SA companies seem to be struggling with the new Protection of Personal Information Act and the management of customer data.
Seldom have a few simple questions elicited such frantic responses. After receiving more than 20 text messages from 10 different companies – all in the space of three weeks – the senders were contacted and asked the same question: Where did you get my telephone number?
It’s a reasonable question but few could respond to it quickly, while some of the answers stretched the new Protection of Personal Information Act (Popia) to the point of breaking the law.
The new legislation gives everyone the right to enquire about how companies use their personal information – and companies are obliged to answer queries, including:
- Where did you get my contact details?
- What information do you have about me?
- Do you share my personal information with third parties?
- What do you use my personal information for?
Popia became effective from July 2020 and was fully implemented in July 2021 after a grace period of 12 months to give companies time to ensure compliance.
Wendy Tembedza, senior associate at law firm Webber Wentzel, says the spirit and purpose of Popia is, among other things, to protect a person’s right to have a say in how their personal information is used.
“Under Popia, a data subject [person] must be informed of all the ways in which a responsible party [the companies] will use their personal information at the time when the information is collected, or as soon as reasonably possible after collection. If the data subject has not been advised of the potential sale or sharing of their information, any such sale or sharing will in most instances be unlawful.
“In addition, Popia requires that any further processing of personal information [being processing of personal information for purposes other than that for which the information was initially collected], must be compatible with the purpose for which it was initially collected. In this regard, the responsible party would have to assess factors such as the relationship between the purpose for initial collection and the intended further processing, the nature of information concerned and the consequences of the intended further processing for the data subject,” says Tembedza.
“Popia has introduced a major shift in how personal information, including contact details on large databases, can be dealt with.
Tembedza adds that while direct marketing is allowed, companies should ensure that they fully understand their obligations under Popia.
“While there are nuances relevant to the question of whether a responsible party can send you direct marketing materials, the basic requirement is that direct marketing is only permitted in instances [where] either the data subject is an existing customer of the responsible party [subject to additional qualifying requirements], or where the data subject has given consent for their personal information to be used for direct marketing.
“Unless the direct marketing is taking place in one of these two scenarios, it will be unlawful,” says Tembedza.
“In relation to contact lists, the risk increases because these lists can run into the tens of thousands. This is particularly important because factors such as the number of data subjects affected will be taken into account by the Information Regulator when determining the appropriate fine,” she says.
She confirms that companies are obliged to disclose where a data subject’s details were collected from.
It seems that companies are struggling with the new legislation, with only a few able to give a quick response to queries.
Budget Insurance answered within two days, reminding me that I had a policy with it some years ago and that this counts as a client relationship within the provisions of Popia.
In addition, I opted in to receive marketing messages when using the Hippo Comparative Services website (hippo.co.za) a few months ago.
Thus, Budget Insurance knows a lot about me. I have provided it with my (new) telephone number, while it already had my e-mail address, home address, identity number and a lot of other personal information as well. Budget might even still know what car I drove a few years back and what furniture I had in my house at the time.
That I received no fewer than four text messages from Scorpion Legal Services within a few weeks came as a surprise.
I have never dealt with the company nor have I responded to any of their advertisements that try to sell legal insurance policies.
Asking Scorpion Legal Services where they got my contact details and whether they have other personal information about me was a bad experience.
Scorpion Legal Services said it has no personal information about me because it uses third parties to conduct advertising campaigns and generate leads.
“In order to abide by Popia we are only able to divulge the information linked to this cell number to the person who owns the number. The third party involved [is] happy to engage with you directly, if you can provide evidence that the cell number that the SMS was sent to belongs to you,” answered an executive in an e-mail.
She asked to remain anonymous, adding that I should contact my service provider and ask them for confirmation of my cell number.
That my number is included in my official signature to the bottom of every email I sent to Scorpion Legal Services was not acceptable. “Anyone can send an e-mail and sign it with a cell number,” according to Scorpion.
That the executive called me on the number, and insisted on recording the conversation, including my verbal declaration that it is my number, did not help either as “you could have picked up the phone in the street”.
It took several calls to get hold of a human at the MTN call centre, who referred me to a different department. Unfortunately, the call looped back to the same call centre menu.
Someone said the information would be readily available in an MTN store, but the shop assistant referred me back to the call centre.
The MTN press office eventually explained: “As per the Numbering Plan Regulations 2016 numbers are a national resource and are neither owned by the licensee to whom they have been allocated to nor the subscriber to whom a number is assigned.
“We have noted that the [number] is currently on Pay As You Go, therefore MTN does not keep personal records that were used to register or activate the number. These are kept under [the] Regulation of Interception of Communications and Provision of Communication-Related Information Act and this information can only be made available to parties via Subpoena 205 [court order].
“MTN is not authorised to provide written confirmation that the user is the owner of the mobile number,” according to MTN.
Management of the firm that runs advertising campaigns and generates leads for Scorpion Legal Services responded to my queries directly.
“I delegate a lot of tasks, but I deal with complaints myself,” he says, “and more than one of your queries led to BMI.”
The meeting was informative, explaining how this small part of the digital marketing industry works.
Van Deventer provided proof that I opted in on his database after responding to an earlier general advertising campaign.
“Based on [the] aforementioned response and relationship established, the data subject was profiled as a high propensity responder to a number of products and services and would therefore have been included in product and service offerings targeted via direct various marketing efforts through the respective electronic channels,” concluded his investigation into the queries.
Van Deventer explained that the industry went through consolidation as a result of Popia. “I welcome the new act. It is good for the industry as a lot of ‘garage’ outfits closed down,” he says by way of explaining why BMI works for a lot of clients.
However, he admitted to and apologised for an internal problem which resulted in many messages from different (and competing) companies.
Sending an e-mail to a company by using the handy enquiry form on their website will often opt in the sender, once again due to not reading the terms and conditions.
This can be seen as forced consent, if the contact form is the only available method of contacting a company, or other contact details are difficult to find.
An interaction with LegalWise – also after receiving a marketing message – serves as an example.
LegalWise responded to the original questions as to why I was receiving marketing messages with the following explanation: “We have confirmed that the SMS messages were sent by a network partner of Reach Republic, one of the third party lead providers used by LegalWise. Reach Republic has confirmed that the message was sent to yourself in error and it was never the intention to communicate the message to yourself.
“The error was a result of a recent data update on the part of the network partner in which your number was incorrectly linked to another party for whom the message was intended.”
LegalWise says it had none of my personal information prior to me using the Contact Us form on its website to query the marketing messages.
It clearly is easy to opt in to marketing messages and agree to the sharing of your personal information.
Fortunately, there is a way to opt out too.
Members of the umbrella body should check their contact lists against the DMASA database regularly to prevent them from irritating potential customers.
Being marketers, DMSA puts a positive twist on it. “Registering may prevent you from receiving information which you want – thereby cutting you off from relevant and worthwhile opportunities.
“For example you may miss out on special sales or miss the opportunity to support charities who use telemarketing as an economical way to raise awareness and much needed support.”