The Information Regulator of South Africa has released a Guidance Note on direct marketing under the Protection of Personal Information Act, 2013 (POPIA). This document clarifies how businesses may lawfully process personal information for unsolicited marketing purposes, whether through traditional channels (such as post or hand-delivered flyers) or digital platforms (such as SMS, email, and telephone calls).

The Guidance Note responds to a growing number of complaints about intrusive marketing practices and provides direction on how organisations must balance commercial interests with the privacy rights of individuals. Although the note itself is advisory, it emphasises that the provisions of POPIA and its Regulations remain binding and will prevail in cases of conflict.

Direct Marketing Under POPIA: Electronic vs. Non-Electronic

The Regulator draws a sharp distinction between:

• Non-electronic marketing (in-person approaches, postal mail, hand-delivered brochures). These do not generally require prior consent, provided that recipients are given a clear opportunity to opt out from future communications.
• Electronic marketing (emails, SMS campaigns, cookies, and similar tools). These usually require opt-in consent, unless the individual is already a customer and the conditions in section 69(3) of POPIA are satisfied.

Telephone Calls: A Shift in the Rules

One of the most significant clarifications is how telephone marketing calls are treated. The Information Regulator has confirmed that telephone calls fall within the category of electronic communications. As such, direct marketing via telephone requires the recipient’s prior consent unless the caller is engaging with an existing customer under the limited exemption in section 69(3).

This stance marks a departure from the Consumer Protection Act (CPA), which traditionally required only an opt-out option for such calls. Telemarketers, who have long relied on the CPA, may face compliance challenges as the Regulator’s opt-in approach could significantly restrict cold-calling practices. Legal challenges to this interpretation are anticipated.

Compliance Requirements for Electronic Communications

Section 69(4) of POPIA, reinforced by the Guidance Note, stipulates that every marketing communication must clearly:

1. Identify the sender or the party on whose behalf the message is sent.
2. Provide valid contact details for recipients to opt out of future communication.

In addition, organisations must maintain internal “do-not-contact” databases of individuals who have refused consent or opted out.

For outbound telemarketing, the rules are even stricter:

• Consent must be obtained.
• Telemarketers must read aloud the content of Form 4 of the Regulations, outlining the goods/services and the chosen communication method.
• The call must be recorded and retained as proof of compliance.

Non-Electronic Direct Marketing and Legitimate Interests

When marketing in person or via physical post, businesses may rely on legitimate interests rather than consent, provided they can demonstrate compliance through a three-step assessment:

1. Purpose test – Is there a legitimate, objective reason for processing the personal information?
2. Necessity test – Is the processing proportionate and essential to achieve the stated purpose, or could it be done with less data or no data?
3. Balancing test – Do the rights and expectations of the data subject outweigh the organisation’s interest?

The Regulator stresses that the rights of the data subject will always take priority. For instance, marketing to a consumer on the grounds that it may benefit them (such as eligibility for a discount) might qualify, but aggressive sales tactics where data privacy is compromised will likely fail the balancing test.

Key Takeaways for Businesses

• Consent is king for electronic direct marketing, including telemarketing calls.
• Opt-out mechanisms remain essential for both electronic and non-electronic channels.
• Documented compliance, including call recordings and “do-not-contact” lists—is no longer optional but a best-practice requirement.
• Businesses should review their telemarketing, email, and SMS campaigns immediately to avoid breaching POPIA and exposing themselves to enforcement action or reputational harm.