POPIA for the Automotive Industry

In the last episode we dived into the detail of the law, and unpacked the 8 conditions for lawful processing that all responsible parties need to adhere to.

If you’re a Responsible Party handling data, you need to adhere to those 8 conditions. But several of our Dealership and MBR clients have been asking questions about what exactly the POPIA implications are to other parts of their businesses. Our first two podcasts covered various elements – The Client Contact Book, and Consent – but as we get closer to POPIA implementation, and Dealerships and MBR’s are contemplating the impact of this on how they conduct business, this becomes an important topic to revisit from a different angle.

Unsolicited Direct Marketing
When you contact a person without them requesting to be contacted, to sell them a product or service, that is unsolicited Direct Marketing.

There are two current laws that govern aspects of Direct Marketing, and POPIA will be the third.

These two laws are the ECTA (Electronic Communications and Transactions Act of 2002) and the Consumer Protection Act of 2008 which has been in place since 2011. Both Acts are long and detailed and regulate a variety of matters, only some of which are relevant to today’s conversation. So please be aware that this is a drastic simplification because we only want to touch on the points that are relevant to Direct Marketing in those Acts. In other words, we want to discuss how the ECTA and the CPA applies to Direct Marketing methods to sell your services and products to new clients.

The ECTA, which regulates the sending of ‘unsolicited commercial communications’ to consumers. If you want to send these communications, you must provide the consumer with the option to cancel their subscription to your ‘mailing list’ (the so-called 'opt out approach') and, if the consumer so wishes, you need to tell them where you got their details.
From 1 July 2021, all processing of personal information for purposes of Direct Marketing by means of unsolicited electronic communications must comply with POPIA, while the way you undertake the Direct Marketing, must still comply with all CPA requirements.

The Consumer Protection Act, and Direct Marketing
Both the CPA and POPIA will apply to Direct Marketing of customers. It is a very complex legal area because of this position. Basically, both Acts will apply to Direct Marketing unless they are mutually inconsistent, in which case the Act that provides the most protection to the consumer will apply. The CPA basically grants everyone the right to restrict unwanted Direct Marketing. One thing that is important to understand is the definition of Direct Marketing under the CPA. It is “to approach a person, either in person or by mail or electronic communication, for the direct or indirect purpose of:
  • promoting or offering to supply, in the ordinary course of business, any goods or services to the person;
  • requesting the person to make a donation of any kind for any reason”.
The reason this is important is because, while the definitions for Direct Marketing are very similar between POPIA and the CPA, the CPA regulates all forms of communications to a consumer for Direct Marketing purposes, whereas the POPIA definition only covers Electronic Communication, as we will get to later.

A consumer has the right to tell you to stop contacting them, and to pre-emptively block any contact. You also need to have processes in place that ensure you can act on this requirement and the consumers’ requests.

There should be a place or list on which consumers can add their name to prevent people contacting them for Direct Marketing in an unsolicited way.

The National Consumer Commission has yet to establish or officially recognise a registry where people can register a pre-emptive block. It is not clear what this process is, and the National Consumer Commission has not indicated when such a registry will become available. But one such list, probably the most effective one, is managed by the Direct Marketing Association, and people who wish to avoid Direct Marketing should go to their website and register their details. The Direct Marketing Association is a voluntary association which has a voluntary code for its members.

Companies who provide lists of contact details to various types of business, are members of the DMA and run their lists of contact details against the DMA list before providing them onwards. This practice, of selling personal information for Direct Marketing purposes, will naturally have to be compliant with POPIA from 1 July 2021.

You need to check with your provider as to whether they are DMA members and whether they run opt-outs against DMA lists before providing them.

The CPA restricts the times at which people can contact consumers for Direct Marketing purposes. You are not allowed to contact them on Sundays, public holidays, Saturdays before 09h00 or after 13h00 and before 08h00 or after 20h00 on any other day, unless the consumer has expressly or implicitly requested or agreed otherwise.

The above will not change when POPIA comes into force, as those provisions do not get repealed when POPIA is active. But, as mentioned before there are additional requirements that will come into play with POPIA, which we will unpack in our next episode.

This series does not constitute legal advice. If you have questions or a need to take onward action in your business, please seek the input of a legal professional who can guide you based on the specifics of your business and circumstance.

Until next time, keep learning more about POPIA.