New legislation takes time to come into effect. What timeframe are we looking at with POPI?
Realistically, it could be another 18 to 20 months before organisations are forced to comply with POPI. Once the Act is signed, a regulator will need to be appointed, and only then can the new legislation be monitored.
This all takes time. However, I believe the reputational risk facing companies is far greater than the regulatory risk, and that will come into effect almost immediately, especially as consumers begin to educate themselves on their rights.
What are those rights?
From a customer’s perspective, consumers should know that they have a right to privacy. Their personal information belongs to them, and they have a right in determining what their information is being used for, how it is to be handled and under what circumstances they might object to the processing thereof.
How does this impact marketers or organisations that use lists for prospecting?
To be dead honest, you’ll have to change your strategy, approach and way of doing business. POPI doesn’t prevent anyone from marketing to or prospecting for new customers, but it does affect the way in which this is done.
The proposed legislation will provide checks and balances when processing personal information and some of those checks and balances relate directly to marketing.
In what way?
For example, you’re not allowed to contact someone via cold calling, sms or email if those contact details were not lawfully obtained. One lawful way of collecting data could be through the use of public registers. But, each register might have certain limitations as to what it might be used for, and you need to be aware what those are.
Secondly, one will also have to ensure that you act within the ambit of the Consumer Protection Act. There are specific instructions on what are considered to be appropriate days and times for making these calls. You can’t sms someone in the middle of the night for example, even if you lawfully hold their details.
What is best practice for collecting marketable data?
In a nutshell, you need prior consent. This can take one of two forms. At the point of sale you can ask your customer if they would like to receive promotional information from you or third party distributors and suppliers.
Any subsequent contact must include a specific opt-out option, but you can now lawfully contact these prospects. A second scenario is that if you buy something from me, I can now consider you a customer and send you marketing that relates to similar products to what you bought. However, I must provide you with an opt-out option.
How does this differ from current best practice?
Essentially it shouldn’t. The Consumer Protection Act together with the Electronic Communications Act already laid the foundations for consumer protection, and this is just one more extension of that protection. Europe has followed these guidelines for almost two decades, and consumers have become a lot more vocal in opting in, opting out, and wanting to know how companies obtained their information.
Businesses that have paid close attention to best practice in Europe and Australia would have already started changing the way they obtain client information and what they do with it, and this goes back to reputational risk.
Scrupulous companies understand how important it is to only approach consumers who want to be contacted. If you’re unscrupulous in how you obtain personal information, and more importantly in what you do with it, there will be a consumer backlash, and this will hurt your brand.
What are the worst and best case scenarios with POPI’s legal implications?
The worst case scenario is that you can end up in jail, while at its best, POPI compliance could be utilised as a market differentiator. Of course, in both cases you need to understand the spirit of the law. Let’s use identity theft as an example.
Companies wanting to target a specific age group could previously make up 5 000 ID numbers, send them through to a credit regulator, and request information on these people. Some wouldn’t exist of course, but others would, and suddenly thousands of people have had their personal information compromised.
The National Credit Act put stringent controls in place to prevent this, but POPI has similar goals: There are serious implications in how personal information is handled. Marketing is just one small part of this, but of course it’s an important part and shouldn’t be ignored. As long as you have the best interests of your consumers in mind, you can differentiate yourself as a trusted source and holder of contact details. As consumers demand greater accountability, this will become more and more important.
What about the legal implications?
From a legal perspective, POPI is also a very big deal. Organisations will be held accountable for the way they collect, use and distribute personal information. This includes not only the personal information of their customers and clients, but also the personal information of their employees.
Data subjects will therefore have ample recourse in seeking justice and not only will the regulatory fall-out affect your day to day operations, it will also place a considerable dent in your organisation’s reputation.
What should organisations do to protect themselves?
I would suggest you find out who your industry association is and start putting a firm code of conduct in place. You can then get the regulator to approve that code of conduct, and essentially police yourselves.
You will still need to follow best practice, and if you don’t adhere to your own code of conduct you will be liable, but it means you can determine what works for your industry (within the framework of the law). Industries that don’t do this will find themselves subject to a precedent that is based on another industry, most likely the banking industry, which by necessity has very stringent controls.
