message with an opt-out and risk that the Regulator doesn’t think it is good enough.
Do you have questions?
Join us for this debate at the Digital in Law SA Briefing where we will talk to the Regulator about these and other POPIA issues.