The 2026 Opt-Out Registry: Three Legal Axes that Now Govern Direct Marketing in South Africa

The 2026 Opt-Out Registry: Three Legal Axes that Now Govern Direct Marketing in South Africa

By Zurayda Mayet | Mayet & Associates

Introduction

In 2024, the Information Regulator issued an enforcement notice against FT Rams Consulting for unlawful direct marketing in contravention of section 69 of the Protection of Personal Information Act 4 of 2013 (POPIA). The notice carried the prospect of a fine of up to R10 million, or imprisonment of up to 10 years, on non-compliance. It was the first occasion on which the Regulator had taken meaningful enforcement action in this space, and it signalled a clear shift in regulatory posture.

That shift accelerated on 15 April 2026, when the Minister of Trade, Industry and Competition published the Consumer Protection Act Amendment Regulations, 2026 (the 2026 Regulations), which came into immediate effect. The 2026 Regulations operationalise the national opt-out registry contemplated by section 11(6) of the Consumer Protection Act 68 of 2008 (the CPA), administered by the National Consumer Commission (the Commission). Consumer-side registration and direct-marketer registration are due to commence from July 2026, and the published penalty range, up to R1 million or 10% of annual turnover, whichever is greater, sits within the CPA’s enforcement architecture.

The combined effect of these two developments is that direct marketing in South Africa is now regulated along three distinct legal axes that do not always align. This article examines those three axes, identifies the points at which they pull in different directions, and proposes a risk-stratified approach for businesses that wish to keep marketing operations defensible during the transition period.

Our firm’s earlier piece on POPIA and direct marketing addressed the Information Regulator’s December 2024 Guidance Note. The present article picks up where that piece left off and incorporates the 2026 Regulations into the analysis.

Axis One: The CPA, as amended by the 2026 Regulations

Section 11 of the CPA confers on a consumer the right to refuse to accept, to require a supplier to discontinue, or pre-emptively to block direct marketing. The right was always there; the practical mechanism to give effect to it was, for fifteen years, largely absent. The Direct Marketing Association of South Africa operated a voluntary opt-out registry, but compliance was limited to its members.

The 2026 Regulations close that gap. They:

  • establish a central opt-out registry administered by the Commission;
  • introduce a defined concept of a “pre-emptive block”, being a consumer’s registration on the registry to prevent unwanted electronic communication from direct marketers;
  • require every direct marketer to register with the Commission (in the new prescribed form, Annexure P) and to renew that registration annually;
  • impose a continuous obligation to cleanse marketing databases against the registry on at least a monthly basis; and
  • prohibit a direct marketer from marketing to any consumer who has registered a pre-emptive block.

The 2026 Regulations do not merely codify existing practice. They re-allocate the day-to-day anti-spam role to the Commission, displace the DMASA voluntary regime, and place a positive registration and cleansing obligation on every business that engages in direct marketing, irrespective of the channel and irrespective of whether the business is a member of any industry body.

Two textual features of the 2026 Regulations deserve attention.

First, the term “pre-emptive block” is defined by reference to “unwanted” electronic communication. The word “unwanted” is deliberate, and it leaves an interpretive space. A direct marketer may seek to argue that communication sent within the precise scope of a consumer’s specific, current and informed consent is not, on a proper construction, “unwanted,” and accordingly does not fall within the prohibition. The argument is not without difficulty. The Commission and (in due course) the courts may take the view that a consumer’s registration on the registry is conclusive of what the consumer regards as unwanted, and that the marketer is in no position to second-guess that assessment. The point will likely have to be resolved either by way of guidance from the Commission or by litigation. Until then, the textual hook exists but should not be relied on as a substitute for compliance.

Second, the prohibition is framed broadly, a direct marketer must not market to a registered consumer, without expressly carving out the existing-customer scenario contemplated by section 69(3) of POPIA. The interaction is left to the conflict-of-laws principle to which we return below.

Axis Two: POPIA and the Information Regulator’s Guidance Note

POPIA approaches direct marketing from a different starting point. Section 69(1) prohibits the processing of personal information for the purpose of direct marketing by means of any form of electronic communication unless one of two bases applies: the data subject has given consent (s 69(1)(a)), or the data subject is an existing customer of the responsible party and the conditions in section 69(3) are met (the so-called soft opt-in).

The Information Regulator’s Guidance Note, issued in December 2024, sharpens this position in three ways that matter here.

  • It treats telephone calls as electronic communications for the purposes of section 69. Direct marketing by telephone therefore requires opt-in consent or compliance with the existing-customer exception. The Regulator’s view marks a clear departure from the historical CPA position, which permitted telephonic marketing on an opt-out basis, and creates a direct overlap with the new registry regime.
  • It confirms that, once a data subject objects to the processing of his or her personal information for direct marketing purposes (in terms of section 11(3) of POPIA), the responsible party must cease such processing.
  • It contemplates that consumers may register a pre-emptive block under the CPA, and notes that the obligations of responsible parties under POPIA are not displaced by the absence of such a block.

The Regulator has therefore set out a position in which the consent and objection mechanics of POPIA operate alongside, but not subordinate to, the CPA registry regime.

It is also worth recalling that consent under POPIA, in addition to satisfying the section 11 definitional requirements (voluntary, specific, informed), must be requested in the prescribed manner and form (s 69(2), read with regulation 6 and Form 4 of the POPIA Regulations) when consent is sought for purposes of direct marketing by electronic communication. The responsible party may make only one approach to obtain that consent. Consent obtained through generic terms-and-conditions bundles, opaque check-boxes, or post-hoc database imports may not satisfy these requirements, and a marketer who relies on such consent in defence of a future complaint is unlikely to succeed.

Axis Three: The Conflict-of-Laws Principle

The CPA and POPIA do not regulate the same conduct, but they regulate overlapping conduct, and they do not always do so consistently. The principal example, as noted above, is telephonic direct marketing, permitted on an opt-out basis under the CPA’s historical architecture, but requiring opt-in under POPIA on the Regulator’s current view.

The applicable conflict-of-laws principle is now well-established. Where both POPIA and the CPA apply to a particular processing activity, the provisions of the two statutes must be read together, and the provision conferring the greater protection on the data subject or consumer prevails. This rule is supported by section 3(1)(b)(i) of POPIA, which provides that POPIA’s protections are minimum standards, and by the general principle that consumer-protection legislation is interpreted in favour of the consumer.

Three practical corollaries follow.

First, on the question of channel-by-channel rules, the more protective standard applies. For telephonic direct marketing, the Information Regulator’s opt-in view governs (more protective than the CPA’s traditional opt-out), even though the CPA registry regime is also engaged.

Second, on the question of withdrawal and objection, the more protective standard applies. A data subject’s POPIA section 11(3) objection ends the marketer’s right to process. A pre-emptive block under the 2026 Regulations ends the marketer’s right to market. The two operate cumulatively: each is independently capable of bringing the marketing relationship to an end. Compliance with one does not excuse non-compliance with the other.

Third, on the question of consent, the more protective standard applies, but the practical content of that standard remains contested. POPIA requires consent in the prescribed form and manner. The 2026 Regulations require attention to the registry. Whether prior POPIA-compliant consent can lawfully override a subsequent pre-emptive block is the question to which we now turn.

The Hard Case: Prior Consent and a Later Pre-Emptive Block

Consider the following scenario. A customer signs up for an account in 2025. As part of the sign-up flow, the customer provides POPIA-compliant consent (in the prescribed form) to receive direct marketing from the responsible party by email and SMS. In August 2026, the customer registers a pre-emptive block on the Commission’s registry. The responsible party’s database, accurately maintained, still reflects the 2025 consent.

What is the responsible party’s obligation in respect of marketing communications sent on or after the August 2026 block?

In our view, the position is as follows.

The pre-emptive block is, at minimum, an instruction to cease. A consumer who registers on the registry is doing something. The minimum content of what that consumer is doing is signalling that further direct marketing communications are unwanted. The 2026 Regulations require a direct marketer to remove from its marketing database any consumer who has registered a pre-emptive block. That obligation operates regardless of whether the consumer had previously consented.

The earlier consent does not override the later block. Consent under POPIA is, by definition, withdrawable at any time (s 11(2)). Although the Act preserves the lawfulness of pre-withdrawal processing, it does not entitle the responsible party to continue processing after withdrawal. The pre-emptive block, on a sensible construction, operates either as a withdrawal of any previously given consent, as an objection in terms of section 11(3), or as both. On any of these constructions, the earlier consent ceases to provide a lawful basis for ongoing direct marketing.

A narrow exception may survive for the section 69(3) existing-customer scenario but it is narrow. A responsible party who has obtained the consumer’s contact details in the context of the sale of a product or service may, in terms of section 69(3), market its own similar products or services to that consumer, subject to the section 69(3) opt-out being provided. However, where the existing customer has registered a pre-emptive block, the more protective rule (the block) applies in our view, and the section 69(3) exception falls away. The contrary view, which would treat the existing-customer relationship as immunising the marketer from the registry, is difficult to sustain against the prohibition in the 2026 Regulations.

Post-block consent is a different question. A consumer who, after registering a block, signs up to a specific marketing programme of a particular responsible party, by a specific and unambiguous opt-in, has done something different. The block was a generalised refusal of “unwanted” marketing; the later opt-in is a specific election to receive a particular type of marketing. Properly documented, channel-specific, time-stamped post-block consent is, in our view, capable of authorising marketing within its scope, subject to the responsible party being able to demonstrate that the consent was specific, informed and voluntary, and was obtained in compliance with section 69(2) of POPIA. Marketers who rely on this route must be prepared to defend the audit trail.

A Risk-Stratified Approach for Direct Marketers

A practical compliance framework, in our view, distinguishes between four categories of marketing contact and applies a tiered response.

Category A — Marketing to a consumer with no pre-emptive block, on the strength of specific and current consent obtained in the prescribed form. This is the lowest-risk category. The marketer must continue to honour POPIA objections and channel-specific opt-outs, and must continue to cleanse against the registry at least monthly. Within those constraints, the marketing remains lawful.

Category B — Marketing to an existing customer with no pre-emptive block, on the strength of the section 69(3) soft opt-in. This is acceptable for marketing the marketer’s own similar products and services, provided the customer was given a reasonable opportunity to object at the point of collection and on each subsequent communication. Marketers should not rely on this category for cross-selling beyond own-similar products, or where the contact details were not obtained in the context of a sale.

Category C — Marketing to a consumer with a pre-emptive block, in reliance on consent obtained before the block. In our view, this is not legally defensible. Pre-block consent should be treated as suspended (at minimum) by the registry entry, and marketing should cease pending a fresh opt-in obtained after the block.

Category D — Third-party lead lists, lead-generation arrangements, and database transfers. This is the highest-risk category. The marketer cannot rely on consent that it cannot itself audit. Where third-party data are to be used, the marketer should verify, before any communication, the wording, scope, date, channel and transferability of the consent on which the third party relied. The data must be cleansed against the registry, and the marketer should obtain contractual warranties from the data supplier together with documented indemnities.

A practical implementation of this framework will require, at a minimum:

  • a designated business owner for direct-marketing compliance, sitting at sufficient seniority to enforce the framework against operational marketing pressure;
  • a documented governance policy that records the four categories above and the rules applied to each;
  • a database architecture that reconciles internal consent records, channel-specific opt-outs, POPIA objections and registry-based suppressions in a single suppression view;
  • automated monthly registry cleansing, with audit-traceable records of each cleansing exercise;
  • a process for capturing and verifying post-block consent that is materially more rigorous than the process used for ordinary opt-in capture; and
  • a clear escalation procedure for resolving conflicts between categories, including (where necessary) legal sign-off before any communication is sent to a contested record.

Concluding Observations

The architecture introduced by the 2026 Regulations is, in our view, a meaningful shift. Direct marketers who had grown accustomed to the relatively permissive enforcement environment that prevailed before the publication of the Information Regulator’s December 2024 Guidance Note, and before the 2026 Regulations took effect, should not assume that the regulatory posture will revert. The FT Rams enforcement notice is unlikely to be the last; the Commission, with its new registry and statutory penalty framework, has both the tools and the mandate to act.

The legal question that runs through the analysis above, whether prior consent can survive a later pre-emptive block, does not, at the time of writing, have a settled answer in South African law. Pending guidance from the Commission, or judicial consideration of the question, marketers must form a view on it and operate accordingly. Our view, set out above, is that the conservative reading is also the better one: the pre-emptive block should be treated as superseding earlier consent, with the narrow exception of demonstrably post-block, channel-specific, prescribed-form opt-ins. Businesses that adopt that position will not be wrong, even if a more permissive reading were ultimately to prevail. The reverse is not true.

How We Can Assist

Mayet & Associates advises responsible parties on POPIA compliance, on Consumer Protection Act direct-marketing regimes, on the implementation of the 2026 Regulations within existing data-governance and marketing-operations frameworks, and on responses to complaints and enforcement notices issued by the Information Regulator and the National Consumer Commission. Should your organisation wish to discuss the matters set out in this article, please contact the firm.

This article is provided for general information only and does not constitute legal advice. Readers should obtain specific advice in respect of their particular circumstances before acting on any of the matters discussed.

Categories

Recent Posts
Social Media
Facebook
Twitter
WhatsApp
LinkedIn