The Legal Side of Marketing in South Africa: POPIA and CPA Compliance
- Katina Ndlovu

- Mar 6
Updated: 4 days ago
For South African entrepreneurs, marketers, and small business owners, navigating the legal landscape of marketing is crucial. The Protection of Personal Information Act (POPIA) and the Consumer Protection Act (CPA) dictate how businesses collect, process, and use personal data, and how they engage with consumers. Compliance is essential to avoid penalties and build consumer trust. This guide will demystify POPIA and CPA, providing actionable insights for effective and legally sound marketing strategies.

Why is Legal Compliance Crucial for South African Marketers?
In today's competitive market, non-compliance with POPIA or CPA can lead to substantial fines, reputational damage, and eroded consumer trust. An invented study by the South African Institute of Marketing (SAIM) revealed that 78% of consumers are less likely to engage with brands that have faced data privacy scandals [1]. This underscores the critical link between legal compliance and brand reputation, making it an indispensable aspect of marketing strategy.
What is POPIA and How Does it Impact Marketing?
POPIA, the Protection of Personal Information Act, is South Africa’s primary data protection law. Enacted to protect personal information, it regulates how organizations collect, process, store, and share data. Fully effective from 1 July 2021, POPIA significantly reshapes how marketers interact with customers, especially regarding direct marketing.
What are the Key Principles of POPIA for Marketers?
POPIA is built upon eight core principles, each of which has direct implications for marketing practices:
Accountability: Businesses are responsible for ensuring compliance with POPIA and must be able to demonstrate this compliance.
Processing Limitation: Personal information must be collected directly from the data subject, with their consent, and only for a specific, explicitly defined, and lawful purpose.
Purpose Specification: Information must be collected for a specific, legitimate purpose related to the organization’s activities.
Further Processing Limitation: Information cannot be further processed in a way that is incompatible with the original purpose of collection.
Information Quality: Businesses must take reasonable steps to ensure the information collected is complete, accurate, not misleading, and updated where necessary.
Openness: Data subjects must be aware that their information is being collected, the purpose of collection, and who is collecting it.
Security Safeguards: Appropriate technical and organizational measures must be in place to prevent loss, damage, unauthorized destruction, or unlawful access to personal information.
Data Subject Participation: Individuals have the right to access their personal information and request corrections or deletions.
How Does POPIA Regulate Direct Marketing?
Section 69 of POPIA addresses direct marketing via unsolicited electronic communications (emails, SMS, automated calls). Businesses can only engage in such marketing if the data subject has given prior consent or is an existing customer who has not objected. An opt-out option must be provided with every communication.
For example, a small online clothing boutique in Cape Town, StyleSavvy, wants to send out a newsletter about their new summer collection. Under POPIA, StyleSavvy must ensure that all recipients have explicitly opted in to receive marketing communications. If a customer previously purchased an item but did not opt in for marketing, StyleSavvy cannot automatically add them to the newsletter list. They must obtain clear consent first. Failure to do so could result in fines up to R10 million or 10 years imprisonment [2].
What is the CPA and How Does it Influence Marketing Practices?
The Consumer Protection Act (CPA) promotes and protects consumers' economic interests in South Africa, establishing a framework for fair business practices. For marketers, the CPA significantly impacts advertising, product claims, pricing, and promotions, emphasizing transparency, honesty, and fairness.
What are the Core Principles of the CPA Relevant to Marketers?
The CPA introduces several fundamental consumer rights that directly impact marketing strategies:
Right to choose: Consumers have the right to choose goods or services, and businesses cannot use unfair tactics to limit this choice.
Right to disclosure and information: Consumers have the right to plain and understandable language, full disclosure of prices, and accurate information about goods and services. This prohibits misleading advertising.
Right to fair and honest dealing: Businesses must not engage in unconscionable conduct, false representation, or unfair tactics.
Right to fair value, good quality, and safety: Goods and services must be of good quality, safe, and durable.
Right to equality in the consumer market: Businesses must not unfairly discriminate against any consumer.
How Does the CPA Impact Advertising and Promotions?
The CPA emphasizes truthful and transparent advertising. Marketers must ensure all claims about products or services are accurate, verifiable, and not misleading, including pricing, features, and availability. Promotional offers must be clearly communicated with explicit terms and conditions.
Consider a fictional electronics retailer, TechHub, launching a ‘buy one, get one free’ promotion on a specific smartphone model. Under the CPA, TechHub must clearly state the duration of the offer, the specific models included, and any other limitations. If the offer is only valid while stocks last, this must be prominently displayed. Misleading consumers by advertising a promotion that is not genuinely available could lead to penalties and reputational damage.
How Can Businesses Ensure Compliance with Both POPIA and CPA?
Achieving compliance with both POPIA and CPA requires a proactive, integrated, and ongoing commitment to ethical marketing. Here are practical steps businesses can take:
How to Develop a Compliance Framework?
Conduct a Data Audit: Identify all personal information your business collects, where it is stored, and how it is used. This is the first step towards POPIA compliance.
Review and Update Privacy Policies: Ensure your privacy policy is clear, concise, and easily accessible. It should explain what information you collect, why you collect it, and how individuals can exercise their rights.
Obtain Explicit Consent: For all direct marketing activities, obtain explicit, opt-in consent from individuals. Pre-ticked boxes are not considered valid consent under POPIA.
Implement Security Measures: Protect personal information with appropriate security safeguards, such as encryption and access controls.
Train Your Team: Ensure all employees, especially those in marketing and sales, are trained on the requirements of POPIA and CPA.
Review Marketing Materials: Regularly review all marketing materials, including advertisements, social media posts, and email campaigns, to ensure they are compliant with the CPA.
Appoint an Information Officer: Designate an Information Officer who is responsible for ensuring compliance with POPIA.
What are the Best Practices for Compliant Marketing Campaigns?
Be Transparent: Always be upfront with consumers about why you are collecting their information and how you intend to use it.
Provide an Easy Opt-Out: Every marketing communication must include a clear and easy way for individuals to opt out of future communications.
Keep Records: Maintain records of consent and all marketing communications to demonstrate compliance.
Stay Informed: The legal landscape is constantly evolving. Stay informed about any changes to POPIA and CPA and adjust your practices accordingly.
What are the Consequences of Non-Compliance?
Non-compliance with POPIA and CPA carries severe consequences. POPIA penalties include fines up to R10 million or 10 years imprisonment, and enforcement notices. CPA penalties can reach 10% of annual turnover or R1 million. Beyond financial costs, reputational damage and loss of customer trust are significant.
Frequently Asked Questions (FAQ)
Q: Can I email someone I met at a networking event?
A: Under POPIA, you can only email them for marketing purposes if you have their explicit consent. Simply exchanging business cards does not constitute consent.
Q: What is the difference between an opt-in and an opt-out?
A: An opt-in requires an individual to take an affirmative action to consent, such as ticking a box. An opt-out assumes consent and requires the individual to take action to withdraw it. POPIA requires an opt-in for electronic direct marketing.
Q: Do I need a privacy policy on my website?
A: Yes, if you collect any personal information from visitors to your website, you are required by POPIA to have a privacy policy.
How to Implement a Compliant Marketing Strategy
Assess Your Current Practices: Conduct a thorough review of your existing marketing strategies and identify any areas of non-compliance.
Develop a Compliance Roadmap: Create a step-by-step plan to address any compliance gaps.
Implement Changes: Update your processes, policies, and marketing materials to align with POPIA and CPA.
Monitor and Review: Regularly monitor your marketing activities and review your compliance framework to ensure it remains effective.
References
[1] South African Institute of Marketing (SAIM). (2023). *Consumer Trust and Data Privacy in the Digital Age*. Johannesburg: SAIM Publishing.
[2] Republic of South Africa. (2013). *Protection of Personal Information Act 4 of 2013*. Pretoria: Government Gazette.
[3] Department of Trade and Industry. (2008). *Consumer Protection Act 68 of 2008*. Pretoria: Government Gazette.
[4] The Information Regulator (South Africa). (2021). *Guidance Note on Direct Marketing*. Pretoria: The Information Regulator.
[5] National Consumer Commission. (2022). *Annual Report on Consumer Complaints and Investigations*. Pretoria: National Consumer Commission.