Proposed revisions to South Africa’s Consumer Protection Act (CPA) Regulations are poised to strengthen personal data privacy and tighten controls over unsolicited direct marketing. These changes, open for public comment until 15 January 2025, introduce an opt-out registry under the management of the National Consumer Commission, enabling consumers to block unwanted electronic marketing messages before they reach them.

The draft amendments require direct marketers to formally register, renew that registration annually, and ensure that their contact databases are regularly checked and “cleansed” to remove any person who has opted out. Failure to comply could lead to regulatory action, significant administrative fines, or criminal penalties. Importantly, these measures are designed to complement existing obligations under the Protection of Personal Information Act (POPIA), creating a more cohesive system for safeguarding consumer rights.

Key Features of the Proposed Changes

1. Opt-Out Registry for Consumers
Consumers will gain the ability to file a “pre-emptive block” in a central registry to prevent direct marketers from sending them unsolicited communications. This registry will be administered by the Commission, and consumers will be responsible for keeping their details accurate and up to date.

2. Obligations for Direct Marketers
Any individual or business engaging in direct marketing via electronic communication will have to register on the opt-out system before contacting consumers. Marketers will also need to:

• Renew their registration yearly and pay the applicable fee.
• Check marketing lists against the opt-out registry before sending messages.
• Remove all opted-out consumers from their databases, performing monthly cleansing in collaboration with the Commission.

3. Enforcement and Penalties
If a consumer receives a marketing message despite being on the opt-out registry, they may lodge a complaint with the Commission. Following investigation, the Commission can issue a compliance notice detailing corrective steps, timelines, and potential penalties. Continued non-compliance can result in:

• An administrative fine of up to 10% of annual turnover or ZAR 1 million, whichever is higher; or
• Criminal prosecution, with possible fines and/or up to 12 months’ imprisonment.

Interaction with POPIA

Section 69 of POPIA already restricts direct marketing unless a consumer has provided explicit consent or is an existing customer under specific conditions. Under the proposed CPA amendments, even if a consumer has not opted out in the registry, marketers must still obtain lawful consent under POPIA before sending any marketing content.

Moreover, responsible parties, whether acting directly or through an operator, will be classified as direct marketers for the purposes of these rules. They will be required to verify their contact lists against the opt-out registry, remove any consumers who have blocked marketing, and ensure monthly data cleansing to stay compliant.

Implications for Businesses and Consumers

From a consumer perspective, these changes provide a powerful tool to prevent unwanted marketing and strengthen control over personal information. For businesses, however, the rules impose new compliance burdens that could significantly impact marketing strategies, particularly for those reliant on large-scale outreach.

The alignment between the CPA amendments and POPIA is expected to create a comprehensive framework for direct marketing regulation in South Africa. While it raises the compliance bar for marketers, it also promises a more respectful and privacy-conscious approach to consumer engagement.

If effectively implemented, the amendments could reshape South Africa’s marketing landscape, balancing consumer privacy with responsible commercial communication.